phemedrone | 3499997283c0c1dd38ffcfdc2303c5c7ddfa4e946c51725b3b754f53780519ed

Analysis

max time kernel
67s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 17:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

391KB
MD5

bdd5d27003b233535879ec0f2573332d
SHA1

3ccfe1d152315f62b8b103e1876f554af55f272f
SHA256

3499997283c0c1dd38ffcfdc2303c5c7ddfa4e946c51725b3b754f53780519ed
SHA512

d75a07bed98d1181cdb522cb1d20bacde81d3db7b3825edd1a2aa4c02a88bb61c4501c8d48d4d7a3a84f3ea318f7efb95636bf716bed321fba3dd3b34f80e706
SSDEEP

12288:ZKMLC9Cdzw50KaA07u06ZMLzq2XNHJUX:MFCdzyFf0R6ZMxNHJM

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121

Attributes

Install_directory
%Public%
install_file
calc.exe

Extracted

Family

phemedrone

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\calcc.exe	family_xworm
behavioral1/memory/4668-43-0x0000000000910000-0x0000000000928000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 62 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2676	powershell.exe
2312	powershell.exe
1252	powershell.exe
2620	powershell.exe
848	powershell.exe
2312	powershell.exe
2248	powershell.exe
3068	powershell.exe
2496	powershell.exe
3896	powershell.exe
2908	powershell.exe
4476	powershell.exe
2544	powershell.exe
3260	powershell.exe
360	powershell.exe
2272	powershell.exe
2820	powershell.exe
360	powershell.exe
3196	powershell.exe
1272	powershell.exe
2444	powershell.exe
1704	powershell.exe
848	powershell.exe
1436	powershell.exe
432	powershell.exe
876	powershell.exe
1820	powershell.exe
4160	powershell.exe
1476	powershell.exe
2880	powershell.exe
2888	powershell.exe
4316	powershell.exe
2184	powershell.exe
4940	powershell.exe
4316	powershell.exe
4932	powershell.exe
1048	powershell.exe
840	powershell.exe
384	powershell.exe
4736	powershell.exe
3512	powershell.exe
2880	powershell.exe
4664	powershell.exe
1360	powershell.exe
4168	powershell.exe
4308	powershell.exe
3956	powershell.exe
4224	powershell.exe
2308	powershell.exe
2932	powershell.exe
3528	powershell.exe
3484	powershell.exe
3308	powershell.exe
2544	powershell.exe
1584	powershell.exe
3832	powershell.exe
2484	powershell.exe
3864	powershell.exe
3816	powershell.exe
2464	powershell.exe
1180	powershell.exe
2404	powershell.exe

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.execalcc.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exeBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	calcc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Drops startup file 2 IoCs

Processes:

calcc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk	calcc.exe

Executes dropped EXE 39 IoCs

Processes:

calcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalc.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.execalcc.exeSync Center.exe

pid	process
4668	calcc.exe
4612	Sync Center.exe
3768	calcc.exe
1036	Sync Center.exe
680	calcc.exe
2928	Sync Center.exe
612	calcc.exe
3764	Sync Center.exe
4312	calc.exe
2932	calcc.exe
4316	Sync Center.exe
2484	calcc.exe
3172	Sync Center.exe
2068	calcc.exe
4308	Sync Center.exe
4956	calcc.exe
1072	Sync Center.exe
4424	calcc.exe
1964	Sync Center.exe
2004	calcc.exe
3456	Sync Center.exe
1608	calcc.exe
3132	Sync Center.exe
4488	calcc.exe
2960	Sync Center.exe
3652	calcc.exe
3896	Sync Center.exe
4832	calcc.exe
2004	Sync Center.exe
4312	calcc.exe
3424	Sync Center.exe
3996	calcc.exe
2324	Sync Center.exe
2076	calcc.exe
1928	Sync Center.exe
2068	calcc.exe
3632	Sync Center.exe
2320	calcc.exe
3380	Sync Center.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

calcc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc = "C:\\Users\\Public\\calc.exe"	calcc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com
107 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
23	ip-api.com
107	ip-api.com

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "91"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1072 schtasks.exe

pid	process
1072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exe

pid	process
3512	powershell.exe
3512	powershell.exe
2888	powershell.exe
2888	powershell.exe
840	powershell.exe
840	powershell.exe
4612	Sync Center.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
2404	powershell.exe
2404	powershell.exe
2404	powershell.exe
2248	powershell.exe
2248	powershell.exe
2248	powershell.exe
1036	Sync Center.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe
384	powershell.exe
384	powershell.exe
384	powershell.exe
2312	powershell.exe
2312	powershell.exe
2312	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
876	powershell.exe
876	powershell.exe
876	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
2928	Sync Center.exe
2928	Sync Center.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
1820	powershell.exe
1820	powershell.exe
1820	powershell.exe
3764	Sync Center.exe
3764	Sync Center.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
3816	powershell.exe
3816	powershell.exe
3816	powershell.exe
4316	Sync Center.exe
4316	Sync Center.exe
1584	powershell.exe
1584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Bootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.execalc.exeBootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.execalcc.exepowershell.exeSync Center.exeBootstrapper.exepowershell.exepowershell.execalcc.exe

description	pid	process
Token: SeDebugPrivilege	3468	Bootstrapper.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	4668	calcc.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	4612	Sync Center.exe
Token: SeDebugPrivilege	1096	Bootstrapper.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3768	calcc.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1036	Sync Center.exe
Token: SeDebugPrivilege	3088	Bootstrapper.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	680	calcc.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	2928	Sync Center.exe
Token: SeDebugPrivilege	4668	calcc.exe
Token: SeDebugPrivilege	864	Bootstrapper.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	612	calcc.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	3764	Sync Center.exe
Token: SeDebugPrivilege	4312	calc.exe
Token: SeDebugPrivilege	4052	Bootstrapper.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2932	calcc.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	4316	Sync Center.exe
Token: SeDebugPrivilege	4588	Bootstrapper.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	2484	calcc.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3172	Sync Center.exe
Token: SeDebugPrivilege	1636	Bootstrapper.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	2068	calcc.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4308	Sync Center.exe
Token: SeDebugPrivilege	4128	Bootstrapper.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4956	calcc.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	1072	Sync Center.exe
Token: SeDebugPrivilege	2912	Bootstrapper.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	4424	calcc.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1964	Sync Center.exe
Token: SeDebugPrivilege	3632	Bootstrapper.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2004	calcc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2368 LogonUI.exe

pid	process
2368	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Bootstrapper.exeBootstrapper.execalcc.exeBootstrapper.exeBootstrapper.exeBootstrapper.exe

description	pid	process	target process
PID 3468 wrote to memory of 3512	3468	Bootstrapper.exe	powershell.exe
PID 3468 wrote to memory of 3512	3468	Bootstrapper.exe	powershell.exe
PID 3468 wrote to memory of 1096	3468	Bootstrapper.exe	Bootstrapper.exe
PID 3468 wrote to memory of 1096	3468	Bootstrapper.exe	Bootstrapper.exe
PID 3468 wrote to memory of 2888	3468	Bootstrapper.exe	powershell.exe
PID 3468 wrote to memory of 2888	3468	Bootstrapper.exe	powershell.exe
PID 3468 wrote to memory of 4668	3468	Bootstrapper.exe	calcc.exe
PID 3468 wrote to memory of 4668	3468	Bootstrapper.exe	calcc.exe
PID 3468 wrote to memory of 840	3468	Bootstrapper.exe	powershell.exe
PID 3468 wrote to memory of 840	3468	Bootstrapper.exe	powershell.exe
PID 3468 wrote to memory of 4612	3468	Bootstrapper.exe	Sync Center.exe
PID 3468 wrote to memory of 4612	3468	Bootstrapper.exe	Sync Center.exe
PID 1096 wrote to memory of 2308	1096	Bootstrapper.exe	powershell.exe
PID 1096 wrote to memory of 2308	1096	Bootstrapper.exe	powershell.exe
PID 1096 wrote to memory of 3088	1096	Bootstrapper.exe	Bootstrapper.exe
PID 1096 wrote to memory of 3088	1096	Bootstrapper.exe	Bootstrapper.exe
PID 1096 wrote to memory of 2404	1096	Bootstrapper.exe	powershell.exe
PID 1096 wrote to memory of 2404	1096	Bootstrapper.exe	powershell.exe
PID 1096 wrote to memory of 3768	1096	Bootstrapper.exe	calcc.exe
PID 1096 wrote to memory of 3768	1096	Bootstrapper.exe	calcc.exe
PID 1096 wrote to memory of 2248	1096	Bootstrapper.exe	powershell.exe
PID 1096 wrote to memory of 2248	1096	Bootstrapper.exe	powershell.exe
PID 1096 wrote to memory of 1036	1096	Bootstrapper.exe	Sync Center.exe
PID 1096 wrote to memory of 1036	1096	Bootstrapper.exe	Sync Center.exe
PID 4668 wrote to memory of 2880	4668	calcc.exe	powershell.exe
PID 4668 wrote to memory of 2880	4668	calcc.exe	powershell.exe
PID 4668 wrote to memory of 384	4668	calcc.exe	powershell.exe
PID 4668 wrote to memory of 384	4668	calcc.exe	powershell.exe
PID 3088 wrote to memory of 2312	3088	Bootstrapper.exe	powershell.exe
PID 3088 wrote to memory of 2312	3088	Bootstrapper.exe	powershell.exe
PID 4668 wrote to memory of 3864	4668	calcc.exe	powershell.exe
PID 4668 wrote to memory of 3864	4668	calcc.exe	powershell.exe
PID 3088 wrote to memory of 864	3088	Bootstrapper.exe	Bootstrapper.exe
PID 3088 wrote to memory of 864	3088	Bootstrapper.exe	Bootstrapper.exe
PID 3088 wrote to memory of 876	3088	Bootstrapper.exe	powershell.exe
PID 3088 wrote to memory of 876	3088	Bootstrapper.exe	powershell.exe
PID 4668 wrote to memory of 432	4668	calcc.exe	powershell.exe
PID 4668 wrote to memory of 432	4668	calcc.exe	powershell.exe
PID 3088 wrote to memory of 680	3088	Bootstrapper.exe	calcc.exe
PID 3088 wrote to memory of 680	3088	Bootstrapper.exe	calcc.exe
PID 3088 wrote to memory of 4316	3088	Bootstrapper.exe	powershell.exe
PID 3088 wrote to memory of 4316	3088	Bootstrapper.exe	powershell.exe
PID 3088 wrote to memory of 2928	3088	Bootstrapper.exe	Sync Center.exe
PID 3088 wrote to memory of 2928	3088	Bootstrapper.exe	Sync Center.exe
PID 4668 wrote to memory of 1072	4668	calcc.exe	schtasks.exe
PID 4668 wrote to memory of 1072	4668	calcc.exe	schtasks.exe
PID 864 wrote to memory of 2484	864	Bootstrapper.exe	powershell.exe
PID 864 wrote to memory of 2484	864	Bootstrapper.exe	powershell.exe
PID 864 wrote to memory of 4052	864	Bootstrapper.exe	Bootstrapper.exe
PID 864 wrote to memory of 4052	864	Bootstrapper.exe	Bootstrapper.exe
PID 864 wrote to memory of 1704	864	Bootstrapper.exe	powershell.exe
PID 864 wrote to memory of 1704	864	Bootstrapper.exe	powershell.exe
PID 864 wrote to memory of 612	864	Bootstrapper.exe	calcc.exe
PID 864 wrote to memory of 612	864	Bootstrapper.exe	calcc.exe
PID 864 wrote to memory of 1820	864	Bootstrapper.exe	powershell.exe
PID 864 wrote to memory of 1820	864	Bootstrapper.exe	powershell.exe
PID 864 wrote to memory of 3764	864	Bootstrapper.exe	Sync Center.exe
PID 864 wrote to memory of 3764	864	Bootstrapper.exe	Sync Center.exe
PID 4052 wrote to memory of 3196	4052	Bootstrapper.exe	powershell.exe
PID 4052 wrote to memory of 3196	4052	Bootstrapper.exe	powershell.exe
PID 4052 wrote to memory of 4588	4052	Bootstrapper.exe	Bootstrapper.exe
PID 4052 wrote to memory of 4588	4052	Bootstrapper.exe	Bootstrapper.exe
PID 4052 wrote to memory of 2820	4052	Bootstrapper.exe	powershell.exe
PID 4052 wrote to memory of 2820	4052	Bootstrapper.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
      - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        6⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        8⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        10⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        11⤵
        Checks computer location settings
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        12⤵
        Checks computer location settings
        
        PID:4312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        13⤵
        Checks computer location settings
        
        PID:3996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        14⤵
        Checks computer location settings
        
        PID:3776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        15⤵
        Checks computer location settings
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        16⤵
        Checks computer location settings
        
        PID:2268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        17⤵
        Checks computer location settings
        
        PID:1248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        18⤵
        Checks computer location settings
        
        PID:4052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        19⤵
        Checks computer location settings
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        20⤵
        Checks computer location settings
        
        PID:248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        20⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        20⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        19⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        19⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        18⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        18⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        17⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        17⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        16⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        16⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        15⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        15⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        14⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        14⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        13⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        13⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        12⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        12⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        11⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
      - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\calcc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:876
  - - C:\Users\Admin\AppData\Local\Temp\calcc.exe
      "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4316
  - - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
      "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\calcc.exe
    "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
    "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\calcc.exe
  "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calcc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\calc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calc.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:432
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "calc" /tr "C:\Users\Public\calc.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
  "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4612

C:\Users\Public\calc.exe
C:\Users\Public\calc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f1055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sync Center.exe.log

Filesize
1KB

MD5
d7e08a6cf500fe5ab87b41795962ee19

SHA1
dd08782055e3e72f7a8c14ee8a27953825b18c6a

SHA256
e74f68eef03565053effbbfb8a786c8858edea751f40cd8c1030ca673f6ba161

SHA512
d4d694cde80f00642174c564969c228ae69dd31707b8e9cf52b5564b98b34d1c20857fddfeff66b597bab150be18b8166425f6cc1001c6154ba77611f0bec4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\calcc.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fc44f25fc7275fc3d7518362df1d1d98

SHA1
88d0dba20581ad94eebfc2a2fc7a4419870f15ed

SHA256
7b469920f78768e819550eca02666231e97c447b8b01c7a3743d7945dd607e9a

SHA512
9a07c91bd1aeb85d285bc94ce09cd0eb532eb06062872d917b405a221c253775a92d2e98547f3ad3df494cc8a169b6d521e1a2d69c3948b0a3dacd092debaf60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5fbb56518e82d1b1e5ef6be3b6693880

SHA1
4e7671d0193b6f640d81b3fb91ac17ca67e0632b

SHA256
760d5623e712e53485c80330b3e2567577ffcf9397a94c3085bd1999f4650a40

SHA512
ff2fff83f094820da4157c907be06039dcc58b1a23e867ba58c0c3f40d8bbd90022161dc3d77c082a765f7f4104f683be995b994183d1899c73bd9131fe614d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2ea91e7d1b473f8290ae52d13e105194

SHA1
5e565d99a7733250427e70f5f6e1951a081deed6

SHA256
712db2b991a3c11ccd71b36cfe99fad0b5b1eb1026b12d28c35a43334128671a

SHA512
0d6e2f0f8963986cb27a5cb853c5a87af5d2b65142ff082b4a12681b467d4a72efbcaea71307513523915aa4f27e7b238c67f4ab563f69525938f38253599424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04114c0529b116bf66d764ff6a5a8fe3

SHA1
0caeff17d1b2190f76c9bf539105f6c40c92bd14

SHA256
fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532

SHA512
6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
118d5649311b514db219f613211e13a9

SHA1
485cc05e7072d26bf8226062ba1c578d7b30e1c4

SHA256
4fff6897c69cc3e8b9ae3da4d3c221ecbf329a4112d85cb346a4d413b70581dd

SHA512
b458d6703bde28f5d870542c852ad5990592a7a186eb7b4da83b475a94e2d2cdb1105b27d86414708dc613aad902937601d76cedad8304832c4d59ac1c088db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
367da361d214538015b4dba19126ffab

SHA1
0f3b71fc77b6021c8a2523c283d773b5c275f000

SHA256
c26f0f8ae25a52931b7ca924e9e3fff5d0a63b96f78c178f2eebf864ec0e998b

SHA512
26a7c2ed414a5657d6464920854b88c1beec5f7d1b37b58e9fcc4145dd76d94f2bef642a64496f7ee011dfa52d9527caf4cf8a19d6e3acfb266f1101a06cb134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7aaabbabed1e03e27f0fc866977c8233

SHA1
3674b1b903897a04ab60f4d2fab67dc68c8ef1c6

SHA256
afbd524eb67d6bd11320545d9992cde053a81467c26500607c9dfedfc54eb8c4

SHA512
dd3f6e176b3b2521b82cdea1516b1a442967424a961511cf3d5dd8406c3a37b84642364558eee1c90d560c62dd88f14d5504077a081d8fb09a9a2d23d20088d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zimefi3.yl2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\calcc.exe

Filesize
71KB

MD5
36686a659c023c60d85630ef9080ee34

SHA1
c26facc03073d700fc65af33eb2d8a6215f065b6

SHA256
eadd6fd65960900c14dd8e18a16348ec4c6f766e6316428f8cf659d02b43fb49

SHA512
236eab23ae8a565532ffd063a7e31ecc9aa835c63ca243c15ddba652f639dc5249589340812299e523156ac8695571877d1af78c2a481f0b2527d90aa00c3587

Download Submit
memory/3468-2-0x00007FF8F2950000-0x00007FF8F3411000-memory.dmp

Filesize
10.8MB

Download
memory/3468-1-0x00000000000F0000-0x0000000000158000-memory.dmp

Filesize
416KB

Download
memory/3468-0-0x00007FF8F2953000-0x00007FF8F2955000-memory.dmp

Filesize
8KB

Download
memory/3468-68-0x00007FF8F2950000-0x00007FF8F3411000-memory.dmp

Filesize
10.8MB

Download
memory/3512-3-0x00007FF8F2950000-0x00007FF8F3411000-memory.dmp

Filesize
10.8MB

Download
memory/3512-4-0x00007FF8F2950000-0x00007FF8F3411000-memory.dmp

Filesize
10.8MB

Download
memory/3512-10-0x00000193F73D0000-0x00000193F73F2000-memory.dmp

Filesize
136KB

Download
memory/3512-15-0x00007FF8F2950000-0x00007FF8F3411000-memory.dmp

Filesize
10.8MB

Download
memory/3512-16-0x00007FF8F2950000-0x00007FF8F3411000-memory.dmp

Filesize
10.8MB

Download
memory/3512-19-0x00007FF8F2950000-0x00007FF8F3411000-memory.dmp

Filesize
10.8MB

Download
memory/4612-67-0x0000000000E30000-0x0000000000E54000-memory.dmp

Filesize
144KB

Download
memory/4668-43-0x0000000000910000-0x0000000000928000-memory.dmp

Filesize
96KB

Download
memory/4668-657-0x000000001CEB0000-0x000000001CEBC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads