phemedrone | 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358

General

Target

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Size

144KB
MD5

319218e4eb0d6637a76668a228e32de3
SHA1

20523303d722a7747deb6154a5d4401e1b932d56
SHA256

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358
SHA512

db3d1637c178bdf3c8c5b754fe72c388a3da176b2d0a7727e89f2c257bcb93b1574eda1de7f6ea25e493949f47157c07637fbe1169fe6c9481cc42d925293fe6
SSDEEP

3072:HGNhvhNC38S7gzQ/cmD4ULz82nyLOLt/w/HOWJbG5vcX+skwEKEAm31D5:EzQ/2my2w/uWJbGFsREKQ1

Score

10^/10

phemedrone execution persistence spyware stealer

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2212	powershell.exe
2252	powershell.exe
2568	powershell.exe
1860	powershell.exe
2620	powershell.exe
756	powershell.exe
2904	powershell.exe
1248	powershell.exe
2528	powershell.exe
1740	powershell.exe
2924	powershell.exe
1724	powershell.exe
1696	powershell.exe
2584	powershell.exe
2304	powershell.exe
2160	powershell.exe
848	powershell.exe
3056	powershell.exe
2952	powershell.exe
2116	powershell.exe
2156	powershell.exe
1384	powershell.exe
2752	powershell.exe
2780	powershell.exe
3020	powershell.exe
1744	powershell.exe
2380	powershell.exe
2156	powershell.exe
1424	powershell.exe
804	powershell.exe
2184	powershell.exe
2736	powershell.exe
3016	powershell.exe
2036	powershell.exe
448	powershell.exe
2036	powershell.exe
1096	powershell.exe
2360	powershell.exe
1440	powershell.exe
1480	powershell.exe
1680	powershell.exe
1648	powershell.exe
2468	powershell.exe
888	powershell.exe
1460	powershell.exe
2504	powershell.exe
1940	powershell.exe
2680	powershell.exe
3048	powershell.exe
1292	powershell.exe
3048	powershell.exe
1748	powershell.exe
356	powershell.exe
1988	powershell.exe
2724	powershell.exe
1184	powershell.exe
948	powershell.exe
2776	powershell.exe
2536	powershell.exe
2156	powershell.exe
2252	powershell.exe
3052	powershell.exe
360	powershell.exe
2608	powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe"	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	ip-api.com

Modifies registry class 5 IoCs

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exe3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2608	powershell.exe
2620	powershell.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
1648	powershell.exe
2184	powershell.exe
2044	powershell.exe
2212	powershell.exe
360	powershell.exe
948	powershell.exe
980	powershell.exe
356	powershell.exe
2580	powershell.exe
2528	powershell.exe
1724	powershell.exe
2780	powershell.exe
2776	powershell.exe
2752	powershell.exe
3024	powershell.exe
1744	powershell.exe
2276	powershell.exe
1924	powershell.exe
2380	powershell.exe
2536	powershell.exe
2680	powershell.exe
2748	powershell.exe
848	powershell.exe
2108	powershell.exe
2772	powershell.exe
756	powershell.exe
3048	powershell.exe
2252	powershell.exe
1508	powershell.exe
2980	powershell.exe
2156	powershell.exe
2468	powershell.exe
3056	powershell.exe
1040	powershell.exe
2036	powershell.exe
1988	powershell.exe
1480	powershell.exe
888	powershell.exe
1384	powershell.exe
2724	powershell.exe
2528	powershell.exe
2952	powershell.exe
1460	powershell.exe
2780	powershell.exe
1696	powershell.exe
1184	powershell.exe
1744	powershell.exe
3024	powershell.exe
448	powershell.exe
2116	powershell.exe
1636	powershell.exe
268	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

pid process

1220 3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

pid	process
1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1220 wrote to memory of 2504	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2504	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2504	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2524	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2524	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2524	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2504 wrote to memory of 2608	2504	cmd.exe	powershell.exe
PID 2504 wrote to memory of 2608	2504	cmd.exe	powershell.exe
PID 2504 wrote to memory of 2608	2504	cmd.exe	powershell.exe
PID 2524 wrote to memory of 2620	2524	cmd.exe	powershell.exe
PID 2524 wrote to memory of 2620	2524	cmd.exe	powershell.exe
PID 2524 wrote to memory of 2620	2524	cmd.exe	powershell.exe
PID 1220 wrote to memory of 1748	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1748	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1748	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1736	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1736	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1736	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1748 wrote to memory of 1648	1748	cmd.exe	powershell.exe
PID 1748 wrote to memory of 1648	1748	cmd.exe	powershell.exe
PID 1748 wrote to memory of 1648	1748	cmd.exe	powershell.exe
PID 1736 wrote to memory of 2184	1736	cmd.exe	powershell.exe
PID 1736 wrote to memory of 2184	1736	cmd.exe	powershell.exe
PID 1736 wrote to memory of 2184	1736	cmd.exe	powershell.exe
PID 1220 wrote to memory of 2872	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2872	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2872	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2768	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2768	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2768	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2768 wrote to memory of 2044	2768	cmd.exe	powershell.exe
PID 2768 wrote to memory of 2044	2768	cmd.exe	powershell.exe
PID 2768 wrote to memory of 2044	2768	cmd.exe	powershell.exe
PID 2872 wrote to memory of 2212	2872	cmd.exe	powershell.exe
PID 2872 wrote to memory of 2212	2872	cmd.exe	powershell.exe
PID 2872 wrote to memory of 2212	2872	cmd.exe	powershell.exe
PID 1220 wrote to memory of 1496	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1496	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1496	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1984	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1984	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 1984	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1496 wrote to memory of 360	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 360	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 360	1496	cmd.exe	powershell.exe
PID 1984 wrote to memory of 948	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 948	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 948	1984	cmd.exe	powershell.exe
PID 1220 wrote to memory of 2312	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2312	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2312	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2280	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2280	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2280	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 2312 wrote to memory of 980	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 980	2312	cmd.exe	powershell.exe
PID 2312 wrote to memory of 980	2312	cmd.exe	powershell.exe
PID 2280 wrote to memory of 356	2280	cmd.exe	powershell.exe
PID 2280 wrote to memory of 356	2280	cmd.exe	powershell.exe
PID 2280 wrote to memory of 356	2280	cmd.exe	powershell.exe
PID 1220 wrote to memory of 2032	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2032	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2032	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe
PID 1220 wrote to memory of 2532	1220	3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
"C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:1688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:2268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:2616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:1448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:1732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:2772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:2408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:2632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:1164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:2160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:1228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:2328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe & exit
2⤵
PID:1692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3bb41473ee7e39b74fc96fadc0551780dbb08190c540c690e11b492952b33358.exe
3⤵
PID:2800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
2⤵
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
3⤵
PID:1888

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0764fc5645fa407139923ac1e581f70b

SHA1
4149c776e6b5c40241bff5b2fd02527545cd5483

SHA256
28892bc7d15a6db3eed42e83e062c1a39df7a1c3685e40104cfd976927f70246

SHA512
3a1b8423b34ec66743ce05ae6bd4fcdb39bb74c649c5c05ebb0a8e974bfb9b480c84086b896434606e28175f116053f2db4204f8f334085ec1a72813c3ac937a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WF9LG0V1JPBFE7PE8EK6.temp
Filesize
7KB

MD5
b3845cd3a3be2f8844f2ebd49b3ee498

SHA1
2218038e0e83156b37eed4560c584efcb325431f

SHA256
e488450bee5d3ae410a58bbb5544e1bd2016ba59235e79f4f8bb78af5615d572

SHA512
544d8c293d014e23f2691f1fb62f3ebef7588f7fa2a1da0cb3ce6ce584fbb41170e20f3a4cc087e48212d21d05d016bd2bd726f25e9619cf4ff175a31521d89c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1220-0-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/1220-1-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/1220-2-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-58-0x000007FEF5683000-0x000007FEF5684000-memory.dmp

Filesize
4KB

Download
memory/1220-59-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download
memory/1648-20-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1648-21-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/2608-12-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2608-13-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads