phemedrone | 3a11bdaa4bac674e37e4b6d77a14dffd9689080720590108651b66ccd0fc5f65

Analysis

max time kernel
74s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

126KB
MD5

083661bf1e509d3e2be99b02f7ebdb72
SHA1

df4dd941d359ffe0cdfeebf5c8492ff675fd88f6
SHA256

3a11bdaa4bac674e37e4b6d77a14dffd9689080720590108651b66ccd0fc5f65
SHA512

01887bcd0f6cbc6fdb11066e6da4024f91e7b902cb98219b146cd883fa7d7904967d8931a0b0edc5ac3a12adcab2a938741db69ef91f94a1cfb4b2903ca2ecda
SSDEEP

3072:KecOklG1NOuyUesDmUENL4QaF1QeHzypy9hLsvu:DGlGtyUXasfHzN9hLC

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121

Attributes

Install_directory
%Public%
install_file
calc.exe

Extracted

Family

phemedrone

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\calcc.exe	family_xworm
behavioral1/memory/4372-41-0x00000000001A0000-0x00000000001B8000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4624	powershell.exe
1612	powershell.exe
4216	powershell.exe
2592	powershell.exe
3456	powershell.exe
3004	powershell.exe
3156	powershell.exe
4636	powershell.exe
1336	powershell.exe
4636	powershell.exe
5096	powershell.exe
4792	powershell.exe
2256	powershell.exe
512	powershell.exe
3668	powershell.exe
4220	powershell.exe
652	powershell.exe
1548	powershell.exe
1616	powershell.exe
5060	powershell.exe
1600	powershell.exe
4272	powershell.exe
4328	powershell.exe
1336	powershell.exe
2972	powershell.exe
5048	powershell.exe
3248	powershell.exe
2004	powershell.exe
4644	powershell.exe
2300	powershell.exe
512	powershell.exe
2188	powershell.exe
3472	powershell.exe
2656	powershell.exe
4364	powershell.exe
4792	powershell.exe
1928	powershell.exe
1712	powershell.exe
2256	powershell.exe
1336	powershell.exe
732	powershell.exe
3340	powershell.exe
3684	powershell.exe
1140	powershell.exe
1620	powershell.exe
2268	powershell.exe
4648	powershell.exe
3832	powershell.exe
1912	powershell.exe
4916	powershell.exe
1632	powershell.exe
4408	powershell.exe
2688	powershell.exe
1948	powershell.exe
3300	powershell.exe
4476	powershell.exe
1376	powershell.exe
956	powershell.exe
2528	powershell.exe
2948	powershell.exe
720	powershell.exe
3456	powershell.exe
3036	powershell.exe
4928	powershell.exe

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.execalcc.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	calcc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Launcher.exe

Drops startup file 2 IoCs

Processes:

calcc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe

Executes dropped EXE 42 IoCs

Processes:

calcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.exe

pid	process
4372	calcc.exe
4824	Sync Center.exe
3644	calcc.exe
4644	Sync Center.exe
2244	calcc.exe
2488	Sync Center.exe
2428	calcc.exe
5112	Sync Center.exe
4216	calcc.exe
4336	Sync Center.exe
2184	calcc.exe
3916	Sync Center.exe
4508	calcc.exe
1968	Sync Center.exe
3088	calcc.exe
1084	Sync Center.exe
4476	calcc.exe
4804	Sync Center.exe
5116	calcc.exe
720	Sync Center.exe
1120	calcc.exe
956	Sync Center.exe
1576	calcc.exe
3360	Sync Center.exe
3304	calcc.exe
3752	Sync Center.exe
1904	calcc.exe
232	Sync Center.exe
3296	calcc.exe
3316	Sync Center.exe
3172	calcc.exe
3360	Sync Center.exe
4220	calcc.exe
3316	Sync Center.exe
4500	calcc.exe
2376	Sync Center.exe
4928	calcc.exe
2676	Sync Center.exe
3948	calcc.exe
3172	Sync Center.exe
3288	calcc.exe
3600	Sync Center.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Launcher.exeLauncher.exeLauncher.exeLauncher.execalcc.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exeLauncher.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc = "C:\\Users\\Public\\calc.exe"	calcc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calcc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\calcc.exe"	Launcher.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com
100 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
24	ip-api.com
100	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "91"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings taskmgr.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1912 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	taskmgr.exe

pid	process
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exetaskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exe

pid	process
4408	powershell.exe
4408	powershell.exe
3456	powershell.exe
3456	powershell.exe
4648	powershell.exe
4648	powershell.exe
4824	Sync Center.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
652	powershell.exe
652	powershell.exe
652	powershell.exe
2972	powershell.exe
2972	powershell.exe
2972	powershell.exe
4644	Sync Center.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
1824	taskmgr.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
1824	taskmgr.exe
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe
1824	taskmgr.exe
1824	taskmgr.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe
1620	powershell.exe
1620	powershell.exe
1620	powershell.exe
1824	taskmgr.exe
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
2488	Sync Center.exe
2488	Sync Center.exe
1824	taskmgr.exe
1824	taskmgr.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
1824	taskmgr.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
512	powershell.exe
512	powershell.exe
1824	taskmgr.exe
512	powershell.exe
5112	Sync Center.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Launcher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exetaskmgr.exeLauncher.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeLauncher.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1660	Launcher.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	4372	calcc.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4824	Sync Center.exe
Token: SeDebugPrivilege	2948	Launcher.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	3644	calcc.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	4644	Sync Center.exe
Token: SeDebugPrivilege	1824	taskmgr.exe
Token: SeSystemProfilePrivilege	1824	taskmgr.exe
Token: SeCreateGlobalPrivilege	1824	taskmgr.exe
Token: SeDebugPrivilege	4500	Launcher.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	4372	calcc.exe
Token: SeDebugPrivilege	2244	calcc.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	2488	Sync Center.exe
Token: SeDebugPrivilege	4068	Launcher.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2428	calcc.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	5112	Sync Center.exe
Token: SeDebugPrivilege	2004	Launcher.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	4216	calcc.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	4336	Sync Center.exe
Token: SeDebugPrivilege	2948	Launcher.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2184	calcc.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	3916	Sync Center.exe
Token: SeDebugPrivilege	3472	Launcher.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	4508	calcc.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1968	Sync Center.exe
Token: SeDebugPrivilege	732	Launcher.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	3088	calcc.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	1084	Sync Center.exe
Token: SeDebugPrivilege	4428	Launcher.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	4476	calcc.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	4804	Sync Center.exe
Token: SeDebugPrivilege	2144	Launcher.exe
Token: SeDebugPrivilege	1600	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3572 LogonUI.exe

pid	process
3572	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeLauncher.execalcc.exeLauncher.exeLauncher.exeLauncher.exe

description	pid	process	target process
PID 1660 wrote to memory of 4408	1660	Launcher.exe	powershell.exe
PID 1660 wrote to memory of 4408	1660	Launcher.exe	powershell.exe
PID 1660 wrote to memory of 2948	1660	Launcher.exe	Launcher.exe
PID 1660 wrote to memory of 2948	1660	Launcher.exe	Launcher.exe
PID 1660 wrote to memory of 3456	1660	Launcher.exe	powershell.exe
PID 1660 wrote to memory of 3456	1660	Launcher.exe	powershell.exe
PID 1660 wrote to memory of 4372	1660	Launcher.exe	calcc.exe
PID 1660 wrote to memory of 4372	1660	Launcher.exe	calcc.exe
PID 1660 wrote to memory of 4648	1660	Launcher.exe	powershell.exe
PID 1660 wrote to memory of 4648	1660	Launcher.exe	powershell.exe
PID 1660 wrote to memory of 4824	1660	Launcher.exe	Sync Center.exe
PID 1660 wrote to memory of 4824	1660	Launcher.exe	Sync Center.exe
PID 2948 wrote to memory of 2688	2948	Launcher.exe	powershell.exe
PID 2948 wrote to memory of 2688	2948	Launcher.exe	powershell.exe
PID 2948 wrote to memory of 4500	2948	Launcher.exe	Launcher.exe
PID 2948 wrote to memory of 4500	2948	Launcher.exe	Launcher.exe
PID 2948 wrote to memory of 652	2948	Launcher.exe	powershell.exe
PID 2948 wrote to memory of 652	2948	Launcher.exe	powershell.exe
PID 2948 wrote to memory of 3644	2948	Launcher.exe	calcc.exe
PID 2948 wrote to memory of 3644	2948	Launcher.exe	calcc.exe
PID 2948 wrote to memory of 2972	2948	Launcher.exe	powershell.exe
PID 2948 wrote to memory of 2972	2948	Launcher.exe	powershell.exe
PID 2948 wrote to memory of 4644	2948	Launcher.exe	Sync Center.exe
PID 2948 wrote to memory of 4644	2948	Launcher.exe	Sync Center.exe
PID 4372 wrote to memory of 2656	4372	calcc.exe	powershell.exe
PID 4372 wrote to memory of 2656	4372	calcc.exe	powershell.exe
PID 4372 wrote to memory of 4364	4372	calcc.exe	powershell.exe
PID 4372 wrote to memory of 4364	4372	calcc.exe	powershell.exe
PID 4372 wrote to memory of 2256	4372	calcc.exe	powershell.exe
PID 4372 wrote to memory of 2256	4372	calcc.exe	powershell.exe
PID 4372 wrote to memory of 2676	4372	calcc.exe	powershell.exe
PID 4372 wrote to memory of 2676	4372	calcc.exe	powershell.exe
PID 4500 wrote to memory of 1376	4500	Launcher.exe	powershell.exe
PID 4500 wrote to memory of 1376	4500	Launcher.exe	powershell.exe
PID 4500 wrote to memory of 4068	4500	Launcher.exe	Launcher.exe
PID 4500 wrote to memory of 4068	4500	Launcher.exe	Launcher.exe
PID 4500 wrote to memory of 1620	4500	Launcher.exe	powershell.exe
PID 4500 wrote to memory of 1620	4500	Launcher.exe	powershell.exe
PID 4372 wrote to memory of 1912	4372	calcc.exe	schtasks.exe
PID 4372 wrote to memory of 1912	4372	calcc.exe	schtasks.exe
PID 4500 wrote to memory of 2244	4500	Launcher.exe	calcc.exe
PID 4500 wrote to memory of 2244	4500	Launcher.exe	calcc.exe
PID 4500 wrote to memory of 3456	4500	Launcher.exe	powershell.exe
PID 4500 wrote to memory of 3456	4500	Launcher.exe	powershell.exe
PID 4500 wrote to memory of 2488	4500	Launcher.exe	Sync Center.exe
PID 4500 wrote to memory of 2488	4500	Launcher.exe	Sync Center.exe
PID 4068 wrote to memory of 5060	4068	Launcher.exe	powershell.exe
PID 4068 wrote to memory of 5060	4068	Launcher.exe	powershell.exe
PID 4068 wrote to memory of 2004	4068	Launcher.exe	Launcher.exe
PID 4068 wrote to memory of 2004	4068	Launcher.exe	Launcher.exe
PID 4068 wrote to memory of 2268	4068	Launcher.exe	powershell.exe
PID 4068 wrote to memory of 2268	4068	Launcher.exe	powershell.exe
PID 4068 wrote to memory of 2428	4068	Launcher.exe	calcc.exe
PID 4068 wrote to memory of 2428	4068	Launcher.exe	calcc.exe
PID 4068 wrote to memory of 512	4068	Launcher.exe	powershell.exe
PID 4068 wrote to memory of 512	4068	Launcher.exe	powershell.exe
PID 4068 wrote to memory of 5112	4068	Launcher.exe	Sync Center.exe
PID 4068 wrote to memory of 5112	4068	Launcher.exe	Sync Center.exe
PID 2004 wrote to memory of 1336	2004	Launcher.exe	powershell.exe
PID 2004 wrote to memory of 1336	2004	Launcher.exe	powershell.exe
PID 2004 wrote to memory of 2948	2004	Launcher.exe	Launcher.exe
PID 2004 wrote to memory of 2948	2004	Launcher.exe	Launcher.exe
PID 2004 wrote to memory of 3036	2004	Launcher.exe	powershell.exe
PID 2004 wrote to memory of 3036	2004	Launcher.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
3⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
4⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
5⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
6⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
7⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
8⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
9⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
10⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
11⤵
- Checks computer location settings
- Adds Run key to start application
PID:4976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
12⤵
- Command and Scripting Interpreter: PowerShell
PID:1912

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
12⤵
- Checks computer location settings
- Adds Run key to start application
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
13⤵
- Command and Scripting Interpreter: PowerShell
PID:1948

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
13⤵
- Checks computer location settings
- Adds Run key to start application
PID:2200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:732

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
14⤵
- Checks computer location settings
- Adds Run key to start application
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
15⤵
- Command and Scripting Interpreter: PowerShell
PID:1616

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
15⤵
- Checks computer location settings
- Adds Run key to start application
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
16⤵
- Command and Scripting Interpreter: PowerShell
PID:3684

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
16⤵
- Checks computer location settings
- Adds Run key to start application
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
17⤵
- Command and Scripting Interpreter: PowerShell
PID:3248

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
17⤵
- Checks computer location settings
- Adds Run key to start application
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
18⤵
- Command and Scripting Interpreter: PowerShell
PID:1712

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
18⤵
- Checks computer location settings
- Adds Run key to start application
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
19⤵
- Command and Scripting Interpreter: PowerShell
PID:4476

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
19⤵
- Checks computer location settings
- Adds Run key to start application
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
20⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
20⤵
- Checks computer location settings
- Adds Run key to start application
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
21⤵
- Command and Scripting Interpreter: PowerShell
PID:2592

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
21⤵
- Checks computer location settings
- Adds Run key to start application
PID:4008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
22⤵
- Command and Scripting Interpreter: PowerShell
PID:2256

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
22⤵
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
22⤵
- Command and Scripting Interpreter: PowerShell
PID:1632

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
22⤵
- Executes dropped EXE
PID:3288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
22⤵
- Command and Scripting Interpreter: PowerShell
PID:1140

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
22⤵
- Executes dropped EXE
PID:3600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
21⤵
- Command and Scripting Interpreter: PowerShell
PID:4916

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
21⤵
- Executes dropped EXE
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
21⤵
- Command and Scripting Interpreter: PowerShell
PID:1336

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
21⤵
- Executes dropped EXE
PID:3172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
20⤵
- Command and Scripting Interpreter: PowerShell
PID:2004

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
20⤵
- Executes dropped EXE
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
20⤵
- Command and Scripting Interpreter: PowerShell
PID:3472

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
20⤵
- Executes dropped EXE
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
19⤵
- Command and Scripting Interpreter: PowerShell
PID:4272

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
19⤵
- Executes dropped EXE
PID:4500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
19⤵
- Command and Scripting Interpreter: PowerShell
PID:4328

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
19⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
18⤵
- Command and Scripting Interpreter: PowerShell
PID:3300

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
18⤵
- Executes dropped EXE
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
18⤵
- Command and Scripting Interpreter: PowerShell
PID:4928

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
18⤵
- Executes dropped EXE
PID:3316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
17⤵
- Command and Scripting Interpreter: PowerShell
PID:1336

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
17⤵
- Executes dropped EXE
PID:3172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
17⤵
- Command and Scripting Interpreter: PowerShell
PID:720

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
17⤵
- Executes dropped EXE
PID:3360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
16⤵
- Command and Scripting Interpreter: PowerShell
PID:4792

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
16⤵
- Executes dropped EXE
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
16⤵
- Command and Scripting Interpreter: PowerShell
PID:4220

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
16⤵
- Executes dropped EXE
PID:3316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
15⤵
- Command and Scripting Interpreter: PowerShell
PID:2948

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
15⤵
- Executes dropped EXE
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
15⤵
- Command and Scripting Interpreter: PowerShell
PID:3340

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
15⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:1928

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
14⤵
- Executes dropped EXE
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
14⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
14⤵
- Executes dropped EXE
PID:3752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
13⤵
- Command and Scripting Interpreter: PowerShell
PID:4792

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
13⤵
- Executes dropped EXE
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
13⤵
- Command and Scripting Interpreter: PowerShell
PID:3668

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
13⤵
- Executes dropped EXE
PID:3360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
12⤵
- Command and Scripting Interpreter: PowerShell
PID:2300

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
12⤵
- Executes dropped EXE
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
12⤵
- Command and Scripting Interpreter: PowerShell
PID:5048

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
12⤵
- Executes dropped EXE
PID:956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
PID:4644

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
11⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
PID:4636

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
11⤵
- Executes dropped EXE
PID:720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Local\Temp\calcc.exe
"C:\Users\Admin\AppData\Local\Temp\calcc.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calcc.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\calc.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calc.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "calc" /tr "C:\Users\Public\calc.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /s /t 0
3⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38a2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Launcher.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sync Center.exe.log

Filesize
1KB

MD5
19af7425f60a621adee10f759085b772

SHA1
82936a268c9b2af9f38dffa437306d19b6b088f7

SHA256
301e81a7137a0b11527e271cfc7dd554a2ecb50a38e63913debdaef2ac769396

SHA512
2e0a7a6b886d394e24fe89fe95b5af95f7b2603110101234d439864e5db0c7b8637807658fc34addb6fc2ba9c81d8100e73e36a754df68ff356f4aaedecb6de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\calcc.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ce292bb581460978c5b6a6b6c02ea99

SHA1
261d81777c16ad7a104052a3b9d719c26f55ba38

SHA256
e7fcfed5376d00e784f09167de08f1559ae2ffc5a3b3e49c10af538153d7f806

SHA512
af498881c99b46d2a0c6b42d6c96fcc405f220189843d9a4bf0cad6fcdcab29c330322041c96571fb4119fd548f0daaf2e06eabdcc844ab4f645022571116fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb5b12507f0a707644e75afe0341b009

SHA1
ff8bf799cbd23a53db973e38508af3b129294466

SHA256
ea15b7391032b3c560a1439748db31c2ba6452cbe653f5647cb73ce452204747

SHA512
8501aa2f7c89f50cf5b6dff0302453e91f72a1a9d250718c42e2abc288a2359c2a705042b483459691aa60e2bae68a4d54a17d190b5c5a50a2c9e5b74dd27d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
978b5daa0094d9fa8a2bc25ec0bca90c

SHA1
8d5cd8b8cb33aba3344395a73ccc47b258a001b0

SHA256
f662a68fd9faa9e9e41048490990a0f6955589678bda4832e91eb9a38a189c3a

SHA512
02876335964a2559ddaf4843911bded08b30badd7e376a5b1bf5ae6e7e7685cdfbfd4eb53a19a674abed6b0a65df12c4139ea70347a4c69531d790899b4e25b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7becdab2ad9e7d9ddc64007adfe686c2

SHA1
fef71543e091354d4de3a9f7bee4ccb0ee42af4f

SHA256
783470403ea42fc708f0f80a3fa5c88be41dcd378fa0d75446d39beb3275e662

SHA512
1525f9b28f5b76851e50ac904a442f6a1f6f266efabb5b9e1a69049c62ba10fe2d6976cbe9f09a1811fa737838a12665f77e860f569eba317b8344b26d318a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0226685f1147e3a1a4dcf62ad8a59da1

SHA1
146afa36fd4e06472eaf86ceaa77bdf3ade1f41c

SHA256
88c4b71603316658e178872b7e415a4b9023a0e0979661208946b97ba97ea4e6

SHA512
c83051066fe1a24be60793afd4be5e88882beb9f3975a63a64040097b2a78f99c7f24e3a0ab864bdf1ea6a9e64e7ef86fa7c7dcb558db0ea34936dfcb429dc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
29af8a435901d77d6c0a08e494fdd160

SHA1
00ee17be16d2fccd668977caab81546ddceffc5d

SHA256
8774b8e4d75d6815a0d211272e983b0094a7542d1df584f9fc880aa68283a98f

SHA512
7d3e78f5d6d73bbb37ec7ff5b97729a1e542ae6b86eb271516a02ec67eb012872337e57a418a3f7f1b1b8cfafc2bfb246f15b75eaf45ee36fc690d946d873c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b6b941796bf5525b025031b5d2e481ae

SHA1
e4a1fd49400fa5c6331287712663aa4710693c63

SHA256
66dc28a72db204abe693c9386995d316f3d22c7babf3d6c1e22e8f1bd6ef328a

SHA512
0a2d21f3a1e951d5b763c7272d1186a43885c0ccffdb798432248d4ee6e13b129f39bcab5bd565336263f88edf5fd9f713785e7f5b4139bb078384264f27b57f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0aa63dbb46d451e47a7a682c64af776d

SHA1
3b0026f2dae8e9c491ccaa40133755779de35aaa

SHA256
9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b

SHA512
4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d06ce10e4e5b9e174b5ebbdad300fad

SHA1
bcc1c231e22238cef02ae25331320060ada2f131

SHA256
87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

SHA512
38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4165c906a376e655973cef247b5128f1

SHA1
c6299b6ab8b2db841900de376e9c4d676d61131e

SHA256
fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

SHA512
15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_quko5jcm.fp4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\calcc.exe

Filesize
71KB

MD5
36686a659c023c60d85630ef9080ee34

SHA1
c26facc03073d700fc65af33eb2d8a6215f065b6

SHA256
eadd6fd65960900c14dd8e18a16348ec4c6f766e6316428f8cf659d02b43fb49

SHA512
236eab23ae8a565532ffd063a7e31ecc9aa835c63ca243c15ddba652f639dc5249589340812299e523156ac8695571877d1af78c2a481f0b2527d90aa00c3587

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk

Filesize
971B

MD5
3f00386759b93ac93c369d004d080537

SHA1
5f1cf51bf699a848e700ba81efd544cefa35d33d

SHA256
8ece40fbb45697e7d8ba47e0cd94eb78ba547401aa4365b6d2026d4de7fa4778

SHA512
c446d6dabcd17caf750b10b9cd12ee7acba6046e11a5925c08ff146186b762b62b4da87f0466e083a7e50d77c7bce8726053d6b1597cbc8d37ddd0cde84a390a

Download Submit
memory/1660-2-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/1660-0-0x00007FFEFDC73000-0x00007FFEFDC75000-memory.dmp

Filesize
8KB

Download
memory/1660-1-0x0000000000A70000-0x0000000000A96000-memory.dmp

Filesize
152KB

Download
memory/1660-66-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/1824-104-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-109-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-105-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-103-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-110-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-111-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-112-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-113-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-114-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/1824-115-0x00000188B0560000-0x00000188B0561000-memory.dmp

Filesize
4KB

Download
memory/4372-608-0x000000001BA30000-0x000000001BA3C000-memory.dmp

Filesize
48KB

Download
memory/4372-41-0x00000000001A0000-0x00000000001B8000-memory.dmp

Filesize
96KB

Download
memory/4408-14-0x000001BBA7760000-0x000001BBA7782000-memory.dmp

Filesize
136KB

Download
memory/4408-3-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/4408-4-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/4408-17-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/4824-65-0x0000000000A30000-0x0000000000A54000-memory.dmp

Filesize
144KB

Download