phemedrone | 6ac30aaef20c25564eebdbfd55db25f61ff6c84204ecc30241c0cf2332a0d04b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

2.3MB
MD5

f80723c7062d0414bfd23249a943b330
SHA1

0996049a3da01ef925e954867aaa302d82279639
SHA256

6ac30aaef20c25564eebdbfd55db25f61ff6c84204ecc30241c0cf2332a0d04b
SHA512

f99821c40a3c1d19403b7cd21a2434293d2d23c92a716312e4bbbfb433b1c4b2ec4c90ce9750d4b574d0a802108191621a3b018ab2ebff65f535d843929278de
SSDEEP

49152:XJAFOSG/TBqwnbetRXZRAL3Wa88eVuN6yCQhJolninbT:ZAo3/T5bQRpRAL3denin

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121

Attributes

Install_directory
%Public%
install_file
calc.exe

Extracted

Family

phemedrone

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\calcc.exe	family_xworm
behavioral2/memory/4900-42-0x0000000000270000-0x0000000000288000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
380	powershell.exe
3532	powershell.exe
3084	powershell.exe
2152	powershell.exe
4244	powershell.exe
436	powershell.exe
4928	powershell.exe
1864	powershell.exe
1088	powershell.exe
4952	powershell.exe
1860	powershell.exe
948	powershell.exe
3852	powershell.exe
5116	powershell.exe
1376	powershell.exe
2948	powershell.exe
688	powershell.exe
1936	powershell.exe
1544	powershell.exe
1092	powershell.exe
3376	powershell.exe
4464	powershell.exe
856	powershell.exe
2792	powershell.exe
3876	powershell.exe
4376	powershell.exe
3632	powershell.exe
1576	powershell.exe
3292	powershell.exe
1912	powershell.exe
3336	powershell.exe
4384	powershell.exe
3972	powershell.exe
1920	powershell.exe
4032	powershell.exe
4808	powershell.exe
1736	powershell.exe
4164	powershell.exe
2988	powershell.exe
3388	powershell.exe
1188	powershell.exe
2292	powershell.exe
4932	powershell.exe
4536	powershell.exe
4880	powershell.exe
232	powershell.exe
2620	powershell.exe
948	powershell.exe
4336	powershell.exe
4808	powershell.exe
2872	powershell.exe
1368	powershell.exe
4188	powershell.exe
5064	powershell.exe
4328	powershell.exe
4344	powershell.exe
4000	powershell.exe
868	powershell.exe
3884	powershell.exe
3228	powershell.exe
2152	powershell.exe
3340	powershell.exe
4068	powershell.exe
5116	powershell.exe

Checks computer location settings 2 TTPs 34 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.execalcc.exeWaveInstaller.exeWaveInstaller.exeWaveInstaller.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	calcc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WaveInstaller.exe

Drops startup file 2 IoCs

Processes:

calcc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe

Executes dropped EXE 64 IoCs

Processes:

calcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalc.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalc.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.exe

pid	process
4900	calcc.exe
4332	Sync Center.exe
3688	calcc.exe
2704	Sync Center.exe
4504	calcc.exe
756	Sync Center.exe
4932	calcc.exe
3460	Sync Center.exe
4440	calcc.exe
1568	Sync Center.exe
2704	calcc.exe
2284	Sync Center.exe
1852	calcc.exe
4584	Sync Center.exe
2280	calcc.exe
5016	Sync Center.exe
1736	calcc.exe
3776	Sync Center.exe
1156	calcc.exe
4328	Sync Center.exe
3004	calcc.exe
4404	Sync Center.exe
1068	calcc.exe
2020	Sync Center.exe
4064	calcc.exe
2984	Sync Center.exe
4736	calcc.exe
1860	Sync Center.exe
4756	calc.exe
4600	calcc.exe
1976	Sync Center.exe
4620	calcc.exe
2292	Sync Center.exe
3148	calcc.exe
4128	Sync Center.exe
4400	calcc.exe
3340	Sync Center.exe
2280	calcc.exe
4888	Sync Center.exe
1852	calcc.exe
3876	Sync Center.exe
4952	calcc.exe
4600	Sync Center.exe
2424	calcc.exe
3660	Sync Center.exe
1092	calcc.exe
4076	Sync Center.exe
60	calcc.exe
1624	Sync Center.exe
3872	calcc.exe
1432	Sync Center.exe
3716	calcc.exe
4776	Sync Center.exe
3772	calcc.exe
3224	Sync Center.exe
2484	calcc.exe
4160	Sync Center.exe
2604	calc.exe
2704	calcc.exe
4536	Sync Center.exe
1088	calcc.exe
184	Sync Center.exe
2132	calcc.exe
4224	Sync Center.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc = "C:\\Users\\Public\\calc.exe"	calcc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync Center = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Sync Center.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	WaveInstaller.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

107 ip-api.com
141 ip-api.com
27 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3288 schtasks.exe

flow	ioc
107	ip-api.com
141	ip-api.com
27	ip-api.com

pid	process
3288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exe

pid	process
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
4332	Sync Center.exe
4332	Sync Center.exe
5060	powershell.exe
5060	powershell.exe
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe
2152	powershell.exe
2152	powershell.exe
2152	powershell.exe
2704	Sync Center.exe
856	powershell.exe
856	powershell.exe
856	powershell.exe
3340	powershell.exe
3340	powershell.exe
3340	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
756	Sync Center.exe
756	Sync Center.exe
1256	powershell.exe
1256	powershell.exe
1256	powershell.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
4032	powershell.exe
4032	powershell.exe
4032	powershell.exe
3460	Sync Center.exe
3460	Sync Center.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
3084	powershell.exe
3084	powershell.exe
3084	powershell.exe
1568	Sync Center.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeWaveInstaller.exepowershell.exepowershell.execalcc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3900	WaveInstaller.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4900	calcc.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4332	Sync Center.exe
Token: SeDebugPrivilege	3084	WaveInstaller.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3688	calcc.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2704	Sync Center.exe
Token: SeDebugPrivilege	3792	WaveInstaller.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	4504	calcc.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	756	Sync Center.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4456	WaveInstaller.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4900	calcc.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4932	calcc.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3460	Sync Center.exe
Token: SeDebugPrivilege	2184	WaveInstaller.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4440	calcc.exe
Token: SeDebugPrivilege	3084	powershell.exe
Token: SeDebugPrivilege	1568	Sync Center.exe
Token: SeDebugPrivilege	2308	WaveInstaller.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2704	calcc.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	2284	Sync Center.exe
Token: SeDebugPrivilege	4928	WaveInstaller.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	1852	calcc.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4584	Sync Center.exe
Token: SeDebugPrivilege	2460	WaveInstaller.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2280	calcc.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	5016	Sync Center.exe
Token: SeDebugPrivilege	916	WaveInstaller.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1736	calcc.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3776	Sync Center.exe
Token: SeDebugPrivilege	3824	WaveInstaller.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	1156	calcc.exe
Token: SeDebugPrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WaveInstaller.exeWaveInstaller.exeWaveInstaller.execalcc.exeWaveInstaller.exeWaveInstaller.exe

description	pid	process	target process
PID 3900 wrote to memory of 3376	3900	WaveInstaller.exe	powershell.exe
PID 3900 wrote to memory of 3376	3900	WaveInstaller.exe	powershell.exe
PID 3900 wrote to memory of 3084	3900	WaveInstaller.exe	WaveInstaller.exe
PID 3900 wrote to memory of 3084	3900	WaveInstaller.exe	WaveInstaller.exe
PID 3900 wrote to memory of 4376	3900	WaveInstaller.exe	powershell.exe
PID 3900 wrote to memory of 4376	3900	WaveInstaller.exe	powershell.exe
PID 3900 wrote to memory of 4900	3900	WaveInstaller.exe	calcc.exe
PID 3900 wrote to memory of 4900	3900	WaveInstaller.exe	calcc.exe
PID 3900 wrote to memory of 4336	3900	WaveInstaller.exe	powershell.exe
PID 3900 wrote to memory of 4336	3900	WaveInstaller.exe	powershell.exe
PID 3900 wrote to memory of 4332	3900	WaveInstaller.exe	Sync Center.exe
PID 3900 wrote to memory of 4332	3900	WaveInstaller.exe	Sync Center.exe
PID 3084 wrote to memory of 5060	3084	WaveInstaller.exe	powershell.exe
PID 3084 wrote to memory of 5060	3084	WaveInstaller.exe	powershell.exe
PID 3084 wrote to memory of 3792	3084	WaveInstaller.exe	WaveInstaller.exe
PID 3084 wrote to memory of 3792	3084	WaveInstaller.exe	WaveInstaller.exe
PID 3084 wrote to memory of 3228	3084	WaveInstaller.exe	powershell.exe
PID 3084 wrote to memory of 3228	3084	WaveInstaller.exe	powershell.exe
PID 3084 wrote to memory of 3688	3084	WaveInstaller.exe	calcc.exe
PID 3084 wrote to memory of 3688	3084	WaveInstaller.exe	calcc.exe
PID 3084 wrote to memory of 2152	3084	WaveInstaller.exe	powershell.exe
PID 3084 wrote to memory of 2152	3084	WaveInstaller.exe	powershell.exe
PID 3084 wrote to memory of 2704	3084	WaveInstaller.exe	Sync Center.exe
PID 3084 wrote to memory of 2704	3084	WaveInstaller.exe	Sync Center.exe
PID 3792 wrote to memory of 856	3792	WaveInstaller.exe	powershell.exe
PID 3792 wrote to memory of 856	3792	WaveInstaller.exe	powershell.exe
PID 3792 wrote to memory of 4456	3792	WaveInstaller.exe	WaveInstaller.exe
PID 3792 wrote to memory of 4456	3792	WaveInstaller.exe	WaveInstaller.exe
PID 3792 wrote to memory of 3340	3792	WaveInstaller.exe	powershell.exe
PID 3792 wrote to memory of 3340	3792	WaveInstaller.exe	powershell.exe
PID 3792 wrote to memory of 4504	3792	WaveInstaller.exe	calcc.exe
PID 3792 wrote to memory of 4504	3792	WaveInstaller.exe	calcc.exe
PID 3792 wrote to memory of 4928	3792	WaveInstaller.exe	powershell.exe
PID 3792 wrote to memory of 4928	3792	WaveInstaller.exe	powershell.exe
PID 4900 wrote to memory of 4536	4900	calcc.exe	powershell.exe
PID 4900 wrote to memory of 4536	4900	calcc.exe	powershell.exe
PID 3792 wrote to memory of 756	3792	WaveInstaller.exe	Sync Center.exe
PID 3792 wrote to memory of 756	3792	WaveInstaller.exe	Sync Center.exe
PID 4900 wrote to memory of 1256	4900	calcc.exe	powershell.exe
PID 4900 wrote to memory of 1256	4900	calcc.exe	powershell.exe
PID 4900 wrote to memory of 688	4900	calcc.exe	powershell.exe
PID 4900 wrote to memory of 688	4900	calcc.exe	powershell.exe
PID 4900 wrote to memory of 1864	4900	calcc.exe	powershell.exe
PID 4900 wrote to memory of 1864	4900	calcc.exe	powershell.exe
PID 4456 wrote to memory of 4880	4456	WaveInstaller.exe	powershell.exe
PID 4456 wrote to memory of 4880	4456	WaveInstaller.exe	powershell.exe
PID 4900 wrote to memory of 3288	4900	calcc.exe	schtasks.exe
PID 4900 wrote to memory of 3288	4900	calcc.exe	schtasks.exe
PID 4456 wrote to memory of 2184	4456	WaveInstaller.exe	WaveInstaller.exe
PID 4456 wrote to memory of 2184	4456	WaveInstaller.exe	WaveInstaller.exe
PID 4456 wrote to memory of 4164	4456	WaveInstaller.exe	powershell.exe
PID 4456 wrote to memory of 4164	4456	WaveInstaller.exe	powershell.exe
PID 4456 wrote to memory of 4932	4456	WaveInstaller.exe	calcc.exe
PID 4456 wrote to memory of 4932	4456	WaveInstaller.exe	calcc.exe
PID 4456 wrote to memory of 4032	4456	WaveInstaller.exe	powershell.exe
PID 4456 wrote to memory of 4032	4456	WaveInstaller.exe	powershell.exe
PID 4456 wrote to memory of 3460	4456	WaveInstaller.exe	Sync Center.exe
PID 4456 wrote to memory of 3460	4456	WaveInstaller.exe	Sync Center.exe
PID 2184 wrote to memory of 1852	2184	WaveInstaller.exe	powershell.exe
PID 2184 wrote to memory of 1852	2184	WaveInstaller.exe	powershell.exe
PID 2184 wrote to memory of 2308	2184	WaveInstaller.exe	WaveInstaller.exe
PID 2184 wrote to memory of 2308	2184	WaveInstaller.exe	WaveInstaller.exe
PID 2184 wrote to memory of 4344	2184	WaveInstaller.exe	powershell.exe
PID 2184 wrote to memory of 4344	2184	WaveInstaller.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:856
  - - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
      4⤵
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        6⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        7⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        8⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        10⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        11⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        12⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        13⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        13⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        14⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        15⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        16⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        16⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        17⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        18⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        19⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        19⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        20⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        20⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        21⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        21⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        22⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        23⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        23⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        24⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        25⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        26⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        26⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        27⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        27⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        28⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        28⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        29⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        29⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        30⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        31⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        31⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        32⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        33⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
        33⤵
        Checks computer location settings
        
        PID:376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        33⤵
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        33⤵
        
        PID:384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        32⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        32⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        31⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        31⤵
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        30⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        30⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        30⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        30⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        29⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        29⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        28⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        28⤵
        Executes dropped EXE
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        27⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        27⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        26⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        26⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        26⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        26⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        25⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        25⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        24⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        24⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        24⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        24⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        23⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        23⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        23⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        22⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        22⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        22⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        22⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        21⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        21⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        20⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        20⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        20⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        19⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        19⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        19⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        19⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        18⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        18⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        18⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        17⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        17⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        16⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        16⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        16⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        15⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        15⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        14⤵
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        14⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        13⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        13⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        12⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        12⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        12⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        12⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        11⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
      - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
    - - C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\calcc.exe
      "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
      "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3228
- - C:\Users\Admin\AppData\Local\Temp\calcc.exe
    "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
    "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\calcc.exe
  "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calcc.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\calc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "calc" /tr "C:\Users\Public\calc.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
  "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332

C:\Users\Public\calc.exe
C:\Users\Public\calc.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Users\Public\calc.exe
C:\Users\Public\calc.exe
1⤵
- Executes dropped EXE
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sync Center.exe.log

Filesize
1KB

MD5
d7e08a6cf500fe5ab87b41795962ee19

SHA1
dd08782055e3e72f7a8c14ee8a27953825b18c6a

SHA256
e74f68eef03565053effbbfb8a786c8858edea751f40cd8c1030ca673f6ba161

SHA512
d4d694cde80f00642174c564969c228ae69dd31707b8e9cf52b5564b98b34d1c20857fddfeff66b597bab150be18b8166425f6cc1001c6154ba77611f0bec4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WaveInstaller.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\calcc.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
37a924b11cf3f7f57fc56898abe9b0e6

SHA1
5ee379727611f74dc5fa677b65881d4c63e10f95

SHA256
6e7f7c5fddb3a0300740fdcbe1a8ec3a0be0f16dff193f9806364a19262b52bf

SHA512
903e1badb3577e0b3e92b69491596c9a402b51cdf3de43d5fb06b08c5689d2ff7ba25f8d1497d6527e943d9063a7ee79cbf2b47892de1de3b68cc7ca77853d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d65ebc84c6b0b52901fb46f5e2b83ab5

SHA1
d036a0c3eb9e1616d0f7f5ca41171060c13a3095

SHA256
d45581b0807a0d04a70ec75e3e4575e73f148e5b4e0d3d325dfbd6400a4bfbd1

SHA512
88ac232e7702ebd53788cf8429d266ae367111bfccf4bc9d40ead25b552347521458ca60d320e2775b5d2edcaf8501251cb2db68b38dc000ac50463fb80865be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2fdeebf8fd935cb54b8867dc6cf2c6af

SHA1
c23a1cdd68599b7b67cc0e0e47c9ec5c7f40a035

SHA256
19a6060336405f08287ffdb20e01641b8731488d6cfca549c95fb765f6e30ef5

SHA512
23c3a6818ef06de5dcd2a0190a25961da3a989238f65687bb4a8837d2a9688bcdd14757634ade46028e1fc9083692823ce5859b2c54b8f629d7fa3f48b54b0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
993af531f0b57e8128ec273731c3a8e2

SHA1
a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

SHA256
fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

SHA512
bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
121036df237e18427d4f8285e9b4babb

SHA1
d2c930a18a7145fe88607e4d27fe4f580dcbecff

SHA256
f79e1f1b2ba58c21437e70ce5602c0a47cd2f9a0905423ba26ccc3c2a3a434e9

SHA512
6d82491231c55a141b8f691d284fd2b612db3231896833b220ee47104fd01b893882ed15447cee476b84a891a122ba48feea4c5aad3285eddb6d1e4ca1fd2010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ce292bb581460978c5b6a6b6c02ea99

SHA1
261d81777c16ad7a104052a3b9d719c26f55ba38

SHA256
e7fcfed5376d00e784f09167de08f1559ae2ffc5a3b3e49c10af538153d7f806

SHA512
af498881c99b46d2a0c6b42d6c96fcc405f220189843d9a4bf0cad6fcdcab29c330322041c96571fb4119fd548f0daaf2e06eabdcc844ab4f645022571116fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d06ce10e4e5b9e174b5ebbdad300fad

SHA1
bcc1c231e22238cef02ae25331320060ada2f131

SHA256
87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

SHA512
38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b2551c57c4f442d3968db9a207cfd059

SHA1
38910649f3f651586477bf47640174ae4db1e8c2

SHA256
d37658614a272d600067784941dca04367d449085124833554557d60c2ddc4c4

SHA512
b48d4a9c465415ecd67ca98f3f1b8be163af87f301a145ceb6fe8a5806c777d4bf6e6040a5468f325561333c05dd4cd9b7c678fd434909e70761998d3a5335d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae3b439d2d295d6e4c5fb2dc141ee97f

SHA1
92f6f35e58178dad7509daed385663a688234037

SHA256
f7b7916a3c816b24aeb55680a9458554909ad3774baee2e979512aeb90d393db

SHA512
5372aa4736648884fe32e1ff57990f6c73736c77ff5f14ea064867b542793fcf7c6ac625150e11f21c39a163366c6735dadb9de0f94f1dfe6a25a9cc24f69e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4eaeeca90ebe7f5cb292f4778156dd93

SHA1
a1f8e7c53c52173269eec93fecefdf699f8ed9e7

SHA256
f6592ce0efe8b608c11abaaad6f74386757cf22c1ebcd2df2b745db7e64dfbfc

SHA512
055406e953fa42913fcabedc836abb1a56f528eaa76530ef8c4af10b97664e1b06d5b2e59009279d6e55118d926c5ae3c4a314ac1fda93d39e0efcb0a715f15a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9a2c763c5ff40e18e49ad63c7c3b0088

SHA1
4b289ea34755323fa869da6ad6480d8d12385a36

SHA256
517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e

SHA512
3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1fee44d99fc4afa998e1fbe887d4133f

SHA1
4ce4177db7e940ba0b7adf9ce7fa5dc0732481f3

SHA256
43dc153f22a8d306e0c130d1231bb60778c6f4e0bd20be875e79771c71392391

SHA512
a6abcb17b4c739f96172f7dc6ee5ba9e8e2c6c73286d1af85644b3cae1c18cfc4613bf84d0d88eff4d952cf4bb66161309dc1293b2d9a45841024d1260d73a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9925a480d644014f3883431012f461f4

SHA1
a3e6e9a9a9f29291ddc32242083aa8f453903d5e

SHA256
4616abd1f1b64bdddc6cc60bf7ecb3147f2395cb8ec023188ee97865ffec43d3

SHA512
597b62627a01233ef6715ceeb1839439d2eff7f25d2b4efc2571911c7d14324a5f25693b4e727fc6ce9ff031cc3fea3704c5dbdc18727da4a83919d4e499408b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vyihobuv.4tp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\calcc.exe

Filesize
71KB

MD5
36686a659c023c60d85630ef9080ee34

SHA1
c26facc03073d700fc65af33eb2d8a6215f065b6

SHA256
eadd6fd65960900c14dd8e18a16348ec4c6f766e6316428f8cf659d02b43fb49

SHA512
236eab23ae8a565532ffd063a7e31ecc9aa835c63ca243c15ddba652f639dc5249589340812299e523156ac8695571877d1af78c2a481f0b2527d90aa00c3587

Download Submit
memory/3376-3-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-4-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-5-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-11-0x000002C672520000-0x000002C672542000-memory.dmp

Filesize
136KB

Download
memory/3376-18-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3900-0-0x00007FFDDAAF3000-0x00007FFDDAAF5000-memory.dmp

Filesize
8KB

Download
memory/3900-1-0x0000000000E10000-0x0000000001070000-memory.dmp

Filesize
2.4MB

Download
memory/3900-2-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3900-67-0x00007FFDDAAF0000-0x00007FFDDB5B1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-66-0x0000000000710000-0x0000000000734000-memory.dmp

Filesize
144KB

Download
memory/4900-42-0x0000000000270000-0x0000000000288000-memory.dmp

Filesize
96KB

Download