dcrat | 22de9a0aef3424a7ad95dfab9b8cfa8275e02083db45647aa8a953a2a6393007

Analysis

max time kernel
92s
max time network
115s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-11-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper (1).exe
Size

4.5MB
MD5

7c4f42168b6b77b79cec709462d83822
SHA1

fe554500b94cb7e3b3ecb373fbbfec6bdf9228df
SHA256

22de9a0aef3424a7ad95dfab9b8cfa8275e02083db45647aa8a953a2a6393007
SHA512

2b8103bdc5ef177527c5b9889517c004f3d50fd534cd7cd180556ae348bebf16e471459205800932aa3230987d82060e79b9be78aa9a5bbb50d93b6ac5e58a4b
SSDEEP

98304:VxkPiumssqzvNazqd81WLyWesy7flqtWRa:kKnsL7Ld1LTehbnR

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5748	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5452	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5280	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	220	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	220	schtasks.exe	89

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00290000000450dd-24.dat	dcrat
behavioral1/files/0x00280000000450e0-145.dat	dcrat
behavioral1/memory/4944-147-0x0000000000DB0000-0x000000000100A000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 50 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3472	powershell.exe
5964	powershell.exe
5112	powershell.exe
5232	powershell.exe
5944	powershell.exe
3236	powershell.exe
3140	powershell.exe
6044	powershell.exe
2820	powershell.exe
5296	powershell.exe
4904	powershell.exe
3140	powershell.exe
2108	powershell.exe
2236	powershell.exe
6052	powershell.exe
5184	powershell.exe
5928	powershell.exe
2004	powershell.exe
5388	powershell.exe
2556	powershell.exe
4148	powershell.exe
4924	powershell.exe
3236	powershell.exe
5780	powershell.exe
2588	powershell.exe
1168	powershell.exe
3236	powershell.exe
2172	powershell.exe
5956	powershell.exe
5028	powershell.exe
5080	powershell.exe
3912	powershell.exe
5308	powershell.exe
5180	powershell.exe
6112	powershell.exe
2548	powershell.exe
952	powershell.exe
5560	powershell.exe
1136	powershell.exe
4548	powershell.exe
4072	powershell.exe
4004	powershell.exe
3060	powershell.exe
1208	powershell.exe
3128	powershell.exe
924	powershell.exe
708	powershell.exe
4976	powershell.exe
3992	powershell.exe
4560	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 54 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	dllsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	builddcra.exe

Executes dropped EXE 54 IoCs

pid	Process
5768	builddcra.exe
6056	Bootstrapper.exe
4576	builddcra.exe
5560	Bootstrapper.exe
2040	builddcra.exe
2820	Bootstrapper.exe
4944	dllsvc.exe
3140	builddcra.exe
1140	cmd.exe
2328	Bootstrapper.exe
5864	dllsvc.exe
1308	builddcra.exe
2924	Bootstrapper.exe
2800	dllsvc.exe
5536	builddcra.exe
1144	Bootstrapper.exe
5208	dllsvc.exe
5052	builddcra.exe
6028	Bootstrapper.exe
2624	dllsvc.exe
5448	builddcra.exe
2696	Bootstrapper.exe
1700	dllsvc.exe
3628	builddcra.exe
4292	dllsvc.exe
5536	Bootstrapper.exe
2472	builddcra.exe
5188	dllsvc.exe
2464	Bootstrapper.exe
5180	builddcra.exe
1864	Bootstrapper.exe
4896	dllsvc.exe
2748	builddcra.exe
5260	Bootstrapper.exe
4708	dllsvc.exe
4496	builddcra.exe
3676	Bootstrapper.exe
2816	dllsvc.exe
5924	builddcra.exe
4684	dllsvc.exe
3140	Bootstrapper.exe
744	builddcra.exe
3396	dllsvc.exe
4748	Bootstrapper.exe
1616	builddcra.exe
1628	Bootstrapper.exe
1232	dllsvc.exe
1132	builddcra.exe
3348	Bootstrapper.exe
6076	dllsvc.exe
928	builddcra.exe
5176	Bootstrapper.exe
5908	dllsvc.exe
1612	builddcra.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\Bootstrapper.exe	dllsvc.exe
File created	C:\Program Files (x86)\Windows Mail\b8014f78f41eb1	dllsvc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\RuntimeBroker.exe	dllsvc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\9e8d7a4ca61bd9	dllsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\uk-UA\RuntimeBroker.exe	dllsvc.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\uk-UA\9e8d7a4ca61bd9	dllsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\dllsvc.exe	dllsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	builddcra.exe

Modifies registry key 1 TTPs 21 IoCs

Modify Registry

T1112

pid	Process
1144	reg.exe
2296	reg.exe
5156	reg.exe
2044	reg.exe
3148	reg.exe
1528	reg.exe
5072	reg.exe
5840	reg.exe
1996	reg.exe
6000	reg.exe
5500	reg.exe
1388	reg.exe
6028	reg.exe
440	reg.exe
2400	reg.exe
5124	reg.exe
5948	reg.exe
5096	reg.exe
1268	reg.exe
2148	reg.exe
1184	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
464	schtasks.exe
1612	schtasks.exe
1208	schtasks.exe
2388	schtasks.exe
1720	schtasks.exe
4816	schtasks.exe
4488	schtasks.exe
3452	schtasks.exe
972	schtasks.exe
232	schtasks.exe
2524	schtasks.exe
224	schtasks.exe
5280	schtasks.exe
6108	schtasks.exe
5452	schtasks.exe
4712	schtasks.exe
4708	schtasks.exe
5024	schtasks.exe
4072	schtasks.exe
6088	schtasks.exe
4836	schtasks.exe
2832	schtasks.exe
4976	schtasks.exe
5076	schtasks.exe
1824	schtasks.exe
2096	schtasks.exe
4648	schtasks.exe
5096	schtasks.exe
2376	schtasks.exe
5748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	powershell.exe
5028	powershell.exe
5112	powershell.exe
5112	powershell.exe
3128	powershell.exe
3128	powershell.exe
5780	powershell.exe
5780	powershell.exe
5080	powershell.exe
5080	powershell.exe
5184	powershell.exe
5184	powershell.exe
5232	powershell.exe
5232	powershell.exe
4944	dllsvc.exe
4944	dllsvc.exe
4944	dllsvc.exe
924	powershell.exe
924	powershell.exe
924	powershell.exe
1140	cmd.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
6044	powershell.exe
6044	powershell.exe
6044	powershell.exe
5928	powershell.exe
5928	powershell.exe
5928	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
5944	powershell.exe
5944	powershell.exe
5944	powershell.exe
3236	powershell.exe
3236	powershell.exe
3236	powershell.exe
5560	powershell.exe
5560	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1168	powershell.exe
1168	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
4548	powershell.exe
4548	powershell.exe
5308	powershell.exe
5308	powershell.exe
5308	powershell.exe
5296	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeIncreaseQuotaPrivilege	5028	powershell.exe
Token: SeSecurityPrivilege	5028	powershell.exe
Token: SeTakeOwnershipPrivilege	5028	powershell.exe
Token: SeLoadDriverPrivilege	5028	powershell.exe
Token: SeSystemProfilePrivilege	5028	powershell.exe
Token: SeSystemtimePrivilege	5028	powershell.exe
Token: SeProfSingleProcessPrivilege	5028	powershell.exe
Token: SeIncBasePriorityPrivilege	5028	powershell.exe
Token: SeCreatePagefilePrivilege	5028	powershell.exe
Token: SeBackupPrivilege	5028	powershell.exe
Token: SeRestorePrivilege	5028	powershell.exe
Token: SeShutdownPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeSystemEnvironmentPrivilege	5028	powershell.exe
Token: SeRemoteShutdownPrivilege	5028	powershell.exe
Token: SeUndockPrivilege	5028	powershell.exe
Token: SeManageVolumePrivilege	5028	powershell.exe
Token: 33	5028	powershell.exe
Token: 34	5028	powershell.exe
Token: 35	5028	powershell.exe
Token: 36	5028	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeIncreaseQuotaPrivilege	5112	powershell.exe
Token: SeSecurityPrivilege	5112	powershell.exe
Token: SeTakeOwnershipPrivilege	5112	powershell.exe
Token: SeLoadDriverPrivilege	5112	powershell.exe
Token: SeSystemProfilePrivilege	5112	powershell.exe
Token: SeSystemtimePrivilege	5112	powershell.exe
Token: SeProfSingleProcessPrivilege	5112	powershell.exe
Token: SeIncBasePriorityPrivilege	5112	powershell.exe
Token: SeCreatePagefilePrivilege	5112	powershell.exe
Token: SeBackupPrivilege	5112	powershell.exe
Token: SeRestorePrivilege	5112	powershell.exe
Token: SeShutdownPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeSystemEnvironmentPrivilege	5112	powershell.exe
Token: SeRemoteShutdownPrivilege	5112	powershell.exe
Token: SeUndockPrivilege	5112	powershell.exe
Token: SeManageVolumePrivilege	5112	powershell.exe
Token: 33	5112	powershell.exe
Token: 34	5112	powershell.exe
Token: 35	5112	powershell.exe
Token: 36	5112	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	powershell.exe
Token: SeSecurityPrivilege	3128	powershell.exe
Token: SeTakeOwnershipPrivilege	3128	powershell.exe
Token: SeLoadDriverPrivilege	3128	powershell.exe
Token: SeSystemProfilePrivilege	3128	powershell.exe
Token: SeSystemtimePrivilege	3128	powershell.exe
Token: SeProfSingleProcessPrivilege	3128	powershell.exe
Token: SeIncBasePriorityPrivilege	3128	powershell.exe
Token: SeCreatePagefilePrivilege	3128	powershell.exe
Token: SeBackupPrivilege	3128	powershell.exe
Token: SeRestorePrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeSystemEnvironmentPrivilege	3128	powershell.exe
Token: SeRemoteShutdownPrivilege	3128	powershell.exe
Token: SeUndockPrivilege	3128	powershell.exe
Token: SeManageVolumePrivilege	3128	powershell.exe
Token: 33	3128	powershell.exe
Token: 34	3128	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 5028	4544	Bootstrapper (1).exe	83
PID 4544 wrote to memory of 5028	4544	Bootstrapper (1).exe	83
PID 4544 wrote to memory of 5768	4544	Bootstrapper (1).exe	90
PID 4544 wrote to memory of 5768	4544	Bootstrapper (1).exe	90
PID 4544 wrote to memory of 5768	4544	Bootstrapper (1).exe	90
PID 4544 wrote to memory of 5112	4544	Bootstrapper (1).exe	91
PID 4544 wrote to memory of 5112	4544	Bootstrapper (1).exe	91
PID 4544 wrote to memory of 6056	4544	Bootstrapper (1).exe	93
PID 4544 wrote to memory of 6056	4544	Bootstrapper (1).exe	93
PID 5768 wrote to memory of 4388	5768	builddcra.exe	94
PID 5768 wrote to memory of 4388	5768	builddcra.exe	94
PID 5768 wrote to memory of 4388	5768	builddcra.exe	94
PID 6056 wrote to memory of 3128	6056	Bootstrapper.exe	96
PID 6056 wrote to memory of 3128	6056	Bootstrapper.exe	96
PID 6056 wrote to memory of 4576	6056	Bootstrapper.exe	100
PID 6056 wrote to memory of 4576	6056	Bootstrapper.exe	100
PID 6056 wrote to memory of 4576	6056	Bootstrapper.exe	100
PID 6056 wrote to memory of 5780	6056	Bootstrapper.exe	101
PID 6056 wrote to memory of 5780	6056	Bootstrapper.exe	101
PID 4576 wrote to memory of 5564	4576	builddcra.exe	103
PID 4576 wrote to memory of 5564	4576	builddcra.exe	103
PID 4576 wrote to memory of 5564	4576	builddcra.exe	103
PID 6056 wrote to memory of 5560	6056	Bootstrapper.exe	104
PID 6056 wrote to memory of 5560	6056	Bootstrapper.exe	104
PID 5560 wrote to memory of 5080	5560	Bootstrapper.exe	105
PID 5560 wrote to memory of 5080	5560	Bootstrapper.exe	105
PID 5560 wrote to memory of 2040	5560	Bootstrapper.exe	107
PID 5560 wrote to memory of 2040	5560	Bootstrapper.exe	107
PID 5560 wrote to memory of 2040	5560	Bootstrapper.exe	107
PID 5560 wrote to memory of 5184	5560	Bootstrapper.exe	108
PID 5560 wrote to memory of 5184	5560	Bootstrapper.exe	108
PID 2040 wrote to memory of 5032	2040	builddcra.exe	110
PID 2040 wrote to memory of 5032	2040	builddcra.exe	110
PID 2040 wrote to memory of 5032	2040	builddcra.exe	110
PID 5560 wrote to memory of 2820	5560	Bootstrapper.exe	111
PID 5560 wrote to memory of 2820	5560	Bootstrapper.exe	111
PID 4388 wrote to memory of 2156	4388	WScript.exe	112
PID 4388 wrote to memory of 2156	4388	WScript.exe	112
PID 4388 wrote to memory of 2156	4388	WScript.exe	112
PID 2156 wrote to memory of 4944	2156	cmd.exe	114
PID 2156 wrote to memory of 4944	2156	cmd.exe	114
PID 2820 wrote to memory of 5232	2820	Bootstrapper.exe	115
PID 2820 wrote to memory of 5232	2820	Bootstrapper.exe	115
PID 2820 wrote to memory of 3140	2820	Bootstrapper.exe	142
PID 2820 wrote to memory of 3140	2820	Bootstrapper.exe	142
PID 2820 wrote to memory of 3140	2820	Bootstrapper.exe	142
PID 2820 wrote to memory of 924	2820	Bootstrapper.exe	143
PID 2820 wrote to memory of 924	2820	Bootstrapper.exe	143
PID 3140 wrote to memory of 3120	3140	builddcra.exe	150
PID 3140 wrote to memory of 3120	3140	builddcra.exe	150
PID 3140 wrote to memory of 3120	3140	builddcra.exe	150
PID 4944 wrote to memory of 1140	4944	dllsvc.exe	151
PID 4944 wrote to memory of 1140	4944	dllsvc.exe	151
PID 2156 wrote to memory of 6028	2156	cmd.exe	152
PID 2156 wrote to memory of 6028	2156	cmd.exe	152
PID 2156 wrote to memory of 6028	2156	cmd.exe	152
PID 2820 wrote to memory of 2328	2820	Bootstrapper.exe	153
PID 2820 wrote to memory of 2328	2820	Bootstrapper.exe	153
PID 5564 wrote to memory of 904	5564	WScript.exe	154
PID 5564 wrote to memory of 904	5564	WScript.exe	154
PID 5564 wrote to memory of 904	5564	WScript.exe	154
PID 904 wrote to memory of 5864	904	cmd.exe	156
PID 904 wrote to memory of 5864	904	cmd.exe	156
PID 2328 wrote to memory of 2588	2328	Bootstrapper.exe	157

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\builddcra.exe
  "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5768
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4944
      - C:\Users\Default User\cmd.exe
        
        "C:\Users\Default User\cmd.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        System policy modification
        
        PID:1140
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:6056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
    "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        6⤵
        Executes dropped EXE
        
        PID:5864
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5780
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
      "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        7⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5232
    - - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        8⤵
        Executes dropped EXE
        
        PID:5208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
    - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        9⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        10⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        11⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        12⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:1184
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        13⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5560
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        12⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        14⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        14⤵
        Modifies registry key
        
        PID:5124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        13⤵
        Checks computer location settings
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        15⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        14⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        16⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        16⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        15⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        17⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        16⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        18⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        18⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        17⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        19⤵
        Executes dropped EXE
        
        PID:6076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        Modifies registry key
        
        PID:5156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        18⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        20⤵
        Executes dropped EXE
        
        PID:5908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        20⤵
        Modifies registry key
        
        PID:6000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        20⤵
        
        PID:64
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        21⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        Modifies registry key
        
        PID:5500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        21⤵
        
        PID:3068
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        22⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        22⤵
        Modifies registry key
        
        PID:1388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        20⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        21⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        22⤵
        
        PID:5248
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        23⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        Modifies registry key
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        20⤵
        
        PID:1176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        21⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        22⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        23⤵
        
        PID:2456
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        24⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        24⤵
        Modifies registry key
        
        PID:5096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        21⤵
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        22⤵
        
        PID:224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        23⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        24⤵
        
        PID:5176
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        25⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        Modifies registry key
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        22⤵
        
        PID:4884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        23⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        24⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        25⤵
        
        PID:1292
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        26⤵
        
        PID:3628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        23⤵
        
        PID:3040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        24⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        25⤵
        
        PID:6036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        24⤵
        
        PID:6080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        25⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        26⤵
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        25⤵
        
        PID:5964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        26⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        27⤵
        
        PID:252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Bootstrapper.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bootstrapper" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Bootstrapper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Bootstrapper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\comperf\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\comperf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\comperf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\bin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\bin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk-1.8\bin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\uk-UA\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\Bootstrapper.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bootstrapper" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Bootstrapper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BootstrapperB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\Bootstrapper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\comperf\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\comperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\comperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Downloads\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllsvc.exe.log

Filesize
1KB

MD5
61405cd7cb2bca4dfa54e14d1654ed7c

SHA1
bfc9618fcb1c1e0b7f0f7b3be5a6bd1a93bb992b

SHA256
fe0cfcd7729f9a68f46afcb3b105fdf637099b6043a41d9a27ed9bb5b281826a

SHA512
5f705e9b17b94515f19c2b7da03d7af6e4a08032f1fad1b3d1e1a73b8a0c68b105cb964b9f66016dc9a7abac1ed83c21a29bdcda6efd734f4e0594aef34da733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a180160461270886e84f88a3f52d5909

SHA1
f7e75d6ccfc2608e1c5b811be339377938f394fb

SHA256
da083f8768ac9145a807e0e711a10b573700a0ccda37b888faf311ff0bef6ce5

SHA512
0f2abfd5908fb97be5796fff5e19f957ac6a34fe9f8a1f97f537d3fcc6cf3b09d43d0ad945ad02ffbef287122af5ea704490138a4630ad9cc82cc620b7e2139d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1850b4d1d958b9bc9ce7a2affc90629

SHA1
35eec79e235d17968ededb4a78811351e56ac12b

SHA256
9707d903fc879a939f3dca6f1a42cc06f3968be097cdd20f67b8a26ff100e481

SHA512
c4f48ead5347e58f40411d836b64261c3e176946437da0f9435ea66371a4bdeb16bc50ecb566f8f63e2cdb1aacceeac914fe031706b37846358c6c4dc371265d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38ca1a109e14171bd3a3a8a1cec17399

SHA1
1564aeca3bbf2eaacd775e7026b1e4f8942d9118

SHA256
ba0f9fc15a3eec415f1d9f9f9b9638c60f24aecc14062493b20cdb98e1dd0ea1

SHA512
cada941969630d3baef3003e2bf46cff50a1fc242616292d275006c4fb8b641848e4b2f9666189cbd2de2b20fc7c603b5fcbe394b925ccd055bd1e02abe36561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c238412481a146ab11982ee82490777c

SHA1
61451087cbd22daf63c18b6c3c939fe0952f27c3

SHA256
25f1c3a4b36ae44eb159193c17cc953ae3fa576928f2384865ab837a964bd9f2

SHA512
4ee702b05336364af8cb89a6dd162b9404a8307c5fef96b7af82e8db55459b65b0ce1ce6f6e3018aa213a73f42ba5dc80d8550e45baf756ef0b8b8459e7f9f9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddf8b6e433710ffdaea57f2788aa3e3c

SHA1
389604befd7a4abb9f940f842a0944dd80cf9c94

SHA256
738c4c6c360bf6d6a34832a9d8334b8a30a4da028b56a63568d5e8682d26d91d

SHA512
294bf7bf25a3bb856ea247b298189602d5c6b021bfaa1e859bb458579efa87f6f2f2c8a9f4a8ee64dcad6b5aa8dc0661c4bee2e349d4392626994c06757b7e5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
452e60ef28961bb887ae86b5ac76daca

SHA1
04be9209a5d0e211a421bd9dc760708f6d98bf77

SHA256
7fdc29cae80b887d2c2820beb80f9eb69124e8109486ffe0d4608578c6732270

SHA512
13943bd2bfa8552410ee2d5053f407f630aebe5b76d75b61b47e3ee0f87fca78bc0203cff48d5c57c4dc546129ee743edfaad0c58d607e1737695b0663f7238e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bebb202dbfff00f6f870d5a0d6f09972

SHA1
6f6e4e95a33d3510e9524163f1c86dff47301799

SHA256
3dd1797687c992aa6a3d80a6bf4783fe775bbe429c9c824012986208de2f81d9

SHA512
1c9dcb76207cdfc2f97768a1af19d36fb25cf9ad6417d8a8053dbd88905013266e60e5c4e32f1b602ace7b5ac8950f77148d41c3c1bd3dda147a3e42f68c3838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c345fcb621e9acc56a89299e103791d9

SHA1
a3fabd3ad100362ebce298f912ee3e28bb443b27

SHA256
a379d2071e0d5e9091d486903d9a79ed8bfe4f71d9820d07b04f3e7e01c3f044

SHA512
c6e05aac672a43217e9d2630611ced2cedd27ce88abf63c945d39f1a779288ea8e9c8ac072ff1c2c2fa0f9fe58c1ac825c891eeff05e4b3bfc417fa632bbcb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a452679b670c7af53a82d96a7f4994df

SHA1
f7ade9468898a457d2d875d80d003553096baa3b

SHA256
c56939bcf8f1adeed5b8a39c735a071a2f1bf3d5f4700f67e13af5d5c206e477

SHA512
4c447936c631f7fee474b67d5014509d3af7141b5eb61f397476f71806f84522007110e155dff8302f82a8a7bd7fca567ff341b3cf566d7892ece319aae1f0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f520befe20466581f75ccf29b069b9b0

SHA1
93e44c33725dc43953ae9088c8db6e17bfcc039b

SHA256
a0fc414bd8c6c7ee1814319986266b69b326acc226b0b80bb89a52ea3fc73fcd

SHA512
644d4da32718d5359d8aee95fb788238e39723bbef0a74210b0bcf5d8d807af1f0eefc9d003ac65e4b374cd5e02dc5ddc8479ffbee1496321a0b63ed91e961fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63848dde0a71e3f72c4d317d04304f4a

SHA1
6d97385fb2a76d1de4df43adf09131230d6659a6

SHA256
91d59864d1b7b6648bc84c54b113204761c262e7d4f6160215655a1de6feb0c0

SHA512
524414346f4f8d5431bf1277203141da1eda3cf74ce6897a55ff74137974fcf4c4bffb748d3da677c7a997eedfda834c7a36d8330606f630af9920b9093a9bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1771f6251d2757dc5e8ed002029e35e5

SHA1
871c6950788ff5779ed84e89593683e1a4f5629f

SHA256
d34917f13ae4b2e8eefda80e46b0e97e0acc1dab6e3e3c1b93b869cb53a77be4

SHA512
3512b17367ceaa609b57718aea88515eb53d5a8cfb37879bccfc40794df3f9e2fe9e3e454fc8a756e2d7154ff901f35c5141b6ff5ca5ba0a1743a260cd13a3a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02b03e025ece1515bfd95c479b9a86c2

SHA1
f6fe4c5fae8c09b953c7e7992e2be1d1d6c798e2

SHA256
ca7b173195702b7dc7dc7df2d8cbbd66f03c4214f2e598372e2682098d4f6f71

SHA512
a61deb29ffc7bc42cc943cd59fb3c5b4d89105eba8683e42baefd89008548d7f8150ffe50cef4c87651146d5904e18ed35294275466e6ca19b174cfed4ee2c81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
86e9bb614b068c82324ad0d4a40873e3

SHA1
f4daa894cbb81e17c073831a9e3fb16f843096af

SHA256
b9418d65c749b50516b4b8010c9e379cd21a99d578d1dbc401187b90a72c57fe

SHA512
75851fbdb4f2937822968f1bd5b8ed74d6bc6318964f152b06d8d168f28267e88e81f9daade23dff7ae0ea825bce6d9ca8d12d0b0b96c5b0d83a4c7136fd3941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eba89ea720877977b48e1ed1dc0f6779

SHA1
b77d5c3b6ffd3975236ce36c6694d25f6ed0dfe9

SHA256
bc2a6c89f01d8a0aff370cf6b2da584409c86746e06907a88797bece6a1914f6

SHA512
1facdb9868d80f9a265ab3cf0c355518c285a7f1a9a5a418628788b00f156c90df6d2e57231ace97de7212ff9147a667d8e2f1dc16af85c635136bbab5970cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3166af632810a02e6d427c3554f251f5

SHA1
e6f99f9ac43ef3c2d86144b09b43315ac78b1188

SHA256
3db0b1610a167e570ca00c0714b36e0e872851ffc09765797674e06302290355

SHA512
30f4fe4866053aaeb511f58abcfda32b06bac234e2592e8e8ecb4117edc3aa1b756fc8bf33bf338ec550575eef048f84cdd0dad96861ad0ab0fc05f4dd80bc56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
650756f37f15f837914577997aebf22d

SHA1
1abbcd817eeacd805dc18745ec87d20b6df877f2

SHA256
100a91aff78da5496031e78c752d8d654ed9ed8721533f82b04166c74316034e

SHA512
28312e0a643d79f5c50da4c25412ce2325038a8fe387e0929430c83277c7a84581fb73405b09db141bffaa9feaebcbf662ec4fb9b1df3cfe34f3830d98a08a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f90e6edb8fbd4ac39d03e962976056d0

SHA1
2e28b313b74a6134d8f87c1b7d1767a9880f799a

SHA256
edde4bbee65d8bba1fe57cc649df9774b4f4ddcbdb4a4ab984355c050b4fc1e7

SHA512
0e987e06864a123db045d0d66a2195ebcf3d93ce0461639914a024895f8e2627f0920d41c75da37f11f51c8f88d47eb319e00fe3d55f1c6d66012e8b9a3828d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
2.4MB

MD5
ba1d62f77cebf019a1d3f0652674cdad

SHA1
7b00c804043e8976b24cc585914445be6c3fea97

SHA256
216b461e0cd23e62e8855ee5110c7d75ef1cdec6283a61a706ba865576a17291

SHA512
dffd72b51a1856f50acedecf423280c775eb6b38938e827f628cc71b1ed24ed094dc6e991fc669a4c441856b4aedf20cce09037813d4a5235635562cf7fd3264

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_db5d3102.ge2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\builddcra.exe

Filesize
2.6MB

MD5
b9e78cd151376b28540383585cf3b627

SHA1
ba37c39f08818ca55bce28a8f517c478be0d7bc4

SHA256
23b01671304f338e0dc57576c2b5a8f1bc84bbdbb308e53c3eb19c93e5630429

SHA512
695175fd66e752dd999a26358c3c01e022d6e555a1463542f9204b7e3e41be39ac078d10e3b8ebe1572e3a02fccc5b1500e8f37c832eebcbfd095a95c72d973f

Download Submit
C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe

Filesize
198B

MD5
6a682ea741b4cac053982cc652084128

SHA1
88bef1788763769fc90da0f4eb73b68701fd5743

SHA256
f2a11c919613a346685a9f9258dc20126b70533e906280695d8e9baf536513a3

SHA512
17637f5891033c6cf60e05e2144ca3c24ad15fbc00028807a508a6f803e2b716368134f116f6d90affea697551fa658b48f322a7acf007d6874676c3c72720e5

Download Submit
C:\comperf\a7KpSV310bdVN.bat

Filesize
135B

MD5
bbcfd74f565598850d41288cdceea4cd

SHA1
0a5b7c7829100488e0adc2f37613bdc7ed539b8a

SHA256
defd700a60ab5471b4fe34675192b15d871c2d4e82add05721eb71e7087a87ad

SHA512
b5bb49072c8280fdf261a4b3d8c49be69e490a279320aa93fa8d09db4f4e198e6691ed122a095e7ed8a979b83b0e6010b0ce371174b890a8479260fa662bda05

Download Submit
C:\comperf\dllsvc.exe

Filesize
2.3MB

MD5
49a5efae18888864bb51c13b75bcbf19

SHA1
731bbd33178eb7ff05546df9d060c536454c80b3

SHA256
f652249db5c846fa8019b6ccc05378c7d0ca12515bfbb53a2ac2dea8f5d418cf

SHA512
b8b309e6dd35f2dfb9eaf3ce6ba80a07970c597ced4d24ec4725e18d11248be6e344ef4aa0c5c4ea838fb784ceaed4c275b46c466052b92603331b0873fdc045

Download Submit
memory/1140-203-0x0000000003250000-0x00000000032A6000-memory.dmp

Filesize
344KB

Download
memory/4544-1-0x0000000000500000-0x0000000000982000-memory.dmp

Filesize
4.5MB

Download
memory/4544-26-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/4544-0-0x00007FFBCCB73000-0x00007FFBCCB75000-memory.dmp

Filesize
8KB

Download
memory/4544-65-0x00007FFBCCB73000-0x00007FFBCCB75000-memory.dmp

Filesize
8KB

Download
memory/4544-70-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/4944-167-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/4944-165-0x0000000003380000-0x000000000338E000-memory.dmp

Filesize
56KB

Download
memory/4944-166-0x000000001BE10000-0x000000001BE18000-memory.dmp

Filesize
32KB

Download
memory/4944-164-0x0000000003370000-0x000000000337C000-memory.dmp

Filesize
48KB

Download
memory/4944-163-0x000000001BDC0000-0x000000001BE16000-memory.dmp

Filesize
344KB

Download
memory/4944-162-0x0000000003360000-0x000000000336A000-memory.dmp

Filesize
40KB

Download
memory/4944-159-0x000000001BD70000-0x000000001BDC0000-memory.dmp

Filesize
320KB

Download
memory/4944-160-0x0000000001940000-0x0000000001948000-memory.dmp

Filesize
32KB

Download
memory/4944-161-0x0000000003340000-0x0000000003356000-memory.dmp

Filesize
88KB

Download
memory/4944-147-0x0000000000DB0000-0x000000000100A000-memory.dmp

Filesize
2.4MB

Download
memory/4944-158-0x0000000001920000-0x000000000193C000-memory.dmp

Filesize
112KB

Download
memory/5028-14-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/5028-15-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/5028-16-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/5028-13-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/5028-12-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/5028-19-0x00007FFBCCB70000-0x00007FFBCD632000-memory.dmp

Filesize
10.8MB

Download
memory/5028-2-0x0000020F5E0C0000-0x0000020F5E0E2000-memory.dmp

Filesize
136KB

Download
memory/6044-240-0x0000028CC5B60000-0x0000028CC5D7D000-memory.dmp

Filesize
2.1MB

Download
memory/6056-71-0x0000000000B50000-0x0000000000DB8000-memory.dmp

Filesize
2.4MB

Download