fbb98a26d5543ecd8be85870352b7641d151121a4dffa5a5dd53e3fd455886c5

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QI.exe
Size

5.7MB
MD5

71058566c0821ca320639f18c62905f0
SHA1

235e751fb521829628f4df4d43b88e0ed6396a5d
SHA256

fbb98a26d5543ecd8be85870352b7641d151121a4dffa5a5dd53e3fd455886c5
SHA512

f7f7aad683bca495f438ff1fb9a91b02300d624dd3fb8f5491ee4ca7b52ea1b6641ccd12821e07399a1156ac3f6e6a13e62be286e7c66aa89ab226f91e196c1b
SSDEEP

98304:Mtx1TaW8Q9CzAY+mVmDmOaEaJchTNhpLGJMz6coX2XwFUSWPSdmAijGrCvVYusl0:MI/Q9C8YT6aJchTNjGiz7XwFWam7irCH

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 58 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2672	powershell.exe
2756	powershell.exe
2936	powershell.exe
1728	powershell.exe
3000	powershell.exe
2448	powershell.exe
3032	powershell.exe
580	powershell.exe
1988	powershell.exe
2156	powershell.exe
2752	powershell.exe
1464	powershell.exe
1488	powershell.exe
2484	powershell.exe
1516	powershell.exe
2508	powershell.exe
2000	powershell.exe
568	powershell.exe
2308	powershell.exe
1920	powershell.exe
2952	powershell.exe
376	powershell.exe
1224	powershell.exe
2348	powershell.exe
1728	powershell.exe
2604	powershell.exe
1988	powershell.exe
2036	powershell.exe
1476	powershell.exe
544	powershell.exe
320	powershell.exe
1432	powershell.exe
2160	powershell.exe
2888	powershell.exe
2864	powershell.exe
620	powershell.exe
892	powershell.exe
1972	powershell.exe
1248	powershell.exe
1652	powershell.exe
2556	powershell.exe
2140	powershell.exe
2708	powershell.exe
2852	powershell.exe
2660	powershell.exe
580	powershell.exe
2596	powershell.exe
2952	powershell.exe
2320	powershell.exe
1652	powershell.exe
2836	powershell.exe
2656	powershell.exe
2108	powershell.exe
1272	powershell.exe
2332	powershell.exe
376	powershell.exe
2000	powershell.exe
1900	powershell.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 58 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2912	schtasks.exe
2844	schtasks.exe
1384	schtasks.exe
2080	schtasks.exe
1904	schtasks.exe
320	schtasks.exe
2644	schtasks.exe
2020	schtasks.exe
2484	schtasks.exe
2284	schtasks.exe
1580	schtasks.exe
648	schtasks.exe
2636	schtasks.exe
2548	schtasks.exe
544	schtasks.exe
2004	schtasks.exe
2608	schtasks.exe
2580	schtasks.exe
2664	schtasks.exe
3056	schtasks.exe
1540	schtasks.exe
2368	schtasks.exe
380	schtasks.exe
1604	schtasks.exe
2124	schtasks.exe
3020	schtasks.exe
2580	schtasks.exe
2116	schtasks.exe
1132	schtasks.exe
1544	schtasks.exe
2416	schtasks.exe
1676	schtasks.exe
2368	schtasks.exe
720	schtasks.exe
3000	schtasks.exe
2528	schtasks.exe
3032	schtasks.exe
2692	schtasks.exe
2548	schtasks.exe
2012	schtasks.exe
2804	schtasks.exe
2036	schtasks.exe
1384	schtasks.exe
2892	schtasks.exe
1420	schtasks.exe
2688	schtasks.exe
896	schtasks.exe
812	schtasks.exe
1992	schtasks.exe
2872	schtasks.exe
2348	schtasks.exe
1944	schtasks.exe
1544	schtasks.exe
2604	schtasks.exe
2464	schtasks.exe
2668	schtasks.exe
408	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2752	powershell.exe
2508	powershell.exe
376	powershell.exe
2160	powershell.exe
1464	powershell.exe
2660	powershell.exe
1476	powershell.exe
1488	powershell.exe
2000	powershell.exe
1652	powershell.exe
2672	powershell.exe
2448	powershell.exe
2484	powershell.exe
544	powershell.exe
2888	powershell.exe
580	powershell.exe
2348	powershell.exe
3032	powershell.exe
1972	powershell.exe
2756	powershell.exe
1248	powershell.exe
320	powershell.exe
2864	powershell.exe
2836	powershell.exe
3000	powershell.exe
1728	powershell.exe
2000	powershell.exe
1652	powershell.exe
2556	powershell.exe
2140	powershell.exe
568	powershell.exe
2708	powershell.exe
2852	powershell.exe
2308	powershell.exe
1920	powershell.exe
1516	powershell.exe
2332	powershell.exe
2952	powershell.exe
2604	powershell.exe
1988	powershell.exe
376	powershell.exe
2156	powershell.exe
2656	powershell.exe
2108	powershell.exe
1728	powershell.exe
1272	powershell.exe
2596	powershell.exe
2952	powershell.exe
1224	powershell.exe
1988	powershell.exe
620	powershell.exe
2036	powershell.exe
1900	powershell.exe
580	powershell.exe
1432	powershell.exe
2936	powershell.exe
2320	powershell.exe
892	powershell.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2752	2184	QI.exe	28
PID 2184 wrote to memory of 2752	2184	QI.exe	28
PID 2184 wrote to memory of 2752	2184	QI.exe	28
PID 2184 wrote to memory of 2580	2184	QI.exe	30
PID 2184 wrote to memory of 2580	2184	QI.exe	30
PID 2184 wrote to memory of 2580	2184	QI.exe	30
PID 2184 wrote to memory of 1224	2184	QI.exe	32
PID 2184 wrote to memory of 1224	2184	QI.exe	32
PID 2184 wrote to memory of 1224	2184	QI.exe	32
PID 1224 wrote to memory of 2508	1224	QI.EXE	33
PID 1224 wrote to memory of 2508	1224	QI.EXE	33
PID 1224 wrote to memory of 2508	1224	QI.EXE	33
PID 1224 wrote to memory of 2416	1224	QI.EXE	35
PID 1224 wrote to memory of 2416	1224	QI.EXE	35
PID 1224 wrote to memory of 2416	1224	QI.EXE	35
PID 1224 wrote to memory of 2840	1224	QI.EXE	37
PID 1224 wrote to memory of 2840	1224	QI.EXE	37
PID 1224 wrote to memory of 2840	1224	QI.EXE	37
PID 2840 wrote to memory of 376	2840	QI.EXE	38
PID 2840 wrote to memory of 376	2840	QI.EXE	38
PID 2840 wrote to memory of 376	2840	QI.EXE	38
PID 2840 wrote to memory of 2484	2840	QI.EXE	40
PID 2840 wrote to memory of 2484	2840	QI.EXE	40
PID 2840 wrote to memory of 2484	2840	QI.EXE	40
PID 2840 wrote to memory of 1532	2840	QI.EXE	42
PID 2840 wrote to memory of 1532	2840	QI.EXE	42
PID 2840 wrote to memory of 1532	2840	QI.EXE	42
PID 1532 wrote to memory of 2160	1532	QI.EXE	43
PID 1532 wrote to memory of 2160	1532	QI.EXE	43
PID 1532 wrote to memory of 2160	1532	QI.EXE	43
PID 1532 wrote to memory of 544	1532	QI.EXE	45
PID 1532 wrote to memory of 544	1532	QI.EXE	45
PID 1532 wrote to memory of 544	1532	QI.EXE	45
PID 1532 wrote to memory of 1252	1532	QI.EXE	47
PID 1532 wrote to memory of 1252	1532	QI.EXE	47
PID 1532 wrote to memory of 1252	1532	QI.EXE	47
PID 1252 wrote to memory of 1464	1252	QI.EXE	48
PID 1252 wrote to memory of 1464	1252	QI.EXE	48
PID 1252 wrote to memory of 1464	1252	QI.EXE	48
PID 1252 wrote to memory of 2872	1252	QI.EXE	50
PID 1252 wrote to memory of 2872	1252	QI.EXE	50
PID 1252 wrote to memory of 2872	1252	QI.EXE	50
PID 1252 wrote to memory of 2884	1252	QI.EXE	52
PID 1252 wrote to memory of 2884	1252	QI.EXE	52
PID 1252 wrote to memory of 2884	1252	QI.EXE	52
PID 2884 wrote to memory of 2660	2884	QI.EXE	53
PID 2884 wrote to memory of 2660	2884	QI.EXE	53
PID 2884 wrote to memory of 2660	2884	QI.EXE	53
PID 2884 wrote to memory of 380	2884	QI.EXE	55
PID 2884 wrote to memory of 380	2884	QI.EXE	55
PID 2884 wrote to memory of 380	2884	QI.EXE	55
PID 2884 wrote to memory of 1436	2884	QI.EXE	57
PID 2884 wrote to memory of 1436	2884	QI.EXE	57
PID 2884 wrote to memory of 1436	2884	QI.EXE	57
PID 1436 wrote to memory of 1476	1436	QI.EXE	58
PID 1436 wrote to memory of 1476	1436	QI.EXE	58
PID 1436 wrote to memory of 1476	1436	QI.EXE	58
PID 1436 wrote to memory of 2348	1436	QI.EXE	60
PID 1436 wrote to memory of 2348	1436	QI.EXE	60
PID 1436 wrote to memory of 2348	1436	QI.EXE	60
PID 1436 wrote to memory of 1164	1436	QI.EXE	62
PID 1436 wrote to memory of 1164	1436	QI.EXE	62
PID 1436 wrote to memory of 1164	1436	QI.EXE	62
PID 1164 wrote to memory of 1488	1164	QI.EXE	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\QI.exe
"C:\Users\Admin\AppData\Local\Temp\QI.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\QI.EXE
  "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\QI.EXE
    "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:376
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\QI.EXE
      "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
      4⤵
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:544
    - - C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        7⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        8⤵
        Creates scheduled task(s)
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        8⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        9⤵
        Adds Run key to start application
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        10⤵
        Creates scheduled task(s)
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        10⤵
        Adds Run key to start application
        
        PID:1868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        11⤵
        Creates scheduled task(s)
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        11⤵
        Adds Run key to start application
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        12⤵
        Adds Run key to start application
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        13⤵
        Creates scheduled task(s)
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        13⤵
        Adds Run key to start application
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        14⤵
        Creates scheduled task(s)
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        14⤵
        Adds Run key to start application
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        15⤵
        Creates scheduled task(s)
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        15⤵
        Adds Run key to start application
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        16⤵
        Creates scheduled task(s)
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        16⤵
        Adds Run key to start application
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        17⤵
        Creates scheduled task(s)
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        17⤵
        Adds Run key to start application
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        18⤵
        Creates scheduled task(s)
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        18⤵
        Adds Run key to start application
        
        PID:920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        19⤵
        Creates scheduled task(s)
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        19⤵
        Adds Run key to start application
        
        PID:2060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        20⤵
        Creates scheduled task(s)
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        20⤵
        Adds Run key to start application
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        21⤵
        Creates scheduled task(s)
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        21⤵
        Adds Run key to start application
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        22⤵
        Creates scheduled task(s)
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        22⤵
        Adds Run key to start application
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        23⤵
        Creates scheduled task(s)
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        23⤵
        Adds Run key to start application
        
        PID:864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        24⤵
        Creates scheduled task(s)
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        24⤵
        Adds Run key to start application
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        25⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        25⤵
        Creates scheduled task(s)
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        25⤵
        Adds Run key to start application
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        26⤵
        Creates scheduled task(s)
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        26⤵
        Adds Run key to start application
        
        PID:1084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        27⤵
        Creates scheduled task(s)
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        27⤵
        Adds Run key to start application
        
        PID:1160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        28⤵
        Creates scheduled task(s)
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        28⤵
        Adds Run key to start application
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        29⤵
        Creates scheduled task(s)
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        29⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        30⤵
        Creates scheduled task(s)
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        30⤵
        Adds Run key to start application
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        31⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        31⤵
        Creates scheduled task(s)
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        31⤵
        Adds Run key to start application
        
        PID:2384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        32⤵
        Creates scheduled task(s)
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        32⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        33⤵
        Creates scheduled task(s)
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        33⤵
        Adds Run key to start application
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        34⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        34⤵
        Creates scheduled task(s)
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        34⤵
        Adds Run key to start application
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        35⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        35⤵
        Creates scheduled task(s)
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        35⤵
        Adds Run key to start application
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        36⤵
        Creates scheduled task(s)
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        36⤵
        Adds Run key to start application
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        37⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        37⤵
        Creates scheduled task(s)
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        37⤵
        Adds Run key to start application
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        38⤵
        Creates scheduled task(s)
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        38⤵
        Adds Run key to start application
        
        PID:892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        39⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        39⤵
        Creates scheduled task(s)
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        39⤵
        Adds Run key to start application
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        40⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        40⤵
        Creates scheduled task(s)
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        40⤵
        Adds Run key to start application
        
        PID:2508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        41⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        41⤵
        Creates scheduled task(s)
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        41⤵
        Adds Run key to start application
        
        PID:1456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        42⤵
        Creates scheduled task(s)
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        42⤵
        Adds Run key to start application
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        43⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        43⤵
        Creates scheduled task(s)
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        43⤵
        Adds Run key to start application
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        44⤵
        Creates scheduled task(s)
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        44⤵
        Adds Run key to start application
        
        PID:800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        45⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        45⤵
        Creates scheduled task(s)
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        45⤵
        Adds Run key to start application
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        46⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        46⤵
        Creates scheduled task(s)
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        46⤵
        Adds Run key to start application
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        47⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        47⤵
        Creates scheduled task(s)
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        47⤵
        Adds Run key to start application
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        48⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        48⤵
        Creates scheduled task(s)
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        48⤵
        Adds Run key to start application
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        49⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        49⤵
        Creates scheduled task(s)
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        49⤵
        Adds Run key to start application
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        50⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        50⤵
        Creates scheduled task(s)
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        50⤵
        Adds Run key to start application
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        51⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        51⤵
        Creates scheduled task(s)
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        51⤵
        Adds Run key to start application
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        52⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        52⤵
        Creates scheduled task(s)
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        52⤵
        Adds Run key to start application
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        53⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        53⤵
        Creates scheduled task(s)
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        53⤵
        Adds Run key to start application
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        54⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        54⤵
        Creates scheduled task(s)
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        54⤵
        Adds Run key to start application
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        55⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        55⤵
        Creates scheduled task(s)
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        55⤵
        Adds Run key to start application
        
        PID:1696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        56⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        56⤵
        Creates scheduled task(s)
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        56⤵
        Adds Run key to start application
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        57⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        57⤵
        Creates scheduled task(s)
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        57⤵
        Adds Run key to start application
        
        PID:1124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        58⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        58⤵
        Creates scheduled task(s)
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        58⤵
        Adds Run key to start application
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        59⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        59⤵
        Creates scheduled task(s)
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        59⤵
        
        PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
62cba907583dc106c07ec43d1505b231

SHA1
4d660b071ad1eba3f63eff48a1fb84fae7024feb

SHA256
998a75b72eed8c4989a7f0b26eda5b5e81a9dd72521b4bf50e6aa2c5ec9708b1

SHA512
9d8a6cdc626d51810372688b9fd2cb0059169a67446adda0bfaacbc6633ede66ad6d3c973a2ff6615ad8ca105a5e979515e1597a064388ec7721054d46e9bf97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4f067b6215a8499190599f72287669b8

SHA1
64fb4943c230a0fc33069648655af872909d917c

SHA256
ff84c24e094bf89f62c13d99db8a658c18c5ccbad471502c66179cd3bc660611

SHA512
1627185a2a75d5a3314ecb40d55ee21bbc258fd56f803ae3b3b543e63a829cf115b4e36e2cd21942113b69a9cd62f91ca86b90d0c3179687a7dd2d7392e9561a

Download Submit
memory/2184-0-0x000007FEF5943000-0x000007FEF5944000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x0000000000EB0000-0x0000000001472000-memory.dmp

Filesize
5.8MB

Download
memory/2508-14-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2508-15-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2752-6-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2752-7-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2752-8-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download