fbb98a26d5543ecd8be85870352b7641d151121a4dffa5a5dd53e3fd455886c5

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 09:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

QI.exe
Size

5.7MB
MD5

71058566c0821ca320639f18c62905f0
SHA1

235e751fb521829628f4df4d43b88e0ed6396a5d
SHA256

fbb98a26d5543ecd8be85870352b7641d151121a4dffa5a5dd53e3fd455886c5
SHA512

f7f7aad683bca495f438ff1fb9a91b02300d624dd3fb8f5491ee4ca7b52ea1b6641ccd12821e07399a1156ac3f6e6a13e62be286e7c66aa89ab226f91e196c1b
SSDEEP

98304:Mtx1TaW8Q9CzAY+mVmDmOaEaJchTNhpLGJMz6coX2XwFUSWPSdmAijGrCvVYusl0:MI/Q9C8YT6aJchTNjGiz7XwFWam7irCH

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 50 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4588	powershell.exe
3016	powershell.exe
3644	powershell.exe
4928	powershell.exe
3028	powershell.exe
2496	powershell.exe
4652	powershell.exe
1660	powershell.exe
996	powershell.exe
2680	powershell.exe
3140	powershell.exe
3292	powershell.exe
4404	powershell.exe
4140	powershell.exe
4824	powershell.exe
1032	powershell.exe
4216	powershell.exe
1080	powershell.exe
1280	powershell.exe
4652	powershell.exe
2060	powershell.exe
4972	powershell.exe
4576	powershell.exe
3828	powershell.exe
4212	powershell.exe
4924	powershell.exe
2716	powershell.exe
4404	powershell.exe
4988	powershell.exe
2784	powershell.exe
1864	powershell.exe
1136	powershell.exe
2260	powershell.exe
3892	powershell.exe
4564	powershell.exe
4140	powershell.exe
3000	powershell.exe
4448	powershell.exe
3628	powershell.exe
1124	powershell.exe
2344	powershell.exe
2724	powershell.exe
4064	powershell.exe
3940	powershell.exe
2364	powershell.exe
1992	powershell.exe
2172	powershell.exe
4296	powershell.exe
1560	powershell.exe
2428	powershell.exe

Checks computer location settings 2 TTPs 50 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	QI.EXE

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QI.EXE"	QI.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 50 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4564	schtasks.exe
3232	schtasks.exe
3400	schtasks.exe
1456	schtasks.exe
2736	schtasks.exe
636	schtasks.exe
2548	schtasks.exe
4340	schtasks.exe
2264	schtasks.exe
3372	schtasks.exe
4372	schtasks.exe
4224	schtasks.exe
3140	schtasks.exe
856	schtasks.exe
336	schtasks.exe
2660	schtasks.exe
3132	schtasks.exe
3120	schtasks.exe
4440	schtasks.exe
4484	schtasks.exe
1972	schtasks.exe
2292	schtasks.exe
1704	schtasks.exe
2720	schtasks.exe
4268	schtasks.exe
4200	schtasks.exe
1280	schtasks.exe
4084	schtasks.exe
3660	schtasks.exe
3240	schtasks.exe
2808	schtasks.exe
3400	schtasks.exe
692	schtasks.exe
1032	schtasks.exe
1664	schtasks.exe
4988	schtasks.exe
4824	schtasks.exe
1940	schtasks.exe
3564	schtasks.exe
4760	schtasks.exe
1704	schtasks.exe
3020	schtasks.exe
3756	schtasks.exe
2452	schtasks.exe
2816	schtasks.exe
4652	schtasks.exe
4548	schtasks.exe
3452	schtasks.exe
1440	schtasks.exe
32	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4824	powershell.exe
4824	powershell.exe
1136	powershell.exe
1136	powershell.exe
4216	powershell.exe
4216	powershell.exe
3292	powershell.exe
3292	powershell.exe
3292	powershell.exe
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
2260	powershell.exe
2260	powershell.exe
4448	powershell.exe
4448	powershell.exe
4924	powershell.exe
4924	powershell.exe
3892	powershell.exe
3892	powershell.exe
4588	powershell.exe
4588	powershell.exe
996	powershell.exe
996	powershell.exe
4928	powershell.exe
4928	powershell.exe
1992	powershell.exe
1992	powershell.exe
2172	powershell.exe
2172	powershell.exe
3628	powershell.exe
3628	powershell.exe
3028	powershell.exe
3028	powershell.exe
4576	powershell.exe
4576	powershell.exe
2496	powershell.exe
2496	powershell.exe
4404	powershell.exe
4404	powershell.exe
1080	powershell.exe
1080	powershell.exe
1280	powershell.exe
1280	powershell.exe
2680	powershell.exe
2680	powershell.exe
2344	powershell.exe
2344	powershell.exe
2724	powershell.exe
2724	powershell.exe
3828	powershell.exe
3828	powershell.exe
4188	taskmgr.exe
4188	taskmgr.exe
3140	powershell.exe
3140	powershell.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4064	powershell.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	4188	taskmgr.exe
Token: SeSystemProfilePrivilege	4188	taskmgr.exe
Token: SeCreateGlobalPrivilege	4188	taskmgr.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: 33	4188	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4188	taskmgr.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe
4188	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 4824	2296	QI.exe	88
PID 2296 wrote to memory of 4824	2296	QI.exe	88
PID 2296 wrote to memory of 1456	2296	QI.exe	91
PID 2296 wrote to memory of 1456	2296	QI.exe	91
PID 2296 wrote to memory of 1748	2296	QI.exe	96
PID 2296 wrote to memory of 1748	2296	QI.exe	96
PID 1748 wrote to memory of 1136	1748	QI.EXE	100
PID 1748 wrote to memory of 1136	1748	QI.EXE	100
PID 1748 wrote to memory of 692	1748	QI.EXE	102
PID 1748 wrote to memory of 692	1748	QI.EXE	102
PID 1748 wrote to memory of 1480	1748	QI.EXE	104
PID 1748 wrote to memory of 1480	1748	QI.EXE	104
PID 1480 wrote to memory of 4216	1480	QI.EXE	106
PID 1480 wrote to memory of 4216	1480	QI.EXE	106
PID 1480 wrote to memory of 2452	1480	QI.EXE	108
PID 1480 wrote to memory of 2452	1480	QI.EXE	108
PID 1480 wrote to memory of 2280	1480	QI.EXE	110
PID 1480 wrote to memory of 2280	1480	QI.EXE	110
PID 2280 wrote to memory of 3292	2280	QI.EXE	113
PID 2280 wrote to memory of 3292	2280	QI.EXE	113
PID 2280 wrote to memory of 2548	2280	QI.EXE	115
PID 2280 wrote to memory of 2548	2280	QI.EXE	115
PID 2280 wrote to memory of 4284	2280	QI.EXE	117
PID 2280 wrote to memory of 4284	2280	QI.EXE	117
PID 4284 wrote to memory of 4972	4284	QI.EXE	118
PID 4284 wrote to memory of 4972	4284	QI.EXE	118
PID 4284 wrote to memory of 3564	4284	QI.EXE	120
PID 4284 wrote to memory of 3564	4284	QI.EXE	120
PID 4284 wrote to memory of 3608	4284	QI.EXE	122
PID 4284 wrote to memory of 3608	4284	QI.EXE	122
PID 3608 wrote to memory of 3644	3608	QI.EXE	123
PID 3608 wrote to memory of 3644	3608	QI.EXE	123
PID 3608 wrote to memory of 3660	3608	QI.EXE	125
PID 3608 wrote to memory of 3660	3608	QI.EXE	125
PID 3608 wrote to memory of 3276	3608	QI.EXE	127
PID 3608 wrote to memory of 3276	3608	QI.EXE	127
PID 3276 wrote to memory of 2260	3276	QI.EXE	128
PID 3276 wrote to memory of 2260	3276	QI.EXE	128
PID 3276 wrote to memory of 2660	3276	QI.EXE	130
PID 3276 wrote to memory of 2660	3276	QI.EXE	130
PID 3276 wrote to memory of 3748	3276	QI.EXE	132
PID 3276 wrote to memory of 3748	3276	QI.EXE	132
PID 3748 wrote to memory of 4448	3748	QI.EXE	133
PID 3748 wrote to memory of 4448	3748	QI.EXE	133
PID 3748 wrote to memory of 3240	3748	QI.EXE	135
PID 3748 wrote to memory of 3240	3748	QI.EXE	135
PID 3748 wrote to memory of 4764	3748	QI.EXE	137
PID 3748 wrote to memory of 4764	3748	QI.EXE	137
PID 4764 wrote to memory of 4924	4764	QI.EXE	138
PID 4764 wrote to memory of 4924	4764	QI.EXE	138
PID 4764 wrote to memory of 3140	4764	QI.EXE	140
PID 4764 wrote to memory of 3140	4764	QI.EXE	140
PID 4764 wrote to memory of 4200	4764	QI.EXE	142
PID 4764 wrote to memory of 4200	4764	QI.EXE	142
PID 4200 wrote to memory of 3892	4200	QI.EXE	144
PID 4200 wrote to memory of 3892	4200	QI.EXE	144
PID 4200 wrote to memory of 4484	4200	QI.EXE	146
PID 4200 wrote to memory of 4484	4200	QI.EXE	146
PID 4200 wrote to memory of 4652	4200	QI.EXE	148
PID 4200 wrote to memory of 4652	4200	QI.EXE	148
PID 4652 wrote to memory of 4588	4652	QI.EXE	149
PID 4652 wrote to memory of 4588	4652	QI.EXE	149
PID 4652 wrote to memory of 4564	4652	QI.EXE	151
PID 4652 wrote to memory of 4564	4652	QI.EXE	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\QI.exe
"C:\Users\Admin\AppData\Local\Temp\QI.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\QI.EXE
  "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\QI.EXE
    "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\QI.EXE
      "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
      4⤵
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3564
      - C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        6⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        7⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        8⤵
        Creates scheduled task(s)
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        8⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        10⤵
        Creates scheduled task(s)
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        10⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        11⤵
        Creates scheduled task(s)
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        11⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        12⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        13⤵
        Creates scheduled task(s)
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        13⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        14⤵
        Creates scheduled task(s)
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        14⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        15⤵
        Creates scheduled task(s)
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        15⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        16⤵
        Creates scheduled task(s)
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        16⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        17⤵
        Creates scheduled task(s)
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        17⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        18⤵
        Creates scheduled task(s)
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        18⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        19⤵
        Creates scheduled task(s)
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        19⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        20⤵
        Creates scheduled task(s)
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        20⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        21⤵
        Creates scheduled task(s)
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        22⤵
        Creates scheduled task(s)
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        23⤵
        Creates scheduled task(s)
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        23⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        24⤵
        Creates scheduled task(s)
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        24⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        25⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        25⤵
        Creates scheduled task(s)
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        25⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        26⤵
        Creates scheduled task(s)
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        26⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        27⤵
        Creates scheduled task(s)
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        27⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        28⤵
        Creates scheduled task(s)
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        28⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        29⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        29⤵
        Creates scheduled task(s)
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        29⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        30⤵
        Creates scheduled task(s)
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        30⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        31⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        31⤵
        Creates scheduled task(s)
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        31⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        32⤵
        Creates scheduled task(s)
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        32⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        33⤵
        Creates scheduled task(s)
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        33⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        34⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        34⤵
        Creates scheduled task(s)
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        34⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        35⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        35⤵
        Creates scheduled task(s)
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        35⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        36⤵
        Creates scheduled task(s)
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        36⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        37⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        37⤵
        Creates scheduled task(s)
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        37⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        38⤵
        Creates scheduled task(s)
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        38⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        39⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        39⤵
        Creates scheduled task(s)
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        39⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        40⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        40⤵
        Creates scheduled task(s)
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        40⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        41⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        41⤵
        Creates scheduled task(s)
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        41⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        42⤵
        Creates scheduled task(s)
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        42⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        43⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        43⤵
        Creates scheduled task(s)
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        43⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        44⤵
        Creates scheduled task(s)
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        44⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        45⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        45⤵
        Creates scheduled task(s)
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        45⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        46⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        46⤵
        Creates scheduled task(s)
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        46⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        47⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        47⤵
        Creates scheduled task(s)
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        47⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        48⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        48⤵
        Creates scheduled task(s)
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        48⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        49⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        49⤵
        Creates scheduled task(s)
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        49⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        50⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        50⤵
        Creates scheduled task(s)
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        50⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\QI.EXE'
        51⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\QI.EXE" /RL HIGHEST
        51⤵
        Creates scheduled task(s)
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\QI.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\QI.EXE"
        51⤵
        
        PID:2804

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\QI.exe
"C:\Users\Admin\AppData\Local\Temp\QI.exe"
1⤵
PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QI.EXE.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8ab6456a8ec71255cb9ead0bb5d27767

SHA1
bc9ff860086488478e7716f7ac4421e8f69795fb

SHA256
bcb14f15fbe23bf51a657c69b24f09cd51e33a2530f89ad17c44f660769611e2

SHA512
87c5368dbd7c85f341edf8992d8b1c87984f9a3549a4802c6054da4e12a8674f10f56d03afc1a72b2cfc40895150d3b0f4d9d4c355c79cdf364ace35eb8ebf15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01fff31a70e26012f37789b179059e32

SHA1
555b6f05cce7daf46920df1c01eb5c55dc62c9e6

SHA256
adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b

SHA512
ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
272dc716c99407615cc54be63824cd1e

SHA1
6aeeeee0a254473427af394b161c1020cf74ec0a

SHA256
0e772f1d15426881d1c79b319c8d52919383d1c1b861d1893a94c0e8bd472f06

SHA512
5a32034ea515f358ef4ec2e2f198fdc0dd0c5900645c4a8e8e1da7922ee19836d735ee726ce7d60b3015ab7abc10ebec2602fec24dca4f4e0798db2a7bf5aaf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75d224e238a397659d8e5cf458a41143

SHA1
d182d16283d3d864a2e328b677551428c29ad6df

SHA256
6a98fa5e6c5b77722f2bd8c855fd14d6bf545fc35b292252d1dc136b89ed2fee

SHA512
3477f3b4182ffdccc817de4242c8fcba706c193a0de5170cd023f8df3d330487d7e372556524b5a0fe1df56de40923700f3f8368eadf6601970e347cbcf078cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e72944dbca88eb43abaa74c2bddb4ec0

SHA1
eaffbd434543849c9d8efb5bea26e40c0f7a5ef6

SHA256
83608fc7c130308953acba179c5592810d6ac4a34bae35b81df2e4b5d46d202c

SHA512
2c009bfebd6d6ee6d036e45b780054adfd565f0fdac9bce011f134370580764bd21d955aa2668dc3ca838b0cde941e85f2619f7ee4266efef50282d6705ec9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b3bc9ca267ea2969eb6201d77e58560c

SHA1
78f83a443aa1ca235edcab2da9e2fda6fecc1da4

SHA256
7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695

SHA512
8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4fc1ceefa94c82f73b7ee478e2920ea3

SHA1
17a031c8d10e316478d85d24ba8a8b5ebfda3149

SHA256
018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb

SHA512
cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f3b96b24f06e2d37a46e43e8b784f56

SHA1
7be6702c5867f359e913eeeecdd5b76698589295

SHA256
8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720

SHA512
d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d06ce10e4e5b9e174b5ebbdad300fad

SHA1
bcc1c231e22238cef02ae25331320060ada2f131

SHA256
87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

SHA512
38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
330c0d750a5199394897ed266a508d9a

SHA1
48cc83c9efe720b4018a1bbbd28b9548b7cc08ed

SHA256
eac12f58c6fd86f674cc2dfec7717b5be286f45a370b22e522b86c302b94421d

SHA512
511cb3e04881e206fd8b86840b33b8ed8a78e71c28c508384387348982283b1bc0522051f992c998f7e64e4069e9ee55a5e3a6d1e0b923f4f34fdb1c17fd5631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aeceee3981c528bdc5e1c635b65d223d

SHA1
de9939ed37edca6772f5cdd29f6a973b36b7d31b

SHA256
b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

SHA512
df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f0a41fc9c1123bb127e55ecc66c8f052

SHA1
57152411758fa3df2623cc8a4df6d9fea73652f8

SHA256
a4fe2be2c449e841f6a12d32114672b097fc1058b6f2971a03521220a0228745

SHA512
e3e967adac361ddcf8240cf641f3e77eacfefc61dec725b8ae12e6a94f7d2ebd937fb9eb3cd068a0b3d4306e163dc87773b322bc2dd8b7df93b8103d0e99a900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8ee45e423ed25aebba9f81792cafa04c

SHA1
c8826b4f44fc4980f4d7c2df090de9ed1a2df171

SHA256
b96091133429c398177786798cbb103af1123af14acd453e9223f649fb5dd069

SHA512
45d9e26be993f606ed32d066986db31d508de65f4a2d37c2a79228d5f9cfa9c658903ee92b2f8fa707edde1d1b9f9c80cf6809ee905d30d3e71ac3dd01bb2fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1008cfb29cdc25b4180c736ec404335

SHA1
39760fbcc8c1a64e856e98d61ce194d39b727438

SHA256
0eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558

SHA512
00c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caae66b2d6030f85188e48e4ea3a9fa6

SHA1
108425bd97144fa0f92ff7b2109fec293d14a461

SHA256
a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

SHA512
189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_upo1b1re.vm0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2296-1-0x00000000002F0000-0x00000000008B2000-memory.dmp

Filesize
5.8MB

Download
memory/2296-18-0x00007FFECFC50000-0x00007FFED0711000-memory.dmp

Filesize
10.8MB

Download
memory/2296-21-0x00007FFECFC50000-0x00007FFED0711000-memory.dmp

Filesize
10.8MB

Download
memory/2296-0-0x00007FFECFC53000-0x00007FFECFC55000-memory.dmp

Filesize
8KB

Download
memory/4188-314-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-320-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-316-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-317-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-318-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-319-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-308-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-310-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-309-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4188-315-0x0000022264DB0000-0x0000022264DB1000-memory.dmp

Filesize
4KB

Download
memory/4824-12-0x00007FFECFC50000-0x00007FFED0711000-memory.dmp

Filesize
10.8MB

Download
memory/4824-8-0x000001CBFA530000-0x000001CBFA552000-memory.dmp

Filesize
136KB

Download
memory/4824-13-0x00007FFECFC50000-0x00007FFED0711000-memory.dmp

Filesize
10.8MB

Download
memory/4824-14-0x00007FFECFC50000-0x00007FFED0711000-memory.dmp

Filesize
10.8MB

Download
memory/4824-17-0x00007FFECFC50000-0x00007FFED0711000-memory.dmp

Filesize
10.8MB

Download