Malware Analysis Report

2025-04-13 23:03

Sample ID 250322-gv683ssr18
Target archive_7.zip
SHA256 6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f
Tags
dcrat execution infostealer rat collection credential_access discovery persistence spyware stealer remcos host vipkeylogger keylogger quasar office04 trojan defense_evasion umbral xworm njrat neuf privilege_escalation hacked xenorat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Threat Level: Known bad

The file archive_7.zip was found to be: Known bad.

Malicious Activity Summary

dcrat execution infostealer rat collection credential_access discovery persistence spyware stealer remcos host vipkeylogger keylogger quasar office04 trojan defense_evasion umbral xworm njrat neuf privilege_escalation hacked xenorat

Detect Xworm Payload

Njrat family

DcRat

DCRat payload

Detect XenoRat Payload

Quasar RAT

Umbral family

Xworm

Dcrat family

Xworm family

Remcos

Remcos family

UAC bypass

Detect Umbral payload

Vipkeylogger family

Quasar family

Quasar payload

Process spawned unexpected child process

Xenorat family

njRAT/Bladabindi

VIPKeylogger

Umbral

DCRat payload

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Reads WinSCP keys stored on the system

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

System policy modification

outlook_office_path

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Detects videocard installed

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2025-03-22 06:08

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Dcrat family

dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect XenoRat Payload

Description Indicator Process Target
N/A N/A N/A N/A

Njrat family

njrat

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Recent\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\Uninstall Information\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\RCXB7C9.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\RCXB7CA.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\RCXCDE5.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Uninstall Information\RCXC2D0.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Uninstall Information\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Uninstall Information\RCXC2CF.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\RCXCDE6.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Common Files\Services\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\RCXBC03.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\RCXBC13.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\Recent\RuntimeBroker.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Recent\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2732 wrote to memory of 6068 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 2732 wrote to memory of 6068 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 6068 wrote to memory of 5464 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 6068 wrote to memory of 5464 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 6068 wrote to memory of 5620 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 6068 wrote to memory of 5620 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5464 wrote to memory of 5748 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 5464 wrote to memory of 5748 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 5748 wrote to memory of 2992 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5748 wrote to memory of 2992 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5748 wrote to memory of 3012 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5748 wrote to memory of 3012 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2992 wrote to memory of 5364 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 2992 wrote to memory of 5364 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 5364 wrote to memory of 5156 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5364 wrote to memory of 5156 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5364 wrote to memory of 4748 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5364 wrote to memory of 4748 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5156 wrote to memory of 2380 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 5156 wrote to memory of 2380 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 2380 wrote to memory of 5656 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2380 wrote to memory of 5656 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2380 wrote to memory of 744 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 2380 wrote to memory of 744 N/A C:\Users\Admin\Recent\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 5656 wrote to memory of 916 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe
PID 5656 wrote to memory of 916 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\Recent\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'

C:\Users\Admin\Recent\RuntimeBroker.exe

"C:\Users\Admin\Recent\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d481ea4f-eaf6-4f5a-92c5-6292586b303f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5616a14c-de2f-44b8-8c2d-ce6d68eaa14c.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b943ece4-5f3c-499e-9bf5-922357f3dbdf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f816631-af94-4dde-a924-c43d5fe1283f.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e3198d-7084-42ad-920f-dba124e31d11.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac061e4-e7f9-4dbe-b070-eaf0ceb916dd.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2395a278-c7cc-4517-a65c-150eb79e12fe.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7db5887-4ac4-41e2-b648-4f3be53febc0.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eefd4a25-c381-43c2-b675-8731b5239b7f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69f96b2c-1b5c-46ee-b51c-a4898a1c55ce.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cce6cd55-c856-4800-82ef-80d625b9f183.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeaa8eac-87ee-449e-92d1-6c91bb3e4ec1.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa88264b-173a-4c9a-a2fb-86f9f5df373c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f14c8f2-c763-4ae1-9acf-86389fff29d6.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ddd023e-b825-4396-b032-436baa5096f6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d25e765-068b-4d09-a655-263c7795fc3d.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f005341-5865-4d0d-8495-42dedb8da939.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\740f474d-fbc6-4e70-9a96-b09bad997ed3.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab20ebb-59de-4491-9e31-fb0ca465f98b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aac0e408-793d-4bec-8df3-2f946547d6db.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db098804-eaa4-4fea-b1a4-998ccebcf533.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b360418a-9589-475c-8281-ea23d60cd333.vbs"

C:\Users\Admin\Recent\RuntimeBroker.exe

C:\Users\Admin\Recent\RuntimeBroker.exe

Network

Country Destination Domain Proto
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp

Files

memory/2732-0-0x00007FFF4DAA3000-0x00007FFF4DAA5000-memory.dmp

memory/2732-1-0x0000000000770000-0x0000000000912000-memory.dmp

memory/2732-2-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp

memory/2732-5-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/2732-4-0x0000000002BB0000-0x0000000002C00000-memory.dmp

memory/2732-3-0x0000000002B40000-0x0000000002B5C000-memory.dmp

memory/2732-7-0x0000000002B80000-0x0000000002B88000-memory.dmp

memory/2732-8-0x0000000002B90000-0x0000000002BA0000-memory.dmp

memory/2732-6-0x0000000002B60000-0x0000000002B76000-memory.dmp

memory/2732-9-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

memory/2732-10-0x0000000002C00000-0x0000000002C0C000-memory.dmp

memory/2732-11-0x0000000002C10000-0x0000000002C1C000-memory.dmp

memory/2732-13-0x000000001B610000-0x000000001B61E000-memory.dmp

memory/2732-12-0x000000001B600000-0x000000001B60A000-memory.dmp

memory/2732-16-0x000000001B640000-0x000000001B64A000-memory.dmp

memory/2732-15-0x000000001B630000-0x000000001B638000-memory.dmp

memory/2732-14-0x000000001B620000-0x000000001B628000-memory.dmp

memory/2732-17-0x000000001BE10000-0x000000001BE1C000-memory.dmp

C:\Users\Public\AccountPictures\SppExtComObj.exe

MD5 8b03d1f60bdf0b6465c0623109e7269e
SHA1 33fb1f09f53ca182e1112ed973fce8fa97e4398f
SHA256 1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf
SHA512 8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

C:\Users\Public\AccountPictures\SppExtComObj.exe

MD5 cf2b637d6ce2f00e73f9c384f56e4c7d
SHA1 b51ead76e7487b65815785a439466cf64dc1fb24
SHA256 eb3bc089086650585b14b85f61cf176ec41df79ebdede3b1de4a1ed7ff9e97ab
SHA512 5532ed4e22f304c729143bbb36dbe33b65e10c8c02563db19e5e2a9edde43730091bbb163d0b511af68537ff4ddfd0cfcdc6c9966deb7919beb4e247f5a638be

C:\dfe2e59cddd00040f555dab607351a1d\smss.exe

MD5 4ae12627b99be1ce48139f0c094fee57
SHA1 cbae347753b7170ce6e253ab2ebc22d3b76e94d2
SHA256 d49698d763409952744118ba7aa38019eedabae69719978a41ad54e074029d7a
SHA512 0467df50ab20127d2c76f22c15f54799f2f9c1d384d0b3eac1724544719de33ff20dcba870f8b37b420263324202e3b7417b7da0c1a3e466bc4339d7cb08e34c

memory/2732-189-0x00007FFF4DAA3000-0x00007FFF4DAA5000-memory.dmp

memory/2732-213-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp

C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe

MD5 6872948a18b1dfac9e62136f806bb439
SHA1 1d4d8fda1d3ddfaa4a6c6d272d5121e5cbbd7bbf
SHA256 9a7a4e98dce80395ca80d0ba80d22c2479ffdcc23332eb97d165402f6494bbdc
SHA512 92420579786621a156a7660b4445fc9bf1b417b0212a41129e783a02e97f3b040b236e1dd79c8419e1334354f68963d50e29d4ea99b5de3c22e383e875df0490

memory/5116-333-0x00000211E40F0000-0x00000211E4112000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvbdz55r.b3p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2732-507-0x00007FFF4DAA0000-0x00007FFF4E561000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b0bd0ba1b6d523383ae26f8138bac15f
SHA1 8d2828b9380b09fe6b0a78703a821b9fb8a491e5
SHA256 a9878e55702f457717f86200e3258bfc960d37d5a8c2cab950c1dd842fbbaed1
SHA512 614df5e7b46469db879cf1be2cdc1df3071f0c3f0c1f78c73b81d23d651c54d246e8ca6e1923a34ac2dddc02c63b807c8d328f2d275f98e0997a12a7960bbf45

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 48b2b59bd1016475be4de4e087bb8169
SHA1 ecf9263187e29dc612224a6e1a4c5243ed110040
SHA256 df0e6548235499fc2881ef422771ee034eb86dadbcecb94f4c324ea1a0a7a209
SHA512 2186e40f82a80a3a89ec630c4d148b9f10424888635632e188eb32fc3f2d91e9a59fdf205810f4d33d3319cf35f9fcb8808c89ab7f7d553296c3969c1a1feb03

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af1324e7a4e3e6cfc7ee7add0391f0b9
SHA1 19117163248a95e5ceb83b6dc8c21e396f33bcaf
SHA256 a31abfc5cc0132c488495c81046d7f3c7eed1e7a6923d94ffd85b58436871a52
SHA512 6a05a892ec41527782b418a2f232300da84eff105b2d9c1cb55c7e9ce1ef13beab2d57b4bf3cc73d1e5b2710010f3622500c4d8e0cb2fa8e5365b6ff007e9d00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1b2770b6e93963548483b9857a191b12
SHA1 da1f36e92f6f116ea4d6300b279be899ed6413a8
SHA256 4c2f150efa24585d81d212c3d1618af0777e007596cf7bd76cbf660db384b00b
SHA512 6fe8388503b09ec12528e982fea548c271d5687163db05ede832a0814a0fad6fa7c4ff32ed0cfa48f90c9b2980e2613be1d673fa47eaa2a9ea9540add473b4ea

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a0a5a1b68ad6facd1636fe5f5e1c4359
SHA1 e4fee6d6a2476904d9ba14d9045341df3616ca4a
SHA256 7257de23847d0c2fa79bbae208df603b1f29406f486cdcafdaedc54846b18c7a
SHA512 1b843eb6273034c6798379cf217ddb58004db776243daffba33020e5aa0ef8fc440e202b9cd6454521e7b608158891edb979165aa9353d3ea32fae74815e97d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 452593747a6f6f0b2e08d8502e1ec6e7
SHA1 027c3a7f5f18e7a1e96bbf2a3d3c267e72821836
SHA256 495c62eea4eb41269dbcdba0c0acd65d27a407ac837f5c04feaaa0542963b33d
SHA512 17a8288467e77ade8e81bf7620e9013ff3690c2577a172ce30734c65ca2d2328afd3737dd6a9fb6b4d7ba673767f094986f6b996f5920d7e1cdecdf019e37488

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 30552f7617959d837dbc5167ec0a3824
SHA1 a471b8d31983b3885cee92ead3f3f2b6621c1ebe
SHA256 c8f05399999cda0a1d159d9be58d5d7e39b783290d57a238cfdb22c000301c18
SHA512 37af8e93814f95ea8773b093803ca74475fcc2f0006bcbbd0ecc28d6ab6acb742afed81d5b859f6429128761b440a355f2b35fe38242fae9d8069c8ab23c84b2

C:\Users\Admin\AppData\Local\Temp\d481ea4f-eaf6-4f5a-92c5-6292586b303f.vbs

MD5 ffcad7faabbc2ae13a70e31e5051dec8
SHA1 6310e51e39b79a06eb76c40f7b7da1330737d36f
SHA256 c287d949a5efda989a10179e6091090c6c3c653bed18423e64de23f2b4aa1ef9
SHA512 a314f9d3110623f8f7f7e3c0097c291d32bde19978ca3958e199a4dbb118ecb4f08f19bc870b7e9abf7981114e2a4195ae5428195eb7c6ef1440005009f9d40e

C:\Users\Admin\AppData\Local\Temp\5616a14c-de2f-44b8-8c2d-ce6d68eaa14c.vbs

MD5 a16ac61e071c7a8babbd6fe177c24503
SHA1 c4fc328a93e45af371648b0f87d04fa1a419b36e
SHA256 8113e0b6dbf74d84cf0b201e6c07f0c675d639c1d9f7c395446aa8d171ec1d57
SHA512 7b416dc315c48f32a59bd947ffb236808a5927200cd38e10b88c74b308c6faf526c49437b99b736259618cfaff484071b8ec7cb49c41d7514d89c9fccf1e44a6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 3690a1c3b695227a38625dcf27bd6dac
SHA1 c2ed91e98b120681182904fa2c7cd504e5c4b2f5
SHA256 2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73
SHA512 15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

C:\Users\Admin\AppData\Local\Temp\b943ece4-5f3c-499e-9bf5-922357f3dbdf.vbs

MD5 ea2ba168a1a960d3bf74d47ff2723ed1
SHA1 57d21973ece5d83cabed544569dacc10e00d5b21
SHA256 f4947b4588965189fb0eeeb75efcefa3bfb881adc38590c8ef3596f69f92d0a8
SHA512 02e945330d47813296c0709fc59e916e7f82a1bf8548fc5503b61ef719984ceb88757783b501e7d127344ae418e25d20195f72ceb0f1aaa81b59909c1368b1d7

C:\Users\Admin\AppData\Local\Temp\10e3198d-7084-42ad-920f-dba124e31d11.vbs

MD5 d83ec6d086dcf7efe0f3e0e064f73587
SHA1 b527001a736133532c54ba8e6a18e096cb5dee5a
SHA256 a03de9211655120fdddb6c2480018f95b0e42a235e664a4337a2bbda71811b35
SHA512 f50618fa67de7f7c597f56a4bc0236791e9ae651240085fa1a89b27e1c8ff3eeee2976df01e95b966147bfbb837ce8fdecffeeefea8d0a1d9a09d7e37d27cf13

C:\Users\Admin\AppData\Local\Temp\2395a278-c7cc-4517-a65c-150eb79e12fe.vbs

MD5 65b9b593f51e829b5b210db754293a16
SHA1 0e54fc6a77d154dc9300d73009c38850f2e19c98
SHA256 5ae198ef84c1dfa044fdd758e7ad3ee87fd35aa0d371a92c4de4a8854cc7ef3e
SHA512 c7df026a2bf2d384d9c03d0c59f2463f6af188fb9bfbb86141e6fbfa274ad097c1e6a7a71c3a16f07e4916f04f5c926c490f6ac999ab85a7191aa1c53322db38

C:\Users\Admin\AppData\Local\Temp\eefd4a25-c381-43c2-b675-8731b5239b7f.vbs

MD5 5394c6d24af841729f977aaeb6b19d76
SHA1 e9aa288ed65738b440fe284b4e6e3b37ae8aa8b5
SHA256 eafa6802bd776452cf7aff79b5bea8070265e58e2092df7c78a112031bf8a7b4
SHA512 20c478815dc9f33101b471a7e5f8eddbe84f64f5d807b322f6d99295d444c1abdd80c4c930473d78b183e141269167612e1997a8b4ad9a4dab99ec20efb2a39f

C:\Users\Admin\AppData\Local\Temp\cce6cd55-c856-4800-82ef-80d625b9f183.vbs

MD5 9d00d2598027ebd4b9f00eaa1db4be06
SHA1 c5092622cf0fe9d42c31daaad7256b3d7385382c
SHA256 49e789b54de3aa7d8296baaee8d7abbcd81f2165705708902085316cfad4e8d5
SHA512 8929d5c594551f1b41eaee2d9d90deb2e433d55bc7b7745a18573a1a9336089f5f101d8d9bb8723c932416f15d6da8cc81a10cf92d754f5855233cb2b1d22278

C:\Users\Admin\AppData\Local\Temp\fa88264b-173a-4c9a-a2fb-86f9f5df373c.vbs

MD5 0bf93df1b6b79cb3ec153a918419f304
SHA1 c80755e45c3bf5e644641b652488978192fa4bf4
SHA256 66f2b9832f58a560793952ffad0b0e80728cd785b00ffeb2bddc7cfcec8a905c
SHA512 bbba78f899c3b697a0c823448b5c16443905ee730626cad6e10eb9d064209f7caadd373d8bec67493dca2bdf03111060d8723154a62abc92272e13eb8857bc2f

C:\Users\Admin\AppData\Local\Temp\5ddd023e-b825-4396-b032-436baa5096f6.vbs

MD5 a29206e37e9e9cd58530b2072ecec39c
SHA1 ae7dccdae8f78ba47322df83dd2f75376532d318
SHA256 d12875af02bd87eb1a9c976762a85676681f9d01a77d0e68c83d5c9306bacf0f
SHA512 c22374faecc55ab82cbfb7b0dc55ffacd7fb4a59e10eca83a6ed1c71d681ef863f65c53096f79d9a49de7c014670066609389edaf1f0756602e9852b09947908

C:\Users\Admin\AppData\Local\Temp\0f005341-5865-4d0d-8495-42dedb8da939.vbs

MD5 0d06d8856eafbd12e01b3f01a6b1ff66
SHA1 5a49ff5de9b27d19cc1b7e55f9b85509a2f92d12
SHA256 83201592612db6e37cd267cf51b5cfb4e2c6130492d5f4431d5bbb0c3bdff08b
SHA512 5004913752d69f45da91b420310c0ba6fc9558f33400da486b15ae451fe77a9d9813a90e47f1985c0fa9f28249e3c321ccb50c7c312edd479fe51276458d9cb5

C:\Users\Admin\AppData\Local\Temp\eab20ebb-59de-4491-9e31-fb0ca465f98b.vbs

MD5 d8b3c75c6d2563a995d6f012a0c6d2d4
SHA1 82d2eb4f976431cb381b51f7abbbc0387b96589c
SHA256 c2cbef1fd8f876d78bf04a4e097201413faf236d52686b867a005661c3858c03
SHA512 78e4fae2904da470a9d1403b171aeedb67d2715f7f78802d7bd32cb9467a798bdd198bf9c758106ea6b6d4c88a209f2e0c04e7e85e26e4d34b43f9407af029a0

C:\Users\Admin\AppData\Local\Temp\db098804-eaa4-4fea-b1a4-998ccebcf533.vbs

MD5 f86d6e28dee4ae5a8dcd6b6b0e07a2b3
SHA1 64caf0f9b2a5eacc7864f431b9b68f349d27f20e
SHA256 34d765f215b75a72fa05c7230ed57f307280cb8b5e58844a24ad5a2d18d6a66f
SHA512 b481d0f8c0540aeb7888c8a8f1c2b2385cd1c8db5a1968d84ac7ce15b3b571a3dba053a92d3c0b92bc851e2e702d2a9c02b0601f813b26c1d9c808682891442c

Analysis: behavioral23

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:12

Platform

win7-20241010-en

Max time kernel

146s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2904 set thread context of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 set thread context of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2904 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2904 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2904 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2904 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2904 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.192.18.101:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp

Files

memory/2348-0-0x0000000077BE0000-0x0000000077D89000-memory.dmp

C:\Users\Admin\AppData\Roaming\app.exe

MD5 52fb55a1222aba62a80fe4888cd5f0a0
SHA1 db6bda74d90463c533a29e49cc715242661d562e
SHA256 e0c3c50f574a2d872991aec7082e075f3813e8c913c679a8e4f5e1d3606eeafd
SHA512 747447b49572c1cb74fdb18d3551beff0e4065270555e1459f13353a8b4c3af7e1bc95ae601d56556728f95717c103b9e8a798d937e34a19c45b04089902d3d8

memory/2904-27-0x0000000077BE0000-0x0000000077D89000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5B88.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5b8dc854ffde479cf114866dc67a1c0
SHA1 14e3e4622a05a5cbdd313909265434bb840ede7b
SHA256 8a3974fbd90e9aec41f3cd345795bdfe242e8c43759f19ca775fc507e0b38ab9
SHA512 fec44464522b17068fab0a425bcdfcf12d791a370898262a8e60713bb3a5f1ae411cebdc381f54ab51871aee0e7779df61b2fb2a5d237c92e189893e597987b2

C:\Users\Admin\AppData\Local\Temp\Tar6A87.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

memory/2148-84-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2148-81-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2148-77-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2096-86-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2096-85-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2096-76-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2096-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2148-61-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2148-59-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2148-57-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2148-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2148-63-0x0000000000080000-0x0000000000090000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240729-en

Max time kernel

139s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2340 set thread context of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2188 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2188 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2188 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 2340 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

Network

Country Destination Domain Proto
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.192.18.101:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp

Files

memory/2188-0-0x0000000074351000-0x0000000074352000-memory.dmp

memory/2188-8-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2188-11-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2188-12-0x0000000074350000-0x00000000748FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

MD5 0a18d56f34538070a8a715ec937a8929
SHA1 0ae813ceb71e5dc1e4ace6b1def908041bf4b3b4
SHA256 8a7e36230788c35f10b15313f478cd339dd30e609bf25d56be769a22a8bc0736
SHA512 4264c9e915db1a30901025078828c82c353855f255fbc5ddefe75078dc0f5dc1eaa2a1fe8270c11fc8f051319409fbb2e52938399f51334a43291a7f4a50f8e6

memory/2340-31-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2340-40-0x0000000074350000-0x00000000748FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8288.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40ca96e0ed10369126a9e46b5a5f3a63
SHA1 2cec116f70862928f2d11e39b0d67dd7d74a28e6
SHA256 2ca5a4fe29a9023cd5c246f6b9da8dab9c0890b69f2abc316f1d3cae86631558
SHA512 99e7a81083dc1d2da1af995f5ff9be693b6c48d432fce5f4e08e68f9f02c83e28fe09b944b6eb9e0f0323b08b5fef2da4604c88eea25b6a930a81f10381cb9db

memory/2188-30-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2340-42-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2340-41-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2168-56-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-65-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-64-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-63-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-60-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-59-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2340-66-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2168-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2168-52-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-48-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-46-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-50-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-44-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2168-69-0x0000000000400000-0x0000000000417000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240903-en

Max time kernel

119s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A reallyfreegeoip.org N/A N/A
N/A reallyfreegeoip.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2452 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 2452 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp"

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.16.1:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2452-3-0x0000000000B30000-0x0000000000B40000-memory.dmp

memory/2452-2-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2452-1-0x0000000000B40000-0x0000000000BF2000-memory.dmp

memory/2452-0-0x000000007461E000-0x000000007461F000-memory.dmp

memory/2452-4-0x000000007461E000-0x000000007461F000-memory.dmp

memory/2452-5-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2452-6-0x0000000004680000-0x000000000470E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 de4be458c2cfefc6beee3c56062c6183
SHA1 fe3886cda20167b5d7bf95fa9b378365217c1d66
SHA256 39a329d4ae9ffd316b6fa338127d7d727bb17cf30e0cc0178f322b2933cbf7d1
SHA512 7d9ea9a7a0df15d72be8d378a8546a6d43a56bdc319754746060f404a1f14712b82a0498e95b9684111db313c9f7e7a53a3e496afbed65a866ca6b8071d1b8c9

C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp

MD5 466b40fe54d1ea6c03f569d5bb3607e2
SHA1 1699e64c15e44b536752d2bd40799ffffbea167c
SHA256 d6e49379d1626cb5811940cfb7b29b40cc313c6986b80388ed603db300ac4dc2
SHA512 6566bff61ee5c8c730372e65fc2dd7088d94ddd5c5a796adfb2efcde2052585da18693b55173c58cadfb7a800baed853760f82c5b3a97fd3338634e5ff5dda6a

memory/2604-19-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2604-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2604-30-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2604-29-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2604-28-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2604-25-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2604-23-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2604-21-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2452-31-0x0000000074610000-0x0000000074CFE000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:13

Platform

win10v2004-20250314-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A reallyfreegeoip.org N/A N/A
N/A reallyfreegeoip.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4068 set thread context of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 5184 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4068 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4068 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Windows\SysWOW64\schtasks.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe
PID 4068 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LbXyTV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LbXyTV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6EA.tmp"

C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe

"C:\Users\Admin\AppData\Local\Temp\19ec0ef7b7ce9c5d9d5a2c9ee955a5c4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.112.1:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/4068-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

memory/4068-1-0x00000000006E0000-0x0000000000792000-memory.dmp

memory/4068-2-0x00000000057A0000-0x0000000005D44000-memory.dmp

memory/4068-3-0x00000000051F0000-0x0000000005282000-memory.dmp

memory/4068-4-0x0000000005190000-0x000000000519A000-memory.dmp

memory/4068-5-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/4068-6-0x0000000005790000-0x00000000057A0000-memory.dmp

memory/4068-7-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

memory/4068-8-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/4068-9-0x0000000006380000-0x000000000640E000-memory.dmp

memory/4068-10-0x0000000006600000-0x000000000669C000-memory.dmp

memory/3496-15-0x00000000022D0000-0x0000000002306000-memory.dmp

memory/3496-16-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/3496-17-0x0000000004E40000-0x0000000005468000-memory.dmp

memory/3496-18-0x0000000074D10000-0x00000000754C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC6EA.tmp

MD5 4e219603837fe6ee25d4576f583233dc
SHA1 8a9eb16f1270e1edc571a42dafd7c3b082ce039e
SHA256 da153726efe377f2ef593789dd19efa0c784bb2e343f2388c8823da46fb01fb4
SHA512 898c875f3fa8388b8c939f20fc547fd1438e038fce438d75e27301641b3ce00fd582311fec565cc45d95e6480efc81d6af1c6f6c8577901192169460a37a681e

memory/3496-20-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/5184-25-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/3496-23-0x0000000005470000-0x00000000054D6000-memory.dmp

memory/3496-27-0x0000000005600000-0x0000000005954000-memory.dmp

memory/3496-22-0x0000000004D10000-0x0000000004D32000-memory.dmp

memory/4068-28-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/5184-29-0x0000000074D10000-0x00000000754C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pd4cslzm.5ib.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4088-21-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3496-24-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/3496-48-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

memory/3496-49-0x0000000005C40000-0x0000000005C8C000-memory.dmp

memory/3496-50-0x0000000006DA0000-0x0000000006DD2000-memory.dmp

memory/5184-61-0x00000000711E0000-0x000000007122C000-memory.dmp

memory/3496-71-0x0000000006170000-0x000000000618E000-memory.dmp

memory/5184-72-0x0000000007580000-0x0000000007623000-memory.dmp

memory/3496-51-0x00000000711E0000-0x000000007122C000-memory.dmp

memory/5184-74-0x00000000076B0000-0x00000000076CA000-memory.dmp

memory/5184-75-0x0000000007720000-0x000000000772A000-memory.dmp

memory/5184-73-0x0000000007CF0000-0x000000000836A000-memory.dmp

memory/3496-76-0x0000000007170000-0x0000000007206000-memory.dmp

memory/5184-77-0x00000000078B0000-0x00000000078C1000-memory.dmp

memory/5184-79-0x00000000078F0000-0x0000000007904000-memory.dmp

memory/5184-80-0x00000000079F0000-0x0000000007A0A000-memory.dmp

memory/5184-81-0x00000000079D0000-0x00000000079D8000-memory.dmp

memory/5184-78-0x00000000078E0000-0x00000000078EE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d98726e7cdd069cf6da75b757bf34e33
SHA1 16e512e7f9e25637de274ee343b59c4e72db71e8
SHA256 7211efda1373db1ddf0c3f84fe6050c3650c5e0ebc9cfae88b8ff31aa9870bcf
SHA512 1a47ad824479b7b5749e801c99d74b6a600c387381aa1fce5609877fa742bc8ae4ecc23570d6fcf80a7a0d6407d11ad9a19493f029fbbc7bf1f21129afd94fd7

memory/5184-88-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/3496-87-0x0000000074D10000-0x00000000754C0000-memory.dmp

memory/4088-89-0x0000000006E50000-0x0000000007012000-memory.dmp

memory/4088-90-0x0000000006CF0000-0x0000000006D40000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20241023-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iznarf.bplaced.net udp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
DE 162.55.0.137:80 iznarf.bplaced.net tcp

Files

memory/2908-0-0x000007FEF69BE000-0x000007FEF69BF000-memory.dmp

memory/2908-1-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

memory/2908-3-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

memory/2908-2-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

memory/2908-4-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

memory/2908-7-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

memory/2908-8-0x000007FEF69BE000-0x000007FEF69BF000-memory.dmp

memory/2908-9-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.55:4782 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp

Files

memory/2512-1-0x00000000003B0000-0x00000000006D4000-memory.dmp

memory/2512-0-0x00007FFDD8543000-0x00007FFDD8545000-memory.dmp

memory/2512-2-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 35110eedb3518d1905b88025bf11b77d
SHA1 c39e96cc0dcb14065984c3d3fbff331070e37feb
SHA256 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd
SHA512 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2

memory/3364-9-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp

memory/3364-10-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp

memory/3364-11-0x000000001B040000-0x000000001B090000-memory.dmp

memory/3364-12-0x000000001D140000-0x000000001D1F2000-memory.dmp

memory/2512-13-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp

memory/3364-14-0x00007FFDD8540000-0x00007FFDD9001000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240903-en

Max time kernel

150s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\RCXE5FE.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\RCXE5FF.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\winlogon.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCXBFAA.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCXD192.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\winlogon.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCXC662.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Google\Chrome\Application\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXC8D4.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCXCB46.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\RCXCD89.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Mail\1610b97d3ab4a7 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows Mail\fr-FR\RCXD3A6.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows Mail\fr-FR\dwm.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXE38C.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\winlogon.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\RCXD193.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows Mail\fr-FR\RCXD3B7.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXD628.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXD629.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\RCXD89A.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\RCXD89B.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXE38D.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Windows NT\TableTextService\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Mail\OSPPSVC.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCXC661.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Windows Portable Devices\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Google\Chrome\Application\System.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Windows Mail\fr-FR\dwm.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\winlogon.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Windows Mail\fr-FR\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Windows NT\TableTextService\explorer.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\RCXBF2C.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RCXC866.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\fr-FR\RCXCAD8.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\046b773a97cb66 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\RCXCD69.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\System.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\explorer.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\OSPPSVC.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppPatch\Custom\Custom64\csrss.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Windows\AppPatch\Custom\Custom64\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Windows\AppPatch\Custom\Custom64\RCXE870.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Windows\AppPatch\Custom\Custom64\RCXE871.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Windows\AppPatch\Custom\Custom64\csrss.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
PID 1712 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
PID 1712 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe
PID 768 wrote to memory of 1620 N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe C:\Windows\System32\WScript.exe
PID 768 wrote to memory of 1620 N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe C:\Windows\System32\WScript.exe
PID 768 wrote to memory of 1620 N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe C:\Windows\System32\WScript.exe
PID 768 wrote to memory of 2376 N/A C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe C:\Windows\System32\WScript.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a0" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "192f0f1221e376146e725a4d23ee69a01" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\192f0f1221e376146e725a4d23ee69a0.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Custom\Custom64\csrss.exe'

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\367d32be-5bd8-432d-8a4b-cf462ccb5190.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d7f4857-fd77-4ebf-9743-a7ce76ad4959.vbs"

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\558e0494-7bb6-46d1-8da6-b7d7bd26b796.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17ef93a9-ea76-482e-ae90-a1a15a6afe67.vbs"

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aa97c8d-c938-4752-be83-cf16ba904cd5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdb9f58f-91fa-4bfd-9034-59f39cc2ceed.vbs"

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\960df572-8523-4233-a5bc-eabd754d9a2c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3220d702-8c60-4c65-aa9c-7283d27b9f48.vbs"

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7468d560-5b21-4138-aacd-8df13e67b10f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a38f62d4-ecfe-4316-81c7-15798ac32855.vbs"

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c162ae6-1789-4fc0-b1e4-cebed116dd99.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6069be-d655-4237-83da-dd02e2db6cfc.vbs"

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe

"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\Idle.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecdd0072-ac3f-4e19-a57f-4f9c266bab2a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1633e71-b672-468f-96e6-9a062db59ddc.vbs"

Network

Country Destination Domain Proto
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp

Files

memory/1712-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

memory/1712-1-0x0000000000CE0000-0x0000000000ECA000-memory.dmp

memory/1712-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

memory/1712-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

memory/1712-4-0x00000000003F0000-0x00000000003F8000-memory.dmp

memory/1712-5-0x0000000000510000-0x0000000000520000-memory.dmp

memory/1712-6-0x0000000000A40000-0x0000000000A56000-memory.dmp

memory/1712-7-0x0000000000520000-0x000000000052A000-memory.dmp

memory/1712-8-0x00000000023B0000-0x0000000002406000-memory.dmp

memory/1712-10-0x0000000000A70000-0x0000000000A78000-memory.dmp

memory/1712-9-0x0000000000A60000-0x0000000000A6C000-memory.dmp

memory/1712-12-0x0000000000B00000-0x0000000000B12000-memory.dmp

memory/1712-13-0x0000000000B10000-0x0000000000B1C000-memory.dmp

memory/1712-16-0x000000001A9B0000-0x000000001A9B8000-memory.dmp

memory/1712-17-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

memory/1712-15-0x000000001A9A0000-0x000000001A9AE000-memory.dmp

memory/1712-14-0x000000001A990000-0x000000001A99A000-memory.dmp

memory/1712-18-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe

MD5 192f0f1221e376146e725a4d23ee69a0
SHA1 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff
SHA256 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d
SHA512 daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

C:\Program Files (x86)\Google\CrashReports\winlogon.exe

MD5 9cb7fbe5f1b87bad3ca1337d1e37b4b7
SHA1 df5d3354faba2c8e5c071114c12db899eed42916
SHA256 5fd1991a0955b2bd39ea13283b3d2af42f55fdad3a01983d3152a443a2797fbf
SHA512 b930c4d8ced639e8abf1431fdc472a5578ef12fef5aa0655e53d0a91d4cdb4adcdf4ac409f68c5a2844b96349dd2cb80ccddc8f35cc570b67c2bb53ec8c49d6e

C:\Users\Public\Favorites\wininit.exe

MD5 7250e8f37879c317955a66be6a84494d
SHA1 6390dc1cd0823a2fe008c16cfee0657f1b5009ff
SHA256 45fe19263445901da1c8f25822442e155fc571ed287f0d58d6791aabb4b40546
SHA512 ba64474733a15b6ec29e9728281257aa54051a46cf7a71a04e0c52761056faccaac7da4c0f63b7ae161587ec5a96a807d259784a076e39e9bdd6a004d4b49413

C:\Program Files\Windows Portable Devices\csrss.exe

MD5 6adc7438bacfd0b487b70b32d9d61129
SHA1 62407c0e86ac037c7e20cbb01044b6f4f39099fd
SHA256 cb4ecf850565228ac3a5e9c481558228c7eecb8bee6949b10c06fd9170d9d739
SHA512 60a20f70b273da351b42083034d59ff9437849cb36371bd869448a1e0a90588a180a43cfe9fbc642c95fa3b4f866966d0ecd635d6d3722583ff7f8ce984d4d32

C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe

MD5 3c5a8fb0efa0383426f86a52226ec298
SHA1 ed126bfde67434f35faf9c68a4aed275ab7dd450
SHA256 02be0d6a338743310baa7e991f33a636bb3f2ad9556ccd348203a2470d52bb49
SHA512 696f03e29e8aa7df070bdee594e65f729cb96fa9a3b4e7da1d34b4f9c80c7bc21e33f334ff2cff5af284ae9537a60b121a1ee46050179a51e87c3800f2fb094c

memory/1712-174-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

memory/1712-199-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

C:\Users\Default\Documents\spoolsv.exe

MD5 bff0cebd6b7da74a3c67902ac6e8f49e
SHA1 c76d32fc318ca883b5ac44de6d3b692d4faab86a
SHA256 dbd3675696fb0d87fb51ee41122afcd7fb00a723543ff32133bea4d51dfbf7fc
SHA512 bd24b0bcdd5edf6785e061cd5ab7678bd151c1274500502cce5da43296fd0937802286330c69964684a8e4b479b6b745a5fc4a715236ea8f0223dc35304d5572

C:\Users\Default\Saved Games\OSPPSVC.exe

MD5 11045deafaf02537620e3f5a39a7487d
SHA1 6348b067d2c135c4008c4b6cea21cd8a5d93d33b
SHA256 5a72aaddd31152462f2965fe4b1f434a1cb6a665c2b0cc681eb44e67de74ff87
SHA512 c7a588ebe10be7a61ca0f84e1f6970c47237793b2ec63752416ac242b00f850f7ce4198f89276614e3405eb9d3a7b070ab023f9a8cdf216c7a7cfffb7af41db9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 55326309b9fbc46af6d66e32f6057a7c
SHA1 4d7e130f0c5a1d049bb8a2c95e1a15d40bdec761
SHA256 9df3a85659ea298b646825000dd9ee6105aa7915236fd5d3e3cc5b83362583ca
SHA512 1df86c638a69ce2ae256e80055c01c38dd61eb313dd87111cb6b728014fe030653653ab2c6ed4d86498bc53021b4ae207458f8249cb1903b76060bb0d25046af

memory/768-280-0x0000000000370000-0x000000000055A000-memory.dmp

memory/2392-306-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

memory/1148-301-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/1712-362-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d7f4857-fd77-4ebf-9743-a7ce76ad4959.vbs

MD5 0d9197ae2d6d2ee9cc6c414e8b728ddb
SHA1 f970d3ad51c59f23829ab6bf1445f259d466c80d
SHA256 7423a09c27b52eea481d6d941ed24a45e847124a918216b2446e36be3319f244
SHA512 448f90adfa7b77c7d133c8279166e83e57d7f77dde4477a557c6fd211ff7076a01e443584fc37640a2db14f7d107b78d4bf670685d0c587536cb317bfc6997ad

C:\Users\Admin\AppData\Local\Temp\367d32be-5bd8-432d-8a4b-cf462ccb5190.vbs

MD5 93f4774599b410a638abacbe153d60af
SHA1 6de2a33667c0256aecd563a0654100a79dc5346f
SHA256 0d3f487d8ad8febb266dfc8d7c8d3c94409144b0d9246d710f56c0dd378c320b
SHA512 3e329d4dd005e4d58d7f8485f760310bf67d083b1a0a79ee95b89e2c47b59b33744d0b477d7a6966216b8ef67728e8d037d0e18c5ac0a1bc89b620d9db032d3f

memory/912-383-0x0000000000220000-0x000000000040A000-memory.dmp

memory/912-384-0x0000000000650000-0x0000000000662000-memory.dmp

memory/1360-395-0x0000000000B30000-0x0000000000D1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3aa97c8d-c938-4752-be83-cf16ba904cd5.vbs

MD5 6b06e4e01885f01958162b9039f754e7
SHA1 72cd843bcd5b8cd2c9af468b57d07c5773d5ceb4
SHA256 b0163a41ab3b82f20cc11f2d551caf5cc723bc34f8b8acee75e9da04113a532c
SHA512 2be77de09f84037b38d940eb0d1d7790b64d85dd8fb56437512fc903a95b6980c0c7aed29922351a7b511ea7dc23500e5edb7c1f65f86e255f7cefebb16bb8dc

memory/2916-407-0x0000000001000000-0x00000000011EA000-memory.dmp

memory/2916-408-0x0000000000550000-0x0000000000562000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\960df572-8523-4233-a5bc-eabd754d9a2c.vbs

MD5 03c42b63fea5450ceaef1ea09ed5f925
SHA1 8f07d96e44522bc1562a9276d3275c5a87ce841d
SHA256 3dae5f8fa563e1ae9d2f68ea63ebf1b17b7d1f5c37c8b904a38f3c6479d96b43
SHA512 41f77f7e5c0ceb3680ce5d7a902078e72b7cdaaa41e54c4d5b2fd3ac5b9ca6b3abe00fccfb3b9339c1284c093143234383a6d0fe63c0a088ec3f3b0c45208254

memory/832-420-0x00000000004B0000-0x0000000000506000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7468d560-5b21-4138-aacd-8df13e67b10f.vbs

MD5 19255de831ad73ccab7ff6b812bd3df1
SHA1 f3b82561a99cc1910049e1b5c3e88fa4d4505a97
SHA256 30dd0b0be876f5a05d7285c9db86f5e47fc8f646171dd873597444bb2ade085b
SHA512 cc548dc0139ddc2ac5cf1a94e6efbb53f594419a7b88a8d88363837924e765545b57bb9cd3c7d6a11dd2c6d288406828e489284460b8acb88b08ee1db96ddfe8

C:\Users\Admin\AppData\Local\Temp\0c162ae6-1789-4fc0-b1e4-cebed116dd99.vbs

MD5 81e88db8bee7dc0592a7cf21f8b2185f
SHA1 b8a056472f6ab7051a26e8ce8b60c7a7bf1954f3
SHA256 7a22a601dd5a555063b41e1bbed6aefe56d7e5682ddb82b94829d3779e1f1a2a
SHA512 cc12da9c42163ba5bd746aa5b97ed01a6104eb14705e2b3ecb239ba7e964af59c27ec54015d8ac736007c97055d8c4d9210234f43db6a431f572e39325899848

memory/2200-443-0x00000000010D0000-0x00000000012BA000-memory.dmp

memory/2200-444-0x0000000000640000-0x0000000000652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecdd0072-ac3f-4e19-a57f-4f9c266bab2a.vbs

MD5 83c8c006bbe0cc67031dbc1414bceed5
SHA1 08bb71a0f05f67417155722e01106136c82a9efb
SHA256 267277d3945fbb0f71c74d5b8008bf8716ebd192fffff366d63fc8e4afc3dc22
SHA512 4f76ae9a445b66d67c8865f0300f6017bfdcd282f32715e60e9e5f501815290a2ee4b1e319e1fc29520aa8ddd041edcc0b0370d04d4452e2c0cc5c60243ff26f

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20250207-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 2352 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp

Files

memory/2352-0-0x000007FEF4FE3000-0x000007FEF4FE4000-memory.dmp

memory/2352-1-0x0000000000AF0000-0x0000000000B30000-memory.dmp

memory/2352-2-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

memory/1392-7-0x000007FEECEAE000-0x000007FEECEAF000-memory.dmp

memory/1392-8-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/1392-9-0x0000000002230000-0x0000000002238000-memory.dmp

memory/1392-10-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp

memory/1392-11-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp

memory/1392-12-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp

memory/1392-14-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp

memory/1392-13-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp

memory/1392-15-0x000007FEECBF0000-0x000007FEED58D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 be1437ced762af72b3d45f6dac3ae330
SHA1 07ccced9fb7c913184d50d7ddcb34f483fc0b46c
SHA256 b79229fc6049235630fa608a8dcbd65c221741aed98094b6787b58213247862f
SHA512 0836b1f01c44c472e5c4a0b4dfe52e8f92954a58f973ef2a5f22945db47acbb5f250b09db4a333accfa1db712a83b04ca1e1a1f600d778e8d004cfbdf2766928

memory/2784-21-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/2784-22-0x0000000002250000-0x0000000002258000-memory.dmp

memory/2352-29-0x000007FEF4FE3000-0x000007FEF4FE4000-memory.dmp

memory/2352-30-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

memory/2912-36-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

memory/2352-40-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\app.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2340 set thread context of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 set thread context of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2592 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2592 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2340 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2340 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2340 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2340 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2340 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2340 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 752 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2340 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/2592-0-0x0000000074B02000-0x0000000074B03000-memory.dmp

memory/2592-1-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2592-2-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2592-5-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2592-6-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2592-18-0x0000000074B02000-0x0000000074B03000-memory.dmp

memory/2592-19-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2592-20-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2592-21-0x0000000074B00000-0x00000000750B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\app.exe

MD5 c5de36531a3c4a3a1d9098ac862e5214
SHA1 648231e5533d7ce188ff90a9c851fd2f22a73930
SHA256 20083eeac2dc9fbeadca54a8a1f74c44336baacdd1d7ccb06836ec1946cd9857
SHA512 2beb218cac41a38f912858d60398b1597c705942c7aa33f98aff4cdbc1788a5a915eeb543ce775f39d8e5847ba829bb48779431ff6a69b092df445e5492504e5

memory/2592-32-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2340-33-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2340-34-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2340-35-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2340-36-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2340-37-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/3952-39-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/3952-40-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/3952-41-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2340-42-0x0000000074B00000-0x00000000750B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log

MD5 b3ac9d09e3a47d5fd00c37e075a70ecb
SHA1 ad14e6d0e07b00bd10d77a06d68841b20675680b
SHA256 7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432
SHA512 09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

memory/752-58-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2340-62-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/2340-65-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/3952-66-0x0000000074B00000-0x00000000750B1000-memory.dmp

memory/3952-67-0x0000000074B00000-0x00000000750B1000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

106s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 142.250.187.195:80 c.pki.goog tcp

Files

memory/5784-0-0x00007FFB7D563000-0x00007FFB7D565000-memory.dmp

memory/5784-1-0x00000000005F0000-0x00000000007FA000-memory.dmp

memory/5784-2-0x00007FFB7D560000-0x00007FFB7E021000-memory.dmp

memory/5784-3-0x0000000001010000-0x000000000101E000-memory.dmp

memory/5784-4-0x0000000001020000-0x000000000102E000-memory.dmp

memory/5784-6-0x00007FFB7D560000-0x00007FFB7E021000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

64s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Output.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Output.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 5320 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1632 wrote to memory of 5320 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1632 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 1632 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4120 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4120 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4120 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4120 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2340 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2340 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2340 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2340 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2056 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2056 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2056 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2056 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4416 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4416 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4416 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4416 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4496 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4496 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4496 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4496 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4692 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4692 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4692 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4692 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4832 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4832 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 4832 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4832 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3020 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3020 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 3020 wrote to memory of 5924 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 3020 wrote to memory of 5924 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5924 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5924 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5924 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5924 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4184 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4184 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4184 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 4184 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5064 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5064 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5064 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1696 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1696 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1696 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 1696 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2632 wrote to memory of 712 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2632 wrote to memory of 712 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2632 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2632 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2552 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2552 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2552 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2552 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5036 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5036 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 5036 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 5036 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv URhMR8YXLU++kEb1nIfiyQ.0.2

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
N/A 127.0.0.1:7000 tcp
GB 142.250.180.3:80 c.pki.goog tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/1632-0-0x00007FFF4DE33000-0x00007FFF4DE35000-memory.dmp

memory/1632-1-0x0000000000910000-0x0000000000966000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 e0918682feb10b28a39a9cfbf4d2d90c
SHA1 c33f8518747e96955387bac3c8299eea24357fe0
SHA256 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01
SHA512 dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 3ac2fbaa37549eb0c50eedbca0da41c2
SHA1 a486d241a02989d2adbff9785c7c39e68a2934af
SHA256 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd
SHA512 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7

memory/5320-23-0x0000000000C90000-0x0000000000CA2000-memory.dmp

memory/4120-26-0x00000000007B0000-0x00000000007F6000-memory.dmp

memory/5320-27-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/4120-30-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp

memory/4120-33-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp

memory/5320-64-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp

memory/5320-93-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp

memory/5320-94-0x00007FFF4DE30000-0x00007FFF4E8F1000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\app.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 980 set thread context of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 set thread context of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 4468 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 4468 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 980 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 980 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 980 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 980 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 980 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 980 wrote to memory of 5908 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 980 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe

"C:\Users\Admin\AppData\Local\Temp\1b7c2cbdf74b50ca0c081bd3404b8054bd85c6e0ab7b65f5863d2dd3d2fc9cfc.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/4468-0-0x0000000074892000-0x0000000074893000-memory.dmp

memory/4468-1-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4468-2-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4468-5-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4468-6-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4468-7-0x0000000074892000-0x0000000074893000-memory.dmp

memory/4468-8-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4468-20-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4468-21-0x0000000074890000-0x0000000074E41000-memory.dmp

C:\Users\Admin\AppData\Roaming\app.exe

MD5 2a36c9ca52118eb7a7364b577e156cd5
SHA1 83f62a4a8643b9dfd89f6750a1b5e63a9d525b17
SHA256 6fa17b9dbde9b2f03975a5b5f44d7d2d4153aed94bebbd2098939a3562dac901
SHA512 bfbea8459c5135b6b21a2dc5bd149b0f775e4d540f7868252beb4e344e9de6e9040cb791da04186d487d92ef45a890154f80e62ebd16ac828f81ac2f6071732a

memory/980-33-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4468-32-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/980-34-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/980-35-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/980-36-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/3636-39-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/3636-40-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/3636-38-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/980-41-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/4100-56-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

memory/980-59-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/980-62-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/3636-63-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/3636-64-0x0000000074890000-0x0000000074E41000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240903-en

Max time kernel

121s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/2968-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

memory/2968-1-0x00000000000C0000-0x0000000000416000-memory.dmp

memory/2968-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/2968-4-0x00000000005E0000-0x00000000005EA000-memory.dmp

memory/2968-3-0x00000000005E0000-0x00000000005EA000-memory.dmp

memory/2196-7-0x000000006C121000-0x000000006C122000-memory.dmp

memory/2196-8-0x000000006C120000-0x000000006C6CB000-memory.dmp

memory/2196-9-0x000000006C120000-0x000000006C6CB000-memory.dmp

memory/2196-10-0x000000006C120000-0x000000006C6CB000-memory.dmp

memory/2196-11-0x000000006C120000-0x000000006C6CB000-memory.dmp

memory/2196-12-0x000000006C120000-0x000000006C6CB000-memory.dmp

memory/2968-14-0x0000000004CC0000-0x0000000004D00000-memory.dmp

memory/2968-13-0x00000000740CE000-0x00000000740CF000-memory.dmp

memory/2968-15-0x00000000740C0000-0x00000000747AE000-memory.dmp

memory/2968-16-0x0000000004CC0000-0x0000000004D00000-memory.dmp

memory/2968-17-0x00000000005E0000-0x00000000005EA000-memory.dmp

memory/2968-18-0x00000000005E0000-0x00000000005EA000-memory.dmp

memory/2968-19-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:12

Platform

win7-20241010-en

Max time kernel

144s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\app.exe" C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2848 set thread context of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 set thread context of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\app.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\app.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\app.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2288 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2288 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2288 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2848 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2848 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2848 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2848 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\app.exe
PID 2848 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2848 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2848 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2848 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Users\Admin\AppData\Roaming\My.RawFile.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
PID 2848 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\app.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\My.RawFile.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe

"C:\Users\Admin\AppData\Local\Temp\196a171e0e93d86ea0a2e62e57df3214202969dfdc4a3d635f228fe0a53565b9.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\app.exe

"C:\Users\Admin\AppData\Roaming\app.exe"

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

"C:\Users\Admin\AppData\Roaming\My.RawFile.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.192.18.101:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp

Files

memory/2288-0-0x0000000074B31000-0x0000000074B32000-memory.dmp

memory/2288-1-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2288-2-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2288-12-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2288-13-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2288-14-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2288-15-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2288-27-0x0000000074B30000-0x00000000750DB000-memory.dmp

\Users\Admin\AppData\Roaming\app.exe

MD5 97863757bcbb19ac4b85fdee34b532c2
SHA1 546673271b915dec79834f35767c7045b5aaf6a2
SHA256 05186a0de5bb7938a8b1f81f215abcec797e51d48f92979b1ae5ab57d1683ec6
SHA512 419ab1c94e00e5d278d86513d7d47c61b3b7ee7647bf4bad1e9a5baa34c7730f57210dda360ed202de7644e52ac088409592c22f369ce0aad5e624a1d0d9df77

memory/2288-34-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2848-35-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2848-36-0x0000000074B30000-0x00000000750DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab213.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27213d35f7b05b4b1bc63b078af737c2
SHA1 4563bf2eb797517a31134de93e49160858d9ac4b
SHA256 3b387eaef710efe6237c7982fcd0ea249875812298f4825d125dcc370a680474
SHA512 2c6c2bba83b0f570bba60d577e93c4704c244199c3c92265f47b08aac7d7cc20ba0ac07f57d1a02db2e277a077d6fb493fd0eac7e5f8369f134bb27bc36b9f8f

memory/2848-45-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2848-46-0x0000000074B30000-0x00000000750DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar1141.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Roaming\My.RawFile.exe

MD5 5a733ef0de5e31e2e4b4abb016c0f251
SHA1 28644040a6deac35c20fa931b5d003a97293363e
SHA256 a80c77ca694eca3f6629c54572aba811e64b61975c5db2ff38c8d662d12b1ce7
SHA512 9d09ac6b6a560643cac08345ab6ef8578011b11be7d4821d7aa1b3d76f2801d30cb4d206a4ff9335f0ece5cfa2ec8258754b2481102eac3da064e5005f7ffba9

memory/1292-97-0x0000000000080000-0x0000000000090000-memory.dmp

memory/1292-94-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2848-98-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/1292-90-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2968-79-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2968-78-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2968-77-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2968-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2968-74-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2968-72-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2968-70-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2968-68-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2848-99-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2848-102-0x0000000074B30000-0x00000000750DB000-memory.dmp

memory/2848-103-0x0000000074B30000-0x00000000750DB000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

103s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe

"C:\Users\Admin\AppData\Local\Temp\197a511efac9c171f1a50077e9ae4a32.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp""

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/644-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

memory/644-1-0x0000000000A20000-0x0000000000D76000-memory.dmp

memory/644-2-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/644-3-0x00000000057D0000-0x00000000057EC000-memory.dmp

memory/644-4-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/644-5-0x0000000006090000-0x0000000006634000-memory.dmp

memory/4488-6-0x00000000024E0000-0x0000000002516000-memory.dmp

memory/4488-7-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/4488-9-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/4488-8-0x0000000004C00000-0x0000000005228000-memory.dmp

memory/4488-10-0x0000000005260000-0x0000000005282000-memory.dmp

memory/4488-12-0x00000000054A0000-0x0000000005506000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljvetwjo.isr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4488-11-0x0000000005380000-0x00000000053E6000-memory.dmp

memory/4488-23-0x0000000005510000-0x0000000005864000-memory.dmp

memory/4488-22-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/4488-24-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

memory/4488-25-0x00000000060D0000-0x000000000611C000-memory.dmp

memory/4488-27-0x000000006D030000-0x000000006D07C000-memory.dmp

memory/4488-28-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/4488-40-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/4488-39-0x0000000006AE0000-0x0000000006B83000-memory.dmp

memory/4488-41-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/4488-38-0x0000000006040000-0x000000000605E000-memory.dmp

memory/4488-26-0x0000000006070000-0x00000000060A2000-memory.dmp

memory/4488-43-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

memory/4488-42-0x0000000007430000-0x0000000007AAA000-memory.dmp

memory/4488-44-0x0000000006E60000-0x0000000006E6A000-memory.dmp

memory/4488-45-0x0000000007070000-0x0000000007106000-memory.dmp

memory/4488-46-0x0000000006FF0000-0x0000000007001000-memory.dmp

memory/4488-47-0x0000000007020000-0x000000000702E000-memory.dmp

memory/4488-48-0x0000000007030000-0x0000000007044000-memory.dmp

memory/4488-49-0x0000000007130000-0x000000000714A000-memory.dmp

memory/4488-50-0x0000000007110000-0x0000000007118000-memory.dmp

memory/4488-53-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/644-54-0x000000000A9B0000-0x000000000A9B8000-memory.dmp

memory/644-57-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/644-56-0x000000000ACF0000-0x000000000ACFE000-memory.dmp

memory/644-55-0x000000000AD20000-0x000000000AD58000-memory.dmp

memory/644-58-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

memory/644-59-0x0000000074BF0000-0x00000000753A0000-memory.dmp

memory/644-60-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20241023-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1672 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1672 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 1672 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 1672 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2304 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2304 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2304 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2304 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2304 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2304 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2420 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2420 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2420 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2420 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2420 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2420 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2920 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2920 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2920 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe
PID 2920 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\Output.exe C:\Users\Admin\AppData\Roaming\Output.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe

"C:\Users\Admin\AppData\Local\Temp\1b0acebe24bf7a0fa1e25e0e9174184ad9827298b7ff75384049deed6e74c306.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\Output.exe

"C:\Users\Admin\AppData\Roaming\Output.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/1672-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

memory/1672-1-0x0000000001000000-0x0000000001056000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 e0918682feb10b28a39a9cfbf4d2d90c
SHA1 c33f8518747e96955387bac3c8299eea24357fe0
SHA256 8f7a69675281f0e5f2fd0b43c64434fdb132fdca1eb82cf23aa947f83c833d01
SHA512 dcb3961832197bf33b4e554a69b95a17c847fccde7211ca96ee0a9ad975a051f93e6f29a3a9525279b2aaf9d6b7208a8ddeb8c1d430e79ddf4155f5629038fa7

memory/2308-11-0x00000000003A0000-0x00000000003B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Output.exe

MD5 3ac2fbaa37549eb0c50eedbca0da41c2
SHA1 a486d241a02989d2adbff9785c7c39e68a2934af
SHA256 815021055de7349aafb51c6788bfd8f1a0f9fc242e842d6b8bf639283a4658fd
SHA512 76ac7165eba850a34e9dd459c538e1e0ceaee09896e711dabc1272c76a0a79b0826124cec4c43d626b390c222367af55b3de452312e51725f994d218cbe0e7f7

memory/2304-13-0x0000000000280000-0x00000000002C6000-memory.dmp

memory/2308-17-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

memory/2308-21-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

memory/2308-22-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20250207-en

Max time kernel

126s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Windows\system32\schtasks.exe
PID 1192 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Windows\system32\schtasks.exe
PID 1192 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Windows\system32\schtasks.exe
PID 1192 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1192 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1192 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2520 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2520 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe
PID 2520 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe

"C:\Users\Admin\AppData\Local\Temp\1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp
N/A 192.168.1.55:4782 tcp

Files

memory/1192-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

memory/1192-1-0x0000000000E20000-0x0000000001144000-memory.dmp

memory/1192-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 35110eedb3518d1905b88025bf11b77d
SHA1 c39e96cc0dcb14065984c3d3fbff331070e37feb
SHA256 1bbf7d818b40f8fa0da224e39f27829bb7d8a8bdbec66fa62cfba39cd0d6d3fd
SHA512 08a3db05d373eb18f9b86fcea5b4338bd4cf3ca60df9906873bc0eb4d2dd6bc544890d23543df9be0848647d89a14d51010a7498bf8041c6872d8af768e035d2

memory/2520-9-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

memory/2520-8-0x0000000000270000-0x0000000000594000-memory.dmp

memory/2520-11-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

memory/1192-10-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

memory/2520-12-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

128s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\it-IT\0a1fd5f707cd16 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\RCX9359.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX988D.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA5B7.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\RCXB1B7.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA7CB.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\RCXB1C7.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\b8efadc0803b95 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXA305.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA849.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files\Windows Media Player\it-IT\RCX9369.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXA315.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\RCXA5A6.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX989D.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LiveKernelReports\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\LiveKernelReports\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\LiveKernelReports\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\LiveKernelReports\RCXA072.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\LiveKernelReports\RCXA073.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 5684 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 5596 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 5596 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 5208 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 5208 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 1848 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 636 wrote to memory of 5028 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 636 wrote to memory of 5028 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 636 wrote to memory of 776 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 636 wrote to memory of 776 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 5028 wrote to memory of 1564 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 5028 wrote to memory of 1564 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 1564 wrote to memory of 2504 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 2504 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 1848 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1564 wrote to memory of 1848 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 2504 wrote to memory of 1608 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 2504 wrote to memory of 1608 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 1608 wrote to memory of 5396 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1608 wrote to memory of 5396 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1608 wrote to memory of 1788 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 1608 wrote to memory of 1788 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 5396 wrote to memory of 6128 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 5396 wrote to memory of 6128 N/A C:\Windows\System32\WScript.exe C:\Program Files\Windows Media Player\it-IT\sppsvc.exe
PID 6128 wrote to memory of 4916 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 6128 wrote to memory of 4916 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 6128 wrote to memory of 1188 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe
PID 6128 wrote to memory of 1188 N/A C:\Program Files\Windows Media Player\it-IT\sppsvc.exe C:\Windows\System32\WScript.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Windows Media Player\it-IT\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\4d7dcf6448637544ea7e961be1ad\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca1" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/4d7dcf6448637544ea7e961be1ad/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/4fc20efa2b2ad5aa4b35f8fcca90f7df/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files\Windows Media Player\it-IT\sppsvc.exe

"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e920aaf-2d28-4db8-8c57-20b01a64ccd1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f05bf25-4175-4d9d-a0bc-6d7df99ed6db.vbs"

C:\Program Files\Windows Media Player\it-IT\sppsvc.exe

"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b8a4abf-acc7-4fd4-9897-c468b0519d40.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f02882-59c6-4905-9be8-1a5fbbfa042c.vbs"

C:\Program Files\Windows Media Player\it-IT\sppsvc.exe

"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73264ea4-08f2-4f30-981c-2a72705d32c6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bb12026-5f72-4af6-8d4d-edc895fd7efe.vbs"

C:\Program Files\Windows Media Player\it-IT\sppsvc.exe

"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d288c75-a642-4201-bac7-d8299702582b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a265beb2-ff6d-4517-8be1-d0689a132954.vbs"

C:\Program Files\Windows Media Player\it-IT\sppsvc.exe

"C:\Program Files\Windows Media Player\it-IT\sppsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 a0889572.xsph.ru udp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
NL 4.175.87.197:443 tcp
NL 4.175.87.197:443 tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp

Files

memory/1848-0-0x00007FF91ECC3000-0x00007FF91ECC5000-memory.dmp

memory/1848-1-0x00000000000B0000-0x00000000009A8000-memory.dmp

memory/1848-2-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/1848-3-0x00007FF91ECC0000-0x00007FF91F781000-memory.dmp

memory/1848-4-0x0000000002A30000-0x0000000002A3E000-memory.dmp

memory/1848-5-0x0000000002A40000-0x0000000002A4E000-memory.dmp

memory/1848-13-0x000000001CF80000-0x000000001CF92000-memory.dmp

memory/1848-16-0x000000001CF90000-0x000000001CFA0000-memory.dmp

memory/1848-15-0x000000001CE10000-0x000000001CE18000-memory.dmp

memory/1848-17-0x000000001CFA0000-0x000000001CFAA000-memory.dmp

memory/1848-18-0x000000001CFB0000-0x000000001D006000-memory.dmp

memory/1848-21-0x000000001D020000-0x000000001D02C000-memory.dmp

memory/1848-24-0x000000001D040000-0x000000001D052000-memory.dmp

memory/1848-26-0x000000001D070000-0x000000001D07C000-memory.dmp

memory/1848-29-0x000000001D0A0000-0x000000001D0AC000-memory.dmp

memory/1848-30-0x000000001D0B0000-0x000000001D0BC000-memory.dmp

memory/1848-36-0x000000001D2F0000-0x000000001D2FE000-memory.dmp

memory/1848-40-0x000000001D340000-0x000000001D34A000-memory.dmp

memory/1848-41-0x000000001D360000-0x000000001D36C000-memory.dmp

memory/1848-39-0x000000001D320000-0x000000001D328000-memory.dmp

memory/1848-38-0x000000001D310000-0x000000001D31C000-memory.dmp

memory/1848-37-0x000000001D300000-0x000000001D308000-memory.dmp

C:\4d7dcf6448637544ea7e961be1ad\upfc.exe

MD5 518e21ada29ef9b6dcfa8710b76ef169
SHA1 613c59e1ed18c8a50df59a5d7496cc74b3a36d2f
SHA256 2525437093b8cea2cf0081eb98d9286dc198973a004d9ffa2d721a8873ce0b5d
SHA512 d1f13c1e9317d20b14ab1434ca1fcf9bbc93d95ba24dfe744fec14cdbd60f324bdc8fdb6eefe1bb7b9df3c119eab58a7b249d71bfea8c19b70cad94acaf93f57

C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\backgroundTaskHost.exe

MD5 5d8505501b7faa4c7e541b0a32467a58
SHA1 ed0b9de10c38774af49d9279e25a8958817f33a7
SHA256 1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca
SHA512 a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

memory/1848-35-0x000000001D2E0000-0x000000001D2E8000-memory.dmp

memory/1848-34-0x000000001D2D0000-0x000000001D2DE000-memory.dmp

memory/1848-33-0x000000001D2C0000-0x000000001D2CA000-memory.dmp

memory/1848-32-0x000000001D350000-0x000000001D35C000-memory.dmp

memory/1848-31-0x000000001D330000-0x000000001D338000-memory.dmp

memory/1848-28-0x000000001D090000-0x000000001D098000-memory.dmp

memory/1848-27-0x000000001D080000-0x000000001D08C000-memory.dmp

memory/1848-25-0x000000001D5A0000-0x000000001DAC8000-memory.dmp

memory/1848-22-0x000000001D030000-0x000000001D038000-memory.dmp

memory/1848-20-0x000000001D010000-0x000000001D018000-memory.dmp

memory/1848-19-0x000000001D000000-0x000000001D00C000-memory.dmp

memory/1848-14-0x000000001CE20000-0x000000001CE2C000-memory.dmp

memory/1848-12-0x000000001CE00000-0x000000001CE08000-memory.dmp

memory/1848-11-0x000000001CDE0000-0x000000001CDF6000-memory.dmp

memory/1848-10-0x000000001B610000-0x000000001B620000-memory.dmp

memory/1848-9-0x000000001B5F0000-0x000000001B5F8000-memory.dmp

memory/1848-8-0x000000001CE30000-0x000000001CE80000-memory.dmp

memory/1848-7-0x000000001B5D0000-0x000000001B5EC000-memory.dmp

memory/1848-6-0x000000001B5C0000-0x000000001B5C8000-memory.dmp

C:\Program Files (x86)\Internet Explorer\fr-FR\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

MD5 3aee48e5bac720b0806f714256fef029
SHA1 89afdba09b16adcfec9279bcf65dbe94396e3a01
SHA256 a670ea7da08b60c94f7e9f70d850514e2a2cdfbdc187276a1f6a78f86763fcf3
SHA512 1cccb4b1fbae5366d3b1023bbe4685a800c67380b2057dec7e459d11054b0a5701b705cea088f4a66750ec734baa9365795b3994a8da27d9e36bf3ea27735377

memory/1848-188-0x00007FF91ECC3000-0x00007FF91ECC5000-memory.dmp

memory/1848-212-0x00007FF91ECC0000-0x00007FF91F781000-memory.dmp

C:\4d7dcf6448637544ea7e961be1ad\backgroundTaskHost.exe

MD5 2510e74d6604e16f5eb602abbe3ec2f3
SHA1 85322b8268e420cf92511c74c4cda6c30a49cc5c
SHA256 10040b110aee3f822ebe61d6438dd44e31ee928e3a04d5cc7247c4cfbdd08f07
SHA512 1c1583940210f54fbe05b4d33f9519fadd47200bec775cec88a9e04af4d692a061be7bb9b2a6f02c8a914bfa68a3c080958a1ba31b0045fdac0ab69ccf1dc5a7

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyrohzq0.b5e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1772-301-0x000001F7251F0000-0x000001F725212000-memory.dmp

memory/1848-425-0x00007FF91ECC0000-0x00007FF91F781000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 82da496008a09abc336bf9adbe6453dd
SHA1 a57df6c2432c6bf7ab549a4333e636f9d9dfebd2
SHA256 69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810
SHA512 86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3c9a06205efb4ec6b1ca25ba605f9f6d
SHA1 53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8
SHA256 4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a
SHA512 e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3fe089fecc1a7897c40a12707d788ca9
SHA1 97f8ab9020333729ec191b3dbd044c57227b84fc
SHA256 70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c
SHA512 4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7cd541695b3cebb31ad4b3e131bfb4d5
SHA1 16d8085de66ff920f6028c282afb3183bed8865a
SHA256 dc0ae36677b455e1b5c66859b5b2cac1b3a29aabd281f52ac682cc4b99b84fe3
SHA512 f90fa2d9c231a0a00579deafce7b74c2f043485d560c4377c2591a37dad4c79638b30025adb896107a3cb9b5f21f24289f1fe1f3bb73dcd16e346ab95b7bd56f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fd95e4475b8798a58a9e9d19409c1eac
SHA1 571d070dd6315847c4ba334670beffd245a35c45
SHA256 d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729
SHA512 1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9ec1de5af22ee94e2a00a91da98957bd
SHA1 0ade5098be757a47adb6d5d0dbf576bcf41d6253
SHA256 540ab5c28d94cbbe9c9bf5334eb8dd7e203b7c4aa5c6f195f95fe64965f1ed76
SHA512 8c2242c22a8c2baa92e2ec47fd29447caa709093ed4ff6ee459f8f438c193bc0cb9f5baaf113696c63227f7a67462214236703569689f50272a6f37f5f63452b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 750e4be22a6fdadd7778a388198a9ee3
SHA1 8feb2054d8a3767833dd972535df54f0c3ab6648
SHA256 26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1
SHA512 b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2044ef36c414ed6e6c991e5fbe7d5bf1
SHA1 0dbd4be869af1290a771fa295db969dc14b2a1fc
SHA256 1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6
SHA512 304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

C:\Users\Admin\AppData\Local\Temp\4f05bf25-4175-4d9d-a0bc-6d7df99ed6db.vbs

MD5 dcbc79a4588cd89330cc36d040f6c9af
SHA1 f05ddbed99b87e8594b839c40975480850fafe8a
SHA256 3e5a0baca9290c80c3c485c38a88f210345f123256909e9c6d9208e26d666163
SHA512 30b5ae2b1db63d99e07de4a2a1f9f45861207a00254347cc0c5a115edafe3c1796f47b1eff004ac3f9c49531233b99a5c95445d24cd851e906d0a4e76290b9f0

C:\Users\Admin\AppData\Local\Temp\6e920aaf-2d28-4db8-8c57-20b01a64ccd1.vbs

MD5 197c6140b55931d6be1f67211634df79
SHA1 1173948c21a0cac43e3f903e0c3915bd52d4feb5
SHA256 91067df273f0921deca2c478f14c95eb647dac0995d3822dd48b30f10cff3ccf
SHA512 2c8c41934eed43dfb134ec71cad8027d8157c71ae13e61ba63c0508995536135861bf724867d912b14a2742edee50ccef33db815a947efa96f3638c382c927da

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

MD5 229da4b4256a6a948830de7ee5f9b298
SHA1 8118b8ddc115689ca9dc2fe8c244350333c5ba8b
SHA256 3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11
SHA512 3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

C:\Users\Admin\AppData\Local\Temp\7b8a4abf-acc7-4fd4-9897-c468b0519d40.vbs

MD5 03a6bb911504abf0eb13554c3e264e2d
SHA1 e67a07eb09667099f037c003337dd5361cbc4380
SHA256 63f5c3fce4135308bb3339c6aeaaacacd0dc83328618cacd67445c95af3acf64
SHA512 a4e712684fa4901516e1a8111aa92148376e1a19800ca8089bfc1e93700cd160b0652e61d99cf40720a2ed968a5933a690b36718497fb82625f2fe4646659f55

memory/1608-479-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\73264ea4-08f2-4f30-981c-2a72705d32c6.vbs

MD5 6e58ec49de3166bf3b933a9eb67fe100
SHA1 881812fde1d30c561cbc1e5ba5b21008712ac4be
SHA256 c6c87ffb295dd04d2b34d1ee127f19aaed607c48d5791a984ae89014e4eb18ba
SHA512 3d043b6981e0142c9ea8c589ef74ff001b5eba402ab220b4b43ac3223d3cb97ccee67497be5ca57472e092043b27962bf1c7bdfc1da13e83ef9097d79616f6de

memory/6128-492-0x000000001B6C0000-0x000000001B6D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6d288c75-a642-4201-bac7-d8299702582b.vbs

MD5 4545d8505c580f7aeccc4f2b5c946f66
SHA1 7d990b1e419ad8a53b82c8791a29914f745288e0
SHA256 b4ab2470e506cd7afccd50846b9109d23dc1cce3ba483fb55ea12540bb905c58
SHA512 f0c5531ae967755114a706670862348ca2685c310289f17594cffe7203484f961ad9a258e190d6b340076fdc90dc4a0dbf4f52430bb8c760e6df601d5982bc25

C:\Program Files\Windows Media Player\it-IT\sppsvc.exe

MD5 6d8c32b1ff296b5d9173cb53bc91ff7e
SHA1 068c277b4593782dec08c219a8717b456efa0d64
SHA256 e5a9ccb7b29dbc011ac5c74216f97e9dd0ec58e001f668998480562800beaea5
SHA512 e4c2fe5be5b747d056858aeef26ace2db9ba45ebbd6db23d226e82a040ac4e41676c33880d16ed8112960b0024b552562581cde9a6e86b3c02f1ddf738a1abd1

Analysis: behavioral4

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

104s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 1752 wrote to memory of 5600 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 1752 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 1752 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 1752 wrote to memory of 5332 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 1752 wrote to memory of 5332 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 1752 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe
PID 1752 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe

"C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\193e069cb0734f2f4107d4c1fbb7f3b22d8783932eaa405bb7a0e52cb86fcfe1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/1752-1-0x00000230A63F0000-0x00000230A6430000-memory.dmp

memory/1752-0-0x00007FFA84013000-0x00007FFA84015000-memory.dmp

memory/1752-2-0x00007FFA84010000-0x00007FFA84AD1000-memory.dmp

memory/1444-3-0x00007FFA84010000-0x00007FFA84AD1000-memory.dmp

memory/1444-13-0x00000214DC900000-0x00000214DC922000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2nes3nn.nxw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1444-14-0x00007FFA84010000-0x00007FFA84AD1000-memory.dmp

memory/1444-15-0x00007FFA84010000-0x00007FFA84AD1000-memory.dmp

memory/1444-18-0x00007FFA84010000-0x00007FFA84AD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 efa4168b73a5e8ae56d49bcac4d67861
SHA1 b3fe6b2d9fc05ad7892a2c8b96914764336b3067
SHA256 7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca
SHA512 a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

memory/1752-32-0x00000230C0D20000-0x00000230C0D96000-memory.dmp

memory/1752-31-0x00000230A6A80000-0x00000230A6AD0000-memory.dmp

memory/1752-33-0x00000230A6A50000-0x00000230A6A6E000-memory.dmp

memory/1752-41-0x00000230C0900000-0x00000230C0912000-memory.dmp

memory/1752-40-0x00000230A6AD0000-0x00000230A6ADA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 74a6b79d36b4aae8b027a218bc6e1af7
SHA1 0350e46c1df6934903c4820a00b0bc4721779e5f
SHA256 60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04
SHA512 60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

memory/1752-55-0x00007FFA84013000-0x00007FFA84015000-memory.dmp

memory/1752-56-0x00007FFA84010000-0x00007FFA84AD1000-memory.dmp

memory/1752-57-0x00000230C09D0000-0x00000230C0AD2000-memory.dmp

memory/1752-60-0x00000230C09D0000-0x00000230C0AD2000-memory.dmp

memory/1752-61-0x00007FFA84010000-0x00007FFA84AD1000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe

"C:\Users\Admin\AppData\Local\Temp\1a4ae15ef300f51f70607edc1e8e62a3.exe"

Network

N/A

Files

memory/2204-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

memory/2204-1-0x0000000001260000-0x000000000146A000-memory.dmp

memory/2204-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

memory/2204-3-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2204-4-0x0000000000420000-0x000000000042E000-memory.dmp

memory/2204-5-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:12

Platform

win7-20241010-en

Max time kernel

154s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1248 set thread context of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1068 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1068 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1068 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1248 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2820 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2820 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2820 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2820 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.192.18.101:80 www.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp

Files

memory/1068-0-0x0000000074591000-0x0000000074592000-memory.dmp

memory/1068-1-0x0000000074590000-0x0000000074B3B000-memory.dmp

memory/1068-2-0x0000000074590000-0x0000000074B3B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6376.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6398.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1068-27-0x0000000074590000-0x0000000074B3B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar7638.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99ae410abb902ccc96f9e9207afe5f85
SHA1 84f2ae1a979dd51f614b666d1e0ce7856e188ce4
SHA256 93d5db439677c5712357d91d72e494167fc447015d937fa26d0746157ff7ba30
SHA512 f775d36cf8bb44f183d0ab8a300a427973cd180e33f7c144a13ab76d846b1024c005e9f3fa61e789ae2f33e3236f840d466e7b7dd60bd5ee47dd3b4071a3beb1

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 934c06a6c53a006b0d3ca9c7d3ac3ecf
SHA1 23c4fb0d070ba1100669b88cf1b5acdbb6d01de7
SHA256 99e28f01a0b7f46bc7e2009cae50076243314e2f24d9605bce5084a24055a9ba
SHA512 a464e9a55c81a231d5a89f85d04a326358c6f7c995b26edea73c6a4bd65b6b995e686e8da12c6585736af70e52e32cfafc0ca5c5b8391d464987d4620917d07d

memory/1068-194-0x0000000074590000-0x0000000074B3B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 3b5e0bd6640456a749d9155e6c135727
SHA1 7d985e42e7df8cac3cf7ec917df10b9fbef09a21
SHA256 c362a3d2b661c6066a02fc169faaa1976c2f6160da5837c7e68b7e0f67b794ed
SHA512 b1b669bad519dccab5224c8fcdb13bb2b015e22fd30ba57e92c9cde4480e655f19f0bbb862db5fd87828d2a3ab74c4a6090f36b6358f9eefe5c82e024afe4a3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 1ea27366e034eb9447a33ce639c01489
SHA1 d12ed3e7e60c65ce90f0a58b9b9e47292caed923
SHA256 788d210ef206a4d11b6b506bf52124ee03fca4e8a9389fad43772202a7e29452
SHA512 e06f7443f0f7ca5db4411aa0718102c08068e95ec305b6b53c0b42a941a877de39f95c7e7514e69316b41a7ac19eaa6ccddc581fe475bdb842ec920691726e49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 f2f1c636dbc689355839f18c6906a8de
SHA1 edb68abcac18b4ba1889e2c5034763ecf4eeaba4
SHA256 5faf6f41e206396f1fc7ae233fbce325072ff53669183cdc3978e7550dbd772e
SHA512 5081daa24cdeec5d0f239cbe40ee7aacd1cd0fafb39aa6b278c179e6ee64f1babde8b1be2b588078ba9261f0cc359b4779fd64f01ddb8d98ec2c2abb7346e844

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 ce6e373f789785f9bcf0117b43acfab9
SHA1 41cf4d6f84850c1daecf01b885e3b8a805714dc8
SHA256 1e268eb9162d27a500cd58404fbc33c04a299d5d1ea6e8d7b419472b9127ee26
SHA512 91e0e3becaa36336cde36f6d66079aa7925e984b5b8b70be8bae9259f6439238da5474dbc6f9fe14360aec502e7553b3b5e99bbefafb841d8fc9c97748fb528f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc5d75b2548d4461b99aba29aaed2ac5
SHA1 c6f69117ed88fdc9c1a1c3d17ee2ef2cf40dd905
SHA256 5780c686ece37e97e137976fa63af25cfaf21dc596f6a1d5fbd62151eef6720c
SHA512 5bd34fbc2a2d1c19ba0c5baeb4ae636057d38e87912c167507a31eaad6a57f16dd62971bab7d90b797356d26047cdc91dc2c15e95edf49a66e6d644568ccf956

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8cd148597f9cddd123d42b1b1acffa5
SHA1 3c56759b1d49a5b50c4c35aaf04f1afb24a2e2b3
SHA256 2d66fb9d3dd192aa1db06fd6ed41e4e61b5129d8f99ebd83eab9ce53b45d929c
SHA512 b36927a99fb6bd0d6691cc46a2201f58987e147d402e3c345de8ed1e8905c11561413f04eb840c4c7b52c707f4e52ab914823be4d7596b2a94a9149b0bf1e50d

memory/2820-366-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2820-365-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2820-363-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

110s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/5160-0-0x00007FFD2C7F3000-0x00007FFD2C7F5000-memory.dmp

memory/5160-1-0x000002AD14930000-0x000002AD14970000-memory.dmp

memory/5160-2-0x00007FFD2C7F0000-0x00007FFD2D2B1000-memory.dmp

memory/5160-4-0x00007FFD2C7F0000-0x00007FFD2D2B1000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240729-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogFiles\AIT\RCXDFDA.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\System32\LogFiles\AIT\RCXDFEB.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\System32\LogFiles\AIT\1610b97d3ab4a7 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\101b941d020240 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDDB6.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXDDC7.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File created C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCXDB82.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
File opened for modification C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\RCXDB93.tmp C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2124 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 2124 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 2124 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 1828 wrote to memory of 1360 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1828 wrote to memory of 1360 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1828 wrote to memory of 1360 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1828 wrote to memory of 1900 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1828 wrote to memory of 1900 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1828 wrote to memory of 1900 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1360 wrote to memory of 1804 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 1360 wrote to memory of 1804 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 1360 wrote to memory of 1804 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 1804 wrote to memory of 1596 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1804 wrote to memory of 1596 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1804 wrote to memory of 1596 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1804 wrote to memory of 2436 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1804 wrote to memory of 2436 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1804 wrote to memory of 2436 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 1596 wrote to memory of 2696 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 1596 wrote to memory of 2696 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 1596 wrote to memory of 2696 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe
PID 2696 wrote to memory of 352 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 352 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 352 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 1520 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 1520 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 2696 wrote to memory of 1520 N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe C:\Windows\System32\WScript.exe
PID 352 wrote to memory of 1836 N/A C:\Windows\System32\WScript.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe

"C:\Users\Admin\AppData\Local\Temp\1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\inf\.NET CLR Networking 4.0.0.0\0019\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\LogFiles\AIT\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74123978-7af5-4e83-b54f-7598187cd117.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\837d2091-babc-439f-bac8-c244cf353bb2.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\701fdcff-39ed-4937-b20b-f144a96e339d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac3bc1b8-82f6-4006-af92-ad65c18cf17c.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f924f5-ddfa-4ac6-b21f-cfa0976d6ab8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\000b1f31-6489-410a-81a3-dea3ba1b618c.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15a77a32-d2ee-42c9-9229-56f5a29bfc5f.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5ad544e-176e-4f7e-b20d-a2f1d3a09965.vbs"

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02460290-6983-4422-8cd2-37c14db1ca5b.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\373353a3-408c-4e25-84ad-f9783ac1fc3f.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0889572.xsph.ru udp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp
RU 141.8.197.42:80 a0889572.xsph.ru tcp

Files

memory/2124-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

memory/2124-1-0x00000000011E0000-0x0000000001AD8000-memory.dmp

memory/2124-2-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2124-3-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

memory/2124-4-0x0000000000460000-0x000000000046E000-memory.dmp

memory/2124-5-0x0000000000470000-0x000000000047E000-memory.dmp

memory/2124-8-0x0000000000490000-0x0000000000498000-memory.dmp

memory/2124-7-0x0000000000520000-0x000000000053C000-memory.dmp

memory/2124-9-0x0000000000540000-0x0000000000550000-memory.dmp

memory/2124-12-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/2124-11-0x0000000000B10000-0x0000000000B18000-memory.dmp

memory/2124-10-0x0000000000550000-0x0000000000566000-memory.dmp

memory/2124-13-0x0000000000B50000-0x0000000000B5C000-memory.dmp

memory/2124-15-0x0000000000B40000-0x0000000000B50000-memory.dmp

memory/2124-14-0x0000000000B20000-0x0000000000B28000-memory.dmp

memory/2124-6-0x0000000000480000-0x0000000000488000-memory.dmp

memory/2124-16-0x0000000000B60000-0x0000000000B6A000-memory.dmp

memory/2124-17-0x0000000000B70000-0x0000000000BC6000-memory.dmp

memory/2124-20-0x0000000000C60000-0x0000000000C6C000-memory.dmp

memory/2124-23-0x0000000000C80000-0x0000000000C92000-memory.dmp

memory/2124-21-0x0000000000C70000-0x0000000000C78000-memory.dmp

memory/2124-19-0x0000000000C50000-0x0000000000C58000-memory.dmp

memory/2124-24-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

memory/2124-18-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

memory/2124-27-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

memory/2124-29-0x0000000000D00000-0x0000000000D08000-memory.dmp

memory/2124-30-0x000000001AFF0000-0x000000001AFFC000-memory.dmp

memory/2124-28-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

memory/2124-34-0x00000000011C0000-0x00000000011CE000-memory.dmp

memory/2124-33-0x00000000011B0000-0x00000000011B8000-memory.dmp

memory/2124-39-0x000000001B400000-0x000000001B40C000-memory.dmp

memory/2124-38-0x000000001B020000-0x000000001B02A000-memory.dmp

memory/2124-37-0x000000001B010000-0x000000001B018000-memory.dmp

memory/2124-36-0x000000001B000000-0x000000001B00C000-memory.dmp

memory/2124-35-0x00000000011D0000-0x00000000011D8000-memory.dmp

memory/2124-32-0x00000000011A0000-0x00000000011AE000-memory.dmp

memory/2124-31-0x0000000001190000-0x000000000119A000-memory.dmp

memory/2124-26-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

memory/2124-25-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCXD95F.tmp

MD5 5d8505501b7faa4c7e541b0a32467a58
SHA1 ed0b9de10c38774af49d9279e25a8958817f33a7
SHA256 1b64ed84e05604e07552ae57fe9f150e3ca6c2da17c4b4e3bef01d5d023d1bca
SHA512 a1fb110b16700001f75d4f74d93746349b5e2e78d4a5dde84c00ffe4eeed914cf7a3702de507c9a287f6df54a4cc0a4010a6bc28e4b641e8d5dcf20db6a302d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7058a27c3ca227c416ab095df0827719
SHA1 ab0000c5a59ffda7cfc2fe44df51b0c4be102b1a
SHA256 24ebad3674fd7a297324917081dbbe9a54aad659ef470f920d6cf63a11411e13
SHA512 293c98de66f862c7232db5ce0efcdb9a2e5c6556813ea1e94a7b33c8e38f75146fe80ba98fa2270b08e06faaba44d067961313011243420921851aeb26cd40c5

memory/2300-121-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/1828-138-0x0000000001330000-0x0000000001C28000-memory.dmp

memory/2008-136-0x00000000028E0000-0x00000000028E8000-memory.dmp

memory/2124-139-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\837d2091-babc-439f-bac8-c244cf353bb2.vbs

MD5 9b4aec1e6db2351915b67e34d4166584
SHA1 e65be07846c7638912e6a8f1fc6eb418f9c7353f
SHA256 1069c6c5fbcfe1fb22dd7cd913314fd6e12bf086a1b5a04fe9aada89729b5c05
SHA512 420485e8f19cbc3437371cba52acd6b965f9974905a696ba601c0ba86be176f0ae47fee76c250c13679204bdb85e0ee0b575ae6423278b0ff181d82ec573bf65

C:\Users\Admin\AppData\Local\Temp\74123978-7af5-4e83-b54f-7598187cd117.vbs

MD5 6a5183b0184e3f3a699c647ba2c0bbef
SHA1 c6d453b8bdbc9e6f590ca932b42aff4bac33a4e7
SHA256 10dd2dbae0f415178d5f425302172cb89fe7cbd4248fa34a184a7aead9d890ee
SHA512 5778f5d8ca0f8e25a4fba9712687506a3a770c31c692ed186992d82883aa7ec9904e3f6f1098de2a4bd8d5342fbb2ff44c735650f715ff2da6eca86029d7d85f

memory/1804-166-0x0000000001220000-0x0000000001276000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\701fdcff-39ed-4937-b20b-f144a96e339d.vbs

MD5 61c213c910399afd52d8e43f4b202ec5
SHA1 26ffd26405b47111ca48f6a44cf6fbc97ad6a770
SHA256 b76aae388ae995d8068857d7e94a35a209981acfc5d3264506131248e5e55c21
SHA512 693bdd1b2661fbb856ab09921d5fcb0308b12af1dcad5ac218d7ae13d5f01bd8e2e037929872e6f8665add941ca2723fa04314c18507decca8290369c1676b82

memory/2696-179-0x000000001B4A0000-0x000000001B4F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\80f924f5-ddfa-4ac6-b21f-cfa0976d6ab8.vbs

MD5 7f06bd0ac17e5a8103701b8395982932
SHA1 43897cebb416cb0bf7176b7a2d21971366308764
SHA256 f50b25d551e6f9defe4650d8ab5398494926910a415b8044386ab3e6d9f2ba6f
SHA512 5959b9a6f61eb0ab50ec67c71799d8ed3e33da23628e54b1bba40f4fe831ea9f077e81c99b0cbd72093caf5d05954a027bef55781c7d1819f924358294ae0f01

C:\Users\Admin\AppData\Local\Temp\15a77a32-d2ee-42c9-9229-56f5a29bfc5f.vbs

MD5 9fd5a289cbb45bd2aee9fd6952bb20dd
SHA1 c74466133c0c6492bce6e1f33783a665461e3e2b
SHA256 55c84b1d439937e3896b25fba6db9faccd0b6647688b38e9dbbe6911b05e882f
SHA512 0f2606099305020f7505ef8640665842ff24e3aba6102d2ee2a605e5ae6bf35db983347f493a94127242b0ad095185e5742c5e8271ed9da50f19b16ed99ef1fb

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsm.exe

MD5 7f21be9ce89cbb8cb81f0008a24802ee
SHA1 6628cc6ce841bcfcc5d5e87284d22196d15e0490
SHA256 3ad53bdfffb31bbe733c2a9866c60f0a20d2edb5845743d576e1a4b4c0b1b441
SHA512 a285c892fe313478c34b08ed5ae3ede070ae6e5c2e2d4e7c8319a58b5a804ce401d31f5a28e3d55c4ffa421bd94d0c5668eacc5052bb79a6c935654ef105995f

memory/2416-204-0x0000000000C30000-0x0000000000C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6dde813ff7286e8839024e617617a509c69bce29.exe

MD5 f541550e30e6948fa06af288942aad20
SHA1 c1ecea8fbeb749e72c2a6200ec55efd8896c96a1
SHA256 8c898fe79f90a997df501ee29f4c711a29552ec7effbc2b693b8f32246209d9d
SHA512 6f7756804daf1c7af49ba3e303eb34e6dee38f34b0605090fd97ac7366608f36d5a2266e3458910650d08e401f9822ac01bbdd41d8dacfaeffb0aeb3d550b9dc

C:\Users\Admin\AppData\Local\Temp\02460290-6983-4422-8cd2-37c14db1ca5b.vbs

MD5 a1bf9b134e6974f40e020caab67148ad
SHA1 3634201440362fc1cdbf1f0f485efaf42eed81de
SHA256 4ee43f20b88421e4a131ea67184c2c7e05eb7e1643cac0fa6d8ef0a12a621b6f
SHA512 16b668b9632196b4c81f3b13fdb55cae2d1e2f5fe944b7caa0f5e31767b0db015254159378d87918a6cd681054f8dcd3d16c6313c20f9d6ca4ade15981121d77

Analysis: behavioral25

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240903-en

Max time kernel

119s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Network

N/A

Files

memory/2172-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

memory/2172-1-0x0000000000EB0000-0x00000000010BA000-memory.dmp

memory/2172-2-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2172-3-0x0000000000550000-0x000000000055E000-memory.dmp

memory/2172-4-0x0000000000560000-0x000000000056E000-memory.dmp

memory/2172-5-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

85s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe

"C:\Users\Admin\AppData\Local\Temp\1bb302f6b26022b9f405c4a06c165b236837688e94ea312a231c8f780e63d2b3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/2352-0-0x00007FFF87663000-0x00007FFF87665000-memory.dmp

memory/2352-1-0x0000000000E40000-0x000000000104A000-memory.dmp

memory/2352-2-0x00007FFF87660000-0x00007FFF88121000-memory.dmp

memory/2352-3-0x0000000001910000-0x000000000191E000-memory.dmp

memory/2352-4-0x0000000001920000-0x000000000192E000-memory.dmp

memory/2352-6-0x00007FFF87660000-0x00007FFF88121000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240903-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Umbral family

umbral

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe

"C:\Users\Admin\AppData\Local\Temp\1be2b92ceabc55905ef2d5a4d28e28f80931887ca1b7aa2557775e09402d36ae.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
GB 172.217.16.227:443 gstatic.com tcp

Files

memory/2388-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

memory/2388-1-0x00000000013E0000-0x0000000001420000-memory.dmp

memory/2388-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

memory/2388-3-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

memory/2388-4-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\sbietrcl.exe" C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4836 set thread context of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 1104 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 1104 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe
PID 4836 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe

"C:\Users\Admin\AppData\Local\Temp\1c2345047abfb5daed017769f13254053b7c8cfe14027982065835c6a4bc9aa0.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp
RU 213.183.58.19:4000 tcp

Files

memory/1104-0-0x0000000074D52000-0x0000000074D53000-memory.dmp

memory/1104-1-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/1104-2-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/1104-5-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/1104-6-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/1104-18-0x0000000074D52000-0x0000000074D53000-memory.dmp

memory/1104-19-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/1104-20-0x0000000074D50000-0x0000000075301000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\sbietrcl.exe

MD5 3dde06982003b0e533a684df3964d63e
SHA1 13247f80d6a518716b9f121591d1eeea814fc680
SHA256 1e9f626bab720bb552f865e01a7f3b33edb848047fdcf0404d9864c7bc9088bd
SHA512 3aafe2560ba495366749738aea8e75ee415f50ef69236a2b10086711a214fa68bdc963ffec4d304dd9fc6fd6a1272451023e5862aaa7f7ef13b36242425e10af

memory/1104-31-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4836-32-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4836-33-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4836-34-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/4836-35-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/5052-39-0x0000000000400000-0x0000000000417000-memory.dmp

memory/5052-46-0x0000000000400000-0x0000000000417000-memory.dmp

memory/4836-47-0x0000000074D50000-0x0000000075301000-memory.dmp

memory/5052-45-0x0000000000400000-0x0000000000417000-memory.dmp

memory/5052-41-0x0000000000400000-0x0000000000417000-memory.dmp

memory/5052-44-0x0000000000400000-0x0000000000417000-memory.dmp

memory/5052-36-0x0000000000400000-0x0000000000417000-memory.dmp

memory/5052-50-0x0000000000400000-0x0000000000417000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

143s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Windows\INF\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Windows\INF\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Windows\INF\csrss.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Windows\INF\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\INF\csrss.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\INF\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\INF\csrss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\fr-FR\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\RCX8EA8.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Common Files\RCX95D3.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Common Files\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\RCX97D8.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXA6E7.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\RCXA6E8.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX9D59.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX9DC8.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\reports\RCX9FCD.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\edge_BITS_4648_225925476\RCXA2AE.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\edge_BITS_4648_225925476\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\reports\RCX9FCC.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\edge_BITS_4648_225925476\RCXA1E2.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\MsEdgeCrashpad\reports\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\Common Files\RCX9564.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\RCX97D7.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Common Files\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\Common Files\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\RCX8EA7.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\csrss.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File created C:\Windows\INF\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Windows\INF\RCX9A5A.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Windows\INF\RCX9AD8.tmp C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
File opened for modification C:\Windows\INF\csrss.exe C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings C:\Windows\INF\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings C:\Windows\INF\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings C:\Windows\INF\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings C:\Windows\INF\csrss.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A
N/A N/A C:\Windows\INF\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\INF\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\INF\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\INF\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\INF\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 5248 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5248 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5372 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5676 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5676 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5300 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5300 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5416 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5340 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5340 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5172 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5788 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\cmd.exe
PID 1316 wrote to memory of 5812 N/A C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe C:\Windows\System32\cmd.exe
PID 5812 wrote to memory of 3380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5812 wrote to memory of 3380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5812 wrote to memory of 1240 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\csrss.exe
PID 5812 wrote to memory of 1240 N/A C:\Windows\System32\cmd.exe C:\Windows\INF\csrss.exe
PID 1240 wrote to memory of 2820 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 1240 wrote to memory of 2820 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 1240 wrote to memory of 1624 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 1240 wrote to memory of 1624 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 2820 wrote to memory of 4348 N/A C:\Windows\System32\WScript.exe C:\Windows\INF\csrss.exe
PID 2820 wrote to memory of 4348 N/A C:\Windows\System32\WScript.exe C:\Windows\INF\csrss.exe
PID 4348 wrote to memory of 2100 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 4348 wrote to memory of 2100 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 4348 wrote to memory of 4316 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 4348 wrote to memory of 4316 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 2100 wrote to memory of 1364 N/A C:\Windows\System32\WScript.exe C:\Windows\INF\csrss.exe
PID 2100 wrote to memory of 1364 N/A C:\Windows\System32\WScript.exe C:\Windows\INF\csrss.exe
PID 1364 wrote to memory of 3756 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 1364 wrote to memory of 3756 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 1364 wrote to memory of 4708 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 1364 wrote to memory of 4708 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 3756 wrote to memory of 2376 N/A C:\Windows\System32\WScript.exe C:\Windows\INF\csrss.exe
PID 3756 wrote to memory of 2376 N/A C:\Windows\System32\WScript.exe C:\Windows\INF\csrss.exe
PID 2376 wrote to memory of 2224 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 2376 wrote to memory of 2224 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 2376 wrote to memory of 988 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe
PID 2376 wrote to memory of 988 N/A C:\Windows\INF\csrss.exe C:\Windows\System32\WScript.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\INF\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe

"C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\INF\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\INF\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78578\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MsEdgeCrashpad\reports\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4648_225925476\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K09nVBHGsQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\INF\csrss.exe

"C:\Windows\INF\csrss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f43129-4b96-4f47-a1b4-cc23f1c103c5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d13c786d-1d9f-4833-9fef-1ce160009d03.vbs"

C:\Windows\INF\csrss.exe

C:\Windows\INF\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7338981a-3da8-4f45-96a4-acbb0e64d018.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaee8a08-0687-48e3-b567-a6b41338d915.vbs"

C:\Windows\INF\csrss.exe

C:\Windows\INF\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4559ebf-c0b9-4a78-b16f-669dce3f4b5d.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc942405-30cd-4116-b9a2-f422d2dcd0d5.vbs"

C:\Windows\INF\csrss.exe

C:\Windows\INF\csrss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306970e6-f5bb-4ff6-b5dc-056434e19e15.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\054d82fa-6662-4337-8b25-d6c6956d07fe.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 46.3.197.86:80 tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp
DE 46.3.197.86:80 tcp

Files

memory/1316-0-0x00007FF8ABCC3000-0x00007FF8ABCC5000-memory.dmp

memory/1316-1-0x0000000000AF0000-0x0000000000CDA000-memory.dmp

memory/1316-2-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp

memory/1316-6-0x0000000002E00000-0x0000000002E10000-memory.dmp

memory/1316-5-0x0000000001490000-0x0000000001498000-memory.dmp

memory/1316-7-0x0000000002E40000-0x0000000002E56000-memory.dmp

memory/1316-9-0x0000000002E60000-0x0000000002EB6000-memory.dmp

memory/1316-8-0x0000000002E20000-0x0000000002E2A000-memory.dmp

memory/1316-13-0x000000001B9B0000-0x000000001B9C2000-memory.dmp

memory/1316-11-0x0000000002EC0000-0x0000000002EC8000-memory.dmp

memory/1316-10-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

memory/1316-4-0x000000001BED0000-0x000000001BF20000-memory.dmp

memory/1316-3-0x0000000002DE0000-0x0000000002DFC000-memory.dmp

memory/1316-15-0x000000001BF40000-0x000000001BF4C000-memory.dmp

memory/1316-20-0x000000001C140000-0x000000001C14C000-memory.dmp

memory/1316-19-0x000000001C130000-0x000000001C13C000-memory.dmp

memory/1316-18-0x000000001C120000-0x000000001C128000-memory.dmp

memory/1316-17-0x000000001C110000-0x000000001C11E000-memory.dmp

C:\Program Files\Common Files\backgroundTaskHost.exe

MD5 192f0f1221e376146e725a4d23ee69a0
SHA1 9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff
SHA256 019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d
SHA512 daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

C:\7330c8a20692d0b35002ea5a\StartMenuExperienceHost.exe

MD5 d38f2b4edf0a2d92da9a09dd70d2cf37
SHA1 8bb8d4d545da1c85f4828ddcd67983b6faa4dc26
SHA256 2310585595777afba7f5918c1600f0e717da6277d5f2573445be74a890bd4a0c
SHA512 87e9ade45737b2b75eaa121bdf9f3af459752e8d9787ad27a502d4e80fb6af5e523eaa2ed447a7315bee850f36794cd8329970be25e99e98ec098fab4f1df350

memory/1316-16-0x000000001C100000-0x000000001C10A000-memory.dmp

memory/1316-14-0x000000001CA00000-0x000000001CF28000-memory.dmp

C:\Program Files\Common Files\backgroundTaskHost.exe

MD5 6faff46046ba4e35aaac24654382aaf1
SHA1 7ab205f4c2cd3dec0955f7283f20cc9ce9b32057
SHA256 8320003cdab3fa348c22e15a1da150dad377039f4ab348c7c5fb24a451faf6a3
SHA512 06f42a846f51d5bf1efc28bc7304f29cf267f5be3d28bca39d812aced0c9156544fa080a4ad51024849dcac5f423dbcac58ad02fcaeeee83bd0cf760a558e844

C:\Program Files (x86)\Windows Sidebar\Gadgets\lsass.exe

MD5 8064fd807b0a95217b4310fa0f86b6b8
SHA1 686474ccf2248cad9ff138384929a5815887cada
SHA256 a60ddfcd566a760aa8d5429a13d92a9be4fc7a48243d4ee8b3b8769a7bbab4ef
SHA512 695bf4e1f3f91997e742172e48dff7bfed870242778c8940effb942e36a93a4f0fe1f228c0fd0a9dd621f1bb69336e1a7af3d560e523b224f1d2f942862d72ac

memory/1316-182-0x00007FF8ABCC3000-0x00007FF8ABCC5000-memory.dmp

memory/1316-206-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp

C:\7330c8a20692d0b35002ea5a\RuntimeBroker.exe

MD5 af1ea42c5a939898dec638a3e3bafe89
SHA1 e1198b426a010c52d5d819d4e3549b7fd9aedf9c
SHA256 297fa09f43979245eb68d51b056070d866ba499bbdba48002f510929a30d9529
SHA512 cedcff98f50e4744780d37878d3df5894a03c68c5181a4863184044ce0042f5bdf75f1e24b5cc18a1796e5f4a6e538e4d5185e57f4a21ef6a2b8050c36551d81

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smsen4sv.z3u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1316-231-0x00007FF8ABCC0000-0x00007FF8AC781000-memory.dmp

memory/5676-241-0x000001F896DF0000-0x000001F896E12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\K09nVBHGsQ.bat

MD5 9de1f780a0d76f5cf665dd3e9b4ee4fb
SHA1 78f560b23e20723d73e24e75fb30244d40913bcb
SHA256 4dacf51d0cfe3961fa0cc7cc035d288de7a32a80a3f0fc5eabaa98962e5e7f53
SHA512 a08b0d35cfc510451432330bd045efd76f1cb02a404d33307389744f837ef2ef33adcf90ff4548269a6c176047bcefedf31116b3d588cb6d4ca4de5950a346c4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2044ef36c414ed6e6c991e5fbe7d5bf1
SHA1 0dbd4be869af1290a771fa295db969dc14b2a1fc
SHA256 1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6
SHA512 304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaf0080989fabad865a080216418fbf2
SHA1 935075309ff07f95b5c2ff643661fef989526e15
SHA256 86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c
SHA512 21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c8fd95453fe0d2e0f6d8e5ac03994b1
SHA1 d9811cf9d2b0d0ce3387fd79462cd592b005a634
SHA256 232dac927d663f4ed67a4f005da093bc9865c323767c29c3b4a21797f4a60e58
SHA512 f334216c706e96e85910bc14e7eeec0da3e6f4e9a8620108c938d997266939170aabfdfddd9830f454a34d0db503f8f0bbe63c910007bfd03f294f8a34945810

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c3cddab7d289f65843ac7ee436ff50d
SHA1 19046a0dc416df364c3be08b72166becf7ed9ca9
SHA256 c94ea9a9d0877a48ade47f77733be15871512f7aded45a211eb636bdcf7e45a1
SHA512 45c710a959f67ed05c25709c24887a4d5e5909e94f2012bd1cad64b32729fafea6f6628b2552f36c9d98bf8a1ddf50bb84d92d6e1cb15f20b2a74739ff19c9ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3fe089fecc1a7897c40a12707d788ca9
SHA1 97f8ab9020333729ec191b3dbd044c57227b84fc
SHA256 70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c
SHA512 4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6bc26d684f5b18f9220f5487ef7791ec
SHA1 484f4f11b2143a750753f24c413380c2731f28f2
SHA256 9381ad930c4656a680f340a2892781ae12b9eb6eccc1a50a0ca40467cf38f35c
SHA512 2a69e4c58808c4bac49ccd4abe75b79c07482855940d13937371279771e48d1127dde9471bcc2ea2fdc4e93a8434663e4f42e01a1d7ee4c1eb2803aa57450459

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 82da496008a09abc336bf9adbe6453dd
SHA1 a57df6c2432c6bf7ab549a4333e636f9d9dfebd2
SHA256 69def38d01c34269e4e7be79130fc62befb01815c783fef6d4dc116672306810
SHA512 86d1efaf512d5ffc0af6a4508e63ffaa646971192762461957c0a544e77f9f24bbd0576927a6a996a87f147bcd6562bdc27a57caac6aad64354f485a7a7a7197

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ea6fe6004d9717ca991a4a5fd8873443
SHA1 af50625293a3f23d13dedd6cdb64ccf374ec5c85
SHA256 81e411c6b8ba866564687309bb2aa45431e595ce1aba231f6abb1c34169355bd
SHA512 0214e67ddac786e31f3d2f5665f6c15f1dd87c00d403b38ca77260f04bad8b29402ef40c5219af62af27ae05590ef375d7f6a9eee51ef529fd2ecdc80a63cf34

memory/1240-407-0x0000000000CD0000-0x0000000000EBA000-memory.dmp

C:\Windows\INF\csrss.exe

MD5 e65c46812829dbd42ad6b83b86264516
SHA1 573a8d91f80af72a0fb2f3d1d3703d8d9af2d521
SHA256 791aa8ff83acfea81ad9677705472f449fa2603fea30d41786afb8cb46f53fbf
SHA512 d92c4429e8fb676cb633299be2e99705ea0c42a4e51a0a39b820a301acaa207be8fd7ee9864034a6a604a1f55cbb8e1d386fa89aeb343324289b4500966f7803

memory/1240-408-0x000000001D6A0000-0x000000001D6B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d13c786d-1d9f-4833-9fef-1ce160009d03.vbs

MD5 598aed3da2b9bdd3052dbd5a96dd9bee
SHA1 2f5f7aca2e053000f16fc5a599a690c2147cccd6
SHA256 ed446bc64ca3f525e8051e13939e49bc49bf157e36393e8fa9c3e37ac1986d5a
SHA512 ba2457c986c110d6307252d3e52e41d1d76fbf6fef5d466c90e8a576a574a00e6426500bdb1ae361437b0bfa0bab54fdf93318abf67387b0eb6c4a3d80c0ee7a

C:\Users\Admin\AppData\Local\Temp\61f43129-4b96-4f47-a1b4-cc23f1c103c5.vbs

MD5 61701634730f703141dd8ac5155425c5
SHA1 34569d1849fc5e858b274197baf73eaeee196b63
SHA256 0f71765886ac465cda927bb0140766cc36729335b77ffac5d72ed5138606b05a
SHA512 6b5eb486837ede8f5fcaf070380589e9d41fa7c9beacce5329e532d689da65b13d6fc0c28851aa701970c8dcf923669d6b5277723db4eae0603b5a4ecbe2e5db

memory/1240-418-0x000000001E260000-0x000000001E362000-memory.dmp

memory/1240-421-0x000000001E260000-0x000000001E362000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 364147c1feef3565925ea5b4ac701a01
SHA1 9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef
SHA256 38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b
SHA512 bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

C:\Users\Admin\AppData\Local\Temp\7338981a-3da8-4f45-96a4-acbb0e64d018.vbs

MD5 5c1222a45892d80248b4f364bc79d694
SHA1 72c131a0988d4649d76857bc87a4b0ad384de6c7
SHA256 0f054f4c59706be1146af6783217d96c735a9af1d26951b0280d99469fd65f58
SHA512 8de7ead3649e6b1ca6384513a80d776a3cc763647b233a8847cb54be221e934153afd8bd519ab2182665c45397b0e9bbdad769a59e6e266cca4e727b487ff5f4

C:\Users\Admin\AppData\Local\Temp\b4559ebf-c0b9-4a78-b16f-669dce3f4b5d.vbs

MD5 920ba622e14d10ae01909b718cecaa28
SHA1 e1cf2550b8d6a6bb8a4595ae0eac75a6f3c6f218
SHA256 4b7a7739c921345a3559beacfb1c3a28feba40184efba222be3560678ff6a1d3
SHA512 54c1c529b893e272ffbbb714a5dbb297c924b707bf6eb6e1a6e6214cbb6f7dd1e051c013c53f5deeba6b7c9d6b072e2d1623d32a25f995aa847d3223855a7996

C:\Users\Admin\AppData\Local\Temp\306970e6-f5bb-4ff6-b5dc-056434e19e15.vbs

MD5 259d7e6d9a37a7dfc6436643d2875afc
SHA1 fe0a1bd28418c179438fd325cdf3b71d48140c1e
SHA256 377e4e0909e000fe50cee20e46c6075e88736e3beb191560b3a9163a5baf7413
SHA512 90ca7d2c5f86dbb1aa66ccf8a49aaa739e0e1b6292d309ca3400f524c9f75e7d71ecd43f9552db2151b6c673c656a55c9cd5c223a588d467c04f37070fb30371

Analysis: behavioral14

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win10v2004-20250314-en

Max time kernel

131s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio HD Driver = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Protector.exe" C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe

"C:\Users\Admin\AppData\Local\Temp\1a76abc85db21c92e847aa3562aab0b09c56bdce383b54b6957b78314d4429f9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 iznarf.bplaced.net udp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 162.55.0.137:80 iznarf.bplaced.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
DE 162.55.0.137:80 iznarf.bplaced.net tcp

Files

memory/5220-0-0x00007FFAD6AF5000-0x00007FFAD6AF6000-memory.dmp

memory/5220-1-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-2-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-3-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-4-0x000000001BD70000-0x000000001C23E000-memory.dmp

memory/5220-5-0x000000001C2E0000-0x000000001C37C000-memory.dmp

memory/5220-6-0x000000001C3F0000-0x000000001C452000-memory.dmp

memory/5220-7-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-8-0x0000000000F40000-0x0000000000F48000-memory.dmp

memory/5220-9-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-10-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-13-0x00007FFAD6AF5000-0x00007FFAD6AF6000-memory.dmp

memory/5220-14-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-15-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-16-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

memory/5220-17-0x00007FFAD6840000-0x00007FFAD71E1000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:12

Platform

win10v2004-20250314-en

Max time kernel

146s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a9cd1714a3e518cfd51f84f1be819bf.exe" C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4736 set thread context of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1172 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1172 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4736 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4868 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 4868 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 4868 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe

"C:\Users\Admin\AppData\Local\Temp\1a9cd1714a3e518cfd51f84f1be819bf.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp
MA 196.119.34.23:10000 doddyfire.linkpc.net tcp

Files

memory/1172-0-0x0000000074E72000-0x0000000074E73000-memory.dmp

memory/1172-1-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/1172-2-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/1172-7-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/1172-6-0x0000000074E72000-0x0000000074E73000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 04298def7d2ae8acb8ba44e0657381ed
SHA1 9b15f92468bdf4c49bb27d67b3dd4aa131359517
SHA256 728a4e65086186d13d50ecc219d935a23b9737a0419b2fb995634beea8d64cd6
SHA512 db0778a6e35ed62f7ccf2cd43e9e7da58937bed53e654ce7cc3dc397a800b8d390d626dc038fb7892203499933e52e3ac0d3ec49160e7179a2b02bfa98c1c702

memory/1172-20-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/1172-19-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4736-21-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4736-23-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4736-22-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4868-29-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4868-31-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4868-30-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4736-28-0x0000000074E70000-0x0000000075421000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/4868-24-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4868-32-0x0000000074E70000-0x0000000075421000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2025-03-22 06:08

Reported

2025-03-22 06:11

Platform

win7-20240903-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\System.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Google\RCXEE87.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXF08B.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\System.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\Google\dllhost.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Program Files\Google\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files\Google\RCXEE18.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\RCXF08A.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\LiveKernelReports\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Windows\LiveKernelReports\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\LiveKernelReports\RCXF28F.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\LiveKernelReports\RCXF2FD.tmp C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File opened for modification C:\Windows\LiveKernelReports\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
File created C:\Windows\schemas\EAPHost\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A
N/A N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2164 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 2164 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 2164 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1652 wrote to memory of 2816 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2816 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2816 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2172 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2172 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1652 wrote to memory of 2172 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 2816 wrote to memory of 1536 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 2816 wrote to memory of 1536 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 2816 wrote to memory of 1536 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1536 wrote to memory of 3016 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1536 wrote to memory of 3016 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1536 wrote to memory of 3016 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1536 wrote to memory of 2752 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1536 wrote to memory of 2752 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1536 wrote to memory of 2752 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 3016 wrote to memory of 2608 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 3016 wrote to memory of 2608 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 3016 wrote to memory of 2608 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 2608 wrote to memory of 1860 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 1860 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 1860 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2316 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2316 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 2608 wrote to memory of 2316 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1860 wrote to memory of 1616 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1860 wrote to memory of 1616 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1860 wrote to memory of 1616 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1616 wrote to memory of 1692 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1616 wrote to memory of 1692 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1616 wrote to memory of 1692 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1616 wrote to memory of 1676 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1616 wrote to memory of 1676 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1616 wrote to memory of 1676 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1692 wrote to memory of 1148 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1692 wrote to memory of 1148 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1692 wrote to memory of 1148 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 1148 wrote to memory of 2156 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1148 wrote to memory of 2156 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1148 wrote to memory of 2156 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1148 wrote to memory of 2116 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1148 wrote to memory of 2116 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 1148 wrote to memory of 2116 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe
PID 2156 wrote to memory of 680 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 2156 wrote to memory of 680 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 2156 wrote to memory of 680 N/A C:\Windows\System32\WScript.exe C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
PID 680 wrote to memory of 3056 N/A C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

"C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3808695b-b5ed-4f68-882d-73dc19cc241c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbefcf26-6e9b-4904-be24-4d0495b8aa70.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79b3adbd-e901-4b29-8776-4cc37e88e7a5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71089328-2bda-47a9-8612-45614989461b.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09566802-f660-4893-83ea-be245e37ae25.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4151b8f-1c59-48aa-9584-05f1b7e85770.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28cbfb2c-1464-4e99-9cdb-06860736bb33.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6c89ac4-f539-42f7-a410-3650adea5ad3.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de5dd3f-2d8a-4beb-be72-dde674d9b9da.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\934301f6-9907-49f4-88e9-877d43616079.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f951463-7232-4f2c-8c06-2ec049992cb5.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53f81faa-e186-461c-8df0-4c836a024ec6.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4909cc9-401e-430a-9951-a19e25d569eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f35e3c19-dd68-4a81-839d-98e2fa6c497f.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86781a64-29d8-45ef-8da0-9db19ed3b613.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0017d93c-81a3-4f22-83dc-885878a300a4.vbs"

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb91bc8-5e0f-4a22-bc39-e3340b8e8ba7.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7db610c-d9b1-40e9-93ca-83ad555f386e.vbs"

Network

Country Destination Domain Proto
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 62.109.4.67 tcp
RU 62.109.4.67:80 tcp
RU 62.109.4.67:80 62.109.4.67 tcp

Files

memory/2164-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

memory/2164-1-0x00000000003B0000-0x0000000000552000-memory.dmp

memory/2164-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

memory/2164-3-0x0000000000570000-0x000000000058C000-memory.dmp

memory/2164-7-0x0000000002350000-0x0000000002360000-memory.dmp

memory/2164-10-0x0000000002380000-0x000000000238C000-memory.dmp

memory/2164-16-0x0000000002460000-0x000000000246C000-memory.dmp

memory/2164-15-0x0000000002450000-0x000000000245A000-memory.dmp

memory/2164-14-0x0000000002440000-0x0000000002448000-memory.dmp

memory/2164-13-0x00000000023B0000-0x00000000023B8000-memory.dmp

memory/2164-12-0x00000000023A0000-0x00000000023AE000-memory.dmp

memory/2164-11-0x0000000002390000-0x000000000239A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RCXEC15.tmp

MD5 8b03d1f60bdf0b6465c0623109e7269e
SHA1 33fb1f09f53ca182e1112ed973fce8fa97e4398f
SHA256 1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf
SHA512 8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

memory/2164-9-0x0000000002340000-0x000000000234C000-memory.dmp

memory/2164-8-0x0000000002330000-0x0000000002338000-memory.dmp

memory/2164-6-0x0000000000820000-0x0000000000828000-memory.dmp

memory/2164-5-0x0000000002310000-0x0000000002326000-memory.dmp

memory/2164-4-0x0000000000610000-0x0000000000620000-memory.dmp

C:\Program Files\Google\dllhost.exe

MD5 1b94ffdece2669c380920b6f6fc05787
SHA1 d2210081a0e734f920f20845338f311ae2ec029d
SHA256 e1603ce7be11ee694f2c479fe54d7a1fdb7f4cd722c96335b52f78bfbe0068bd
SHA512 0d34160876ad7d88e2cdaecae5ecba9cd6207c5ee824b61ece89e03dcd8d50383f1659b8f4fe48faf7126c983b4fa73c5855d0273dc697568b92ecc899fb4d2c

C:\Windows\LiveKernelReports\spoolsv.exe

MD5 294e86b19dc9d397ca7bf2a16e52f5e5
SHA1 604013d841fb5af5b06e12a11c3c825c962cb43f
SHA256 cbda464b7c254ef90a7c0261642ff50e850b011de75a25806975ca7bff454644
SHA512 fe50d588f74d06cf8754fcac3dca1e73d8bffb29a9d73852ec1425587ee88b28b7be27b06bdb6a5c4833705678622d95e5b9478cceed21e25f87e878e13acfd4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c181fcabd5d4db82a2965976dc7d0782
SHA1 bf3ed984433d2309f6274ae46ed53ae774a52555
SHA256 6618734d87805a39d74c0ff2780e0222cf8f4149727cd7c0c9f060794da2e7d2
SHA512 6e8bb57e9afe80055f7452a5ad0055937e9a9eca0b4ab9ace7036423158566043e19d9a05c8cd752620beb4dcbd4c4735eba6c93acca94e403191fec80d4a827

memory/1944-98-0x000000001B680000-0x000000001B962000-memory.dmp

memory/1740-99-0x0000000001D80000-0x0000000001D88000-memory.dmp

memory/1652-105-0x00000000009A0000-0x0000000000B42000-memory.dmp

memory/2164-106-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3808695b-b5ed-4f68-882d-73dc19cc241c.vbs

MD5 598490620ecebfdc865ac897e289fe34
SHA1 cd3d0c7126bff41b1c28cdc4fdda641497369b09
SHA256 f8f6edd9accd5e05596d259958388dc90632c91be3cc7a7d33043f68f5fb546e
SHA512 e86d1c7375bf3435d6f8766508cdd2b43577b51ab9e4c00c553ba311040488512022b85109c4dfc1b1cf3cd6314e08cd91aaf9876c235c4fc903ea9f81c6c492

C:\Users\Admin\AppData\Local\Temp\cbefcf26-6e9b-4904-be24-4d0495b8aa70.vbs

MD5 c433ded079144b90f57050978f3f131c
SHA1 032818910fd24c86e433290cd985e2285124ed08
SHA256 c7b455f2f4cd387574b1a5e08ffe6bf841332114ec791cfa95cb202189c6840f
SHA512 3e0f3cc36eaacb5f460847e0a7f264548f8b4fa2f8219cf43826649cf44cb5ea695477f12e0385cbf59677f2e34184f9a626ace5cdcb4017d73db04ecafe4030

memory/1536-117-0x0000000001280000-0x0000000001422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\79b3adbd-e901-4b29-8776-4cc37e88e7a5.vbs

MD5 4fa26e18dd84211a5f425ffc68599744
SHA1 2a431d3a4ead0509d04f88864f134a3f45b1c4c5
SHA256 dd2817a6d0ea657e4f25526c9e02eb0f3a35c65467e437f6e142a41790caa738
SHA512 dd27362ca5d00d89abae86d635c966ad2b16cb7ce6872463fabfe5a111e3c07590d3e04aebc2e478f76f02c2ffec0275e421e65e9ffc48cd3cf80d3de2998509

memory/2608-129-0x0000000001330000-0x00000000014D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\09566802-f660-4893-83ea-be245e37ae25.vbs

MD5 b84093cc5f7dfed6bfd0b0530c2fe26a
SHA1 0e1c988cef300652742b51881bed9df9874a6391
SHA256 43b5368733a79694c5beb409f041ae648df92e84d709d2de161b01a1bcc23a9b
SHA512 d7c33af4f60f62acedd6c217c56d1e1258c69b2ed16a11d8a8df56b32f0dbc4ef995762723839e02871fc403092d93730c137be2053b2c7060bb22b9d32709d7

memory/1616-141-0x00000000003A0000-0x0000000000542000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\28cbfb2c-1464-4e99-9cdb-06860736bb33.vbs

MD5 28a16126ba86c6ff4d4d96d35f5f8dec
SHA1 33392071c3716e4d5b1b8d281038e5fba5d7b8c9
SHA256 4a62a45aeccf7b9c407446fc3af4020621ad0d9e368e1ba904cb58222fa35cc3
SHA512 75250d59230401327ae4fd00be8ae5775ceb66fb45a52339428d283c086a22dcc625eef682c7daa7d01c6f19086a164a88af450ec4f7b537e3910a26d808aa9d

memory/1148-153-0x00000000011F0000-0x0000000001392000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8de5dd3f-2d8a-4beb-be72-dde674d9b9da.vbs

MD5 248fcf85673292ee3b07eb60bb97a5a5
SHA1 bf4ef537bc7f2174f21f1857ecefa8376a18658f
SHA256 02390a71b4f65232d7e7693010c19be1e075518768aa9b5328e8d0ae989f0275
SHA512 36366c40e7f69076ac0f417d80802684d0117ee6c07ba53f227eae8a3dd8edb71629cd67c69fb32bb211628eb3f67d8b8a754f8777ccbcffad71319192277595

C:\Users\Admin\AppData\Local\Temp\1f951463-7232-4f2c-8c06-2ec049992cb5.vbs

MD5 9b600a16f45a6e02253623a25b38ac02
SHA1 65e3ea07cde173acdafd011593b7df7140dae109
SHA256 c835535ab73a752edc1265e9df335378ec4c8d37dddcbf84e8a3104e6bc313c7
SHA512 614b7e1524d2c254a92322ac3c296896283ce029aebff96051bc206159139850189e0338149bb6451c7267475fb1f9c666df0781e1c111aee6c97df8264fc2c1

memory/872-176-0x0000000001390000-0x0000000001532000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d4909cc9-401e-430a-9951-a19e25d569eb.vbs

MD5 02ae326d17895f78243db7ff4c068a5f
SHA1 5c287cbecd700d63e74afd779e8e40195602b2a3
SHA256 cece1dcebe6604fb9a2de65cf8284f7649b172d18bce30695e25fbf61d6d884f
SHA512 0b210a454eebbfd1ea1ffad02f64807d50056730b0620e1213c1092645a89d9f2a986152c833b392135c5496eb7faddcd8edaac05a631263b0d8d525b975f0d2

memory/1504-188-0x0000000000060000-0x0000000000202000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\86781a64-29d8-45ef-8da0-9db19ed3b613.vbs

MD5 fe952d16010a2c097bd65598f8d9dbdb
SHA1 79d89eec2b4f1857953d48dd5b195e5e6282cbfe
SHA256 36a433e227c7356b51ba16dce74fd0e91d2ad229c4774a897364754d737172ef
SHA512 36ff1705116c4c96eb3030af6e6d54136e0214bafcf6232e25224098e617c4c4d5212ff7b98aa85654ee63fdb83f83013c3869d74184f02a57fe83d0d1f9e879

memory/2880-200-0x0000000000CF0000-0x0000000000E92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6cb91bc8-5e0f-4a22-bc39-e3340b8e8ba7.vbs

MD5 953b7b79d97b2c4003b30ff34805cfd1
SHA1 5ba5e444b4dca72c3195d4e1a53641beca6013b3
SHA256 5cb586573c892e50655d46144aec0336898576c67e0eca0e288e28ffb973b475
SHA512 8f9680e8c8228898e3880236fba56076e87769dd75981dba227d2a00b844d8e495dbc39334dcf891a3688c82287d63153e1af25a6004f2fcc5cb4c12f906b76a