dcrat | 22de9a0aef3424a7ad95dfab9b8cfa8275e02083db45647aa8a953a2a6393007

Analysis

max time kernel
96s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper (1).exe
Size

4.5MB
MD5

7c4f42168b6b77b79cec709462d83822
SHA1

fe554500b94cb7e3b3ecb373fbbfec6bdf9228df
SHA256

22de9a0aef3424a7ad95dfab9b8cfa8275e02083db45647aa8a953a2a6393007
SHA512

2b8103bdc5ef177527c5b9889517c004f3d50fd534cd7cd180556ae348bebf16e471459205800932aa3230987d82060e79b9be78aa9a5bbb50d93b6ac5e58a4b
SSDEEP

98304:VxkPiumssqzvNazqd81WLyWesy7flqtWRa:kKnsL7Ld1LTehbnR

Score

10^/10

dcrat discovery evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	1932	schtasks.exe	112
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1932	schtasks.exe	112

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x001c00000002aa60-22.dat	dcrat
behavioral2/files/0x001a00000002aa6c-148.dat	dcrat
behavioral2/memory/256-150-0x0000000000460000-0x00000000006BA000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe
1296	powershell.exe
1504	powershell.exe
2020	powershell.exe
4548	powershell.exe
2824	powershell.exe
2500	powershell.exe
2056	powershell.exe
3880	powershell.exe
3100	powershell.exe
2948	powershell.exe
2004	powershell.exe
684	powershell.exe
3124	powershell.exe
2244	powershell.exe
2788	powershell.exe
2900	powershell.exe
760	powershell.exe
1996	powershell.exe
380	powershell.exe
1436	powershell.exe
1516	powershell.exe
5032	powershell.exe
3928	powershell.exe
4396	powershell.exe
4712	powershell.exe
3508	powershell.exe
3296	powershell.exe
3508	powershell.exe
4448	powershell.exe
1180	powershell.exe
2196	powershell.exe
2436	powershell.exe
4300	powershell.exe
1152	powershell.exe
2112	powershell.exe
2260	powershell.exe
1332	powershell.exe
5000	powershell.exe
420	powershell.exe
2000	powershell.exe
3436	powershell.exe
3500	powershell.exe
4724	powershell.exe
4524	powershell.exe
1856	powershell.exe
2936	powershell.exe
2112	powershell.exe
1468	powershell.exe
324	powershell.exe
904	powershell.exe
3132	powershell.exe
2444	powershell.exe
3040	powershell.exe
4660	powershell.exe
1088	powershell.exe
2280	powershell.exe
2692	powershell.exe
1704	powershell.exe
788	powershell.exe
1680	powershell.exe
4188	powershell.exe
3352	powershell.exe
1912	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 64 IoCs

pid	Process
2716	builddcra.exe
2936	Bootstrapper.exe
1880	builddcra.exe
232	Bootstrapper.exe
3144	builddcra.exe
1036	Bootstrapper.exe
4200	builddcra.exe
256	dllsvc.exe
4732	Bootstrapper.exe
4956	builddcra.exe
2972	dllsvc.exe
2640	Bootstrapper.exe
3648	dllhost.exe
3832	builddcra.exe
1380	dllsvc.exe
3952	Bootstrapper.exe
3028	dllsvc.exe
4680	csrss.exe
2504	builddcra.exe
3552	Bootstrapper.exe
1792	dllsvc.exe
1548	builddcra.exe
2240	Bootstrapper.exe
256	dllsvc.exe
1504	builddcra.exe
2960	Bootstrapper.exe
2828	builddcra.exe
4508	Bootstrapper.exe
4536	dllsvc.exe
4596	builddcra.exe
4144	Bootstrapper.exe
2600	dllsvc.exe
3972	builddcra.exe
4224	Bootstrapper.exe
4500	dllsvc.exe
2648	builddcra.exe
796	dllsvc.exe
4976	Bootstrapper.exe
236	builddcra.exe
1384	dllsvc.exe
2996	Bootstrapper.exe
2676	builddcra.exe
5112	dllsvc.exe
2700	Bootstrapper.exe
876	builddcra.exe
2456	Bootstrapper.exe
4192	dllsvc.exe
4400	builddcra.exe
3564	dllsvc.exe
3000	Bootstrapper.exe
2216	builddcra.exe
2056	dllsvc.exe
1552	Bootstrapper.exe
2000	builddcra.exe
2980	dllsvc.exe
3184	Bootstrapper.exe
2648	builddcra.exe
3908	dllsvc.exe
2216	Bootstrapper.exe
4728	builddcra.exe
4372	dllsvc.exe
396	Bootstrapper.exe
3568	builddcra.exe
3340	Bootstrapper.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office16\7a0fd90576e088	dllsvc.exe
File created	C:\Program Files (x86)\Windows Mail\wscript.exe	dllsvc.exe
File created	C:\Program Files\Microsoft Office 15\wininit.exe	dllsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\csrss.exe	dllsvc.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\886983d96e3d3e	dllsvc.exe
File created	C:\Program Files\Microsoft Office\Office16\explorer.exe	dllsvc.exe
File created	C:\Program Files\Internet Explorer\images\cmd.exe	dllsvc.exe
File opened for modification	C:\Program Files\Internet Explorer\images\cmd.exe	dllsvc.exe
File created	C:\Program Files\Internet Explorer\images\ebf1f9fa8afd6d	dllsvc.exe
File created	C:\Program Files (x86)\Windows Mail\817c8c8ec737a7	dllsvc.exe
File created	C:\Program Files\Microsoft Office 15\56085415360792	dllsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\OCR\en-us\w32tm.exe	dllsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builddcra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	dllsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	dllsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	builddcra.exe

Modifies registry key 1 TTPs 30 IoCs

Modify Registry

T1112

pid	Process
2340	reg.exe
1172	reg.exe
3304	reg.exe
4420	reg.exe
3336	reg.exe
4432	reg.exe
684	reg.exe
3924	reg.exe
2828	reg.exe
2112	reg.exe
864	reg.exe
2828	reg.exe
1880	reg.exe
2720	reg.exe
4140	reg.exe
3436	reg.exe
3116	reg.exe
2064	reg.exe
1616	reg.exe
4804	reg.exe
2212	reg.exe
3712	reg.exe
3436	reg.exe
3296	reg.exe
876	reg.exe
3904	reg.exe
1980	reg.exe
2676	reg.exe
3816	reg.exe
3144	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2664	schtasks.exe
240	schtasks.exe
1352	schtasks.exe
2000	schtasks.exe
2240	schtasks.exe
1436	schtasks.exe
4072	schtasks.exe
4628	schtasks.exe
4236	schtasks.exe
1680	schtasks.exe
3168	schtasks.exe
3256	schtasks.exe
2552	schtasks.exe
3556	schtasks.exe
2056	schtasks.exe
5112	schtasks.exe
3124	schtasks.exe
3028	schtasks.exe
1260	schtasks.exe
2648	schtasks.exe
2028	schtasks.exe
892	schtasks.exe
332	schtasks.exe
1712	schtasks.exe
4568	schtasks.exe
4088	schtasks.exe
2040	schtasks.exe
3392	schtasks.exe
3292	schtasks.exe
1088	schtasks.exe
8	schtasks.exe
3604	schtasks.exe
1128	schtasks.exe
684	schtasks.exe
4196	schtasks.exe
3120	schtasks.exe
2536	schtasks.exe
3576	schtasks.exe
1840	schtasks.exe
3880	schtasks.exe
4840	schtasks.exe
2600	schtasks.exe
4620	schtasks.exe
2128	schtasks.exe
2708	schtasks.exe
4020	schtasks.exe
1356	schtasks.exe
5056	schtasks.exe
2044	schtasks.exe
2408	schtasks.exe
1516	schtasks.exe
760	schtasks.exe
1748	schtasks.exe
1396	schtasks.exe
768	schtasks.exe
2260	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2816	powershell.exe
2816	powershell.exe
5032	powershell.exe
5032	powershell.exe
3124	powershell.exe
3124	powershell.exe
2676	powershell.exe
2676	powershell.exe
3508	powershell.exe
3508	powershell.exe
420	powershell.exe
420	powershell.exe
2244	powershell.exe
2244	powershell.exe
2000	powershell.exe
2000	powershell.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
256	dllsvc.exe
3436	powershell.exe
3436	powershell.exe
380	powershell.exe
380	powershell.exe
2972	dllsvc.exe
2972	dllsvc.exe
2972	dllsvc.exe
2972	dllsvc.exe
2972	dllsvc.exe
4448	powershell.exe
4448	powershell.exe
2500	powershell.exe
3648	dllhost.exe
2500	powershell.exe
2056	powershell.exe
2056	powershell.exe
1680	powershell.exe
1680	powershell.exe
1856	powershell.exe
1856	powershell.exe
2936	powershell.exe
2936	powershell.exe
3880	powershell.exe
3880	powershell.exe
3928	powershell.exe
3928	powershell.exe
3976	powershell.exe
3976	powershell.exe
3500	powershell.exe
3500	powershell.exe
3040	powershell.exe
3040	powershell.exe
2216	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	256	dllsvc.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	2972	dllsvc.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	3648	dllhost.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1380	dllsvc.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	3028	dllsvc.exe
Token: SeDebugPrivilege	4680	csrss.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1792	dllsvc.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	256	dllsvc.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	4536	dllsvc.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2600	dllsvc.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	4500	dllsvc.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	796	dllsvc.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1384	dllsvc.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	5112	dllsvc.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4192	dllsvc.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	3564	dllsvc.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2056	dllsvc.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2980	dllsvc.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	3908	dllsvc.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	4372	dllsvc.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 2816	3584	Bootstrapper (1).exe	81
PID 3584 wrote to memory of 2816	3584	Bootstrapper (1).exe	81
PID 3584 wrote to memory of 2716	3584	Bootstrapper (1).exe	83
PID 3584 wrote to memory of 2716	3584	Bootstrapper (1).exe	83
PID 3584 wrote to memory of 2716	3584	Bootstrapper (1).exe	83
PID 3584 wrote to memory of 5032	3584	Bootstrapper (1).exe	84
PID 3584 wrote to memory of 5032	3584	Bootstrapper (1).exe	84
PID 2716 wrote to memory of 4000	2716	builddcra.exe	86
PID 2716 wrote to memory of 4000	2716	builddcra.exe	86
PID 2716 wrote to memory of 4000	2716	builddcra.exe	86
PID 3584 wrote to memory of 2936	3584	Bootstrapper (1).exe	87
PID 3584 wrote to memory of 2936	3584	Bootstrapper (1).exe	87
PID 2936 wrote to memory of 3124	2936	Bootstrapper.exe	88
PID 2936 wrote to memory of 3124	2936	Bootstrapper.exe	88
PID 2936 wrote to memory of 1880	2936	Bootstrapper.exe	90
PID 2936 wrote to memory of 1880	2936	Bootstrapper.exe	90
PID 2936 wrote to memory of 1880	2936	Bootstrapper.exe	90
PID 2936 wrote to memory of 2676	2936	Bootstrapper.exe	91
PID 2936 wrote to memory of 2676	2936	Bootstrapper.exe	91
PID 1880 wrote to memory of 4424	1880	builddcra.exe	93
PID 1880 wrote to memory of 4424	1880	builddcra.exe	93
PID 1880 wrote to memory of 4424	1880	builddcra.exe	93
PID 2936 wrote to memory of 232	2936	Bootstrapper.exe	94
PID 2936 wrote to memory of 232	2936	Bootstrapper.exe	94
PID 232 wrote to memory of 3508	232	Bootstrapper.exe	95
PID 232 wrote to memory of 3508	232	Bootstrapper.exe	95
PID 232 wrote to memory of 3144	232	Bootstrapper.exe	97
PID 232 wrote to memory of 3144	232	Bootstrapper.exe	97
PID 232 wrote to memory of 3144	232	Bootstrapper.exe	97
PID 232 wrote to memory of 420	232	Bootstrapper.exe	98
PID 232 wrote to memory of 420	232	Bootstrapper.exe	98
PID 3144 wrote to memory of 4872	3144	builddcra.exe	100
PID 3144 wrote to memory of 4872	3144	builddcra.exe	100
PID 3144 wrote to memory of 4872	3144	builddcra.exe	100
PID 232 wrote to memory of 1036	232	Bootstrapper.exe	101
PID 232 wrote to memory of 1036	232	Bootstrapper.exe	101
PID 1036 wrote to memory of 2244	1036	Bootstrapper.exe	102
PID 1036 wrote to memory of 2244	1036	Bootstrapper.exe	102
PID 1036 wrote to memory of 4200	1036	Bootstrapper.exe	104
PID 1036 wrote to memory of 4200	1036	Bootstrapper.exe	104
PID 1036 wrote to memory of 4200	1036	Bootstrapper.exe	104
PID 1036 wrote to memory of 2000	1036	Bootstrapper.exe	105
PID 1036 wrote to memory of 2000	1036	Bootstrapper.exe	105
PID 4000 wrote to memory of 4776	4000	WScript.exe	107
PID 4000 wrote to memory of 4776	4000	WScript.exe	107
PID 4000 wrote to memory of 4776	4000	WScript.exe	107
PID 4200 wrote to memory of 1416	4200	builddcra.exe	110
PID 4200 wrote to memory of 1416	4200	builddcra.exe	110
PID 4200 wrote to memory of 1416	4200	builddcra.exe	110
PID 4776 wrote to memory of 256	4776	cmd.exe	109
PID 4776 wrote to memory of 256	4776	cmd.exe	109
PID 1036 wrote to memory of 4732	1036	Bootstrapper.exe	111
PID 1036 wrote to memory of 4732	1036	Bootstrapper.exe	111
PID 256 wrote to memory of 2812	256	dllsvc.exe	125
PID 256 wrote to memory of 2812	256	dllsvc.exe	125
PID 4776 wrote to memory of 1616	4776	cmd.exe	127
PID 4776 wrote to memory of 1616	4776	cmd.exe	127
PID 4776 wrote to memory of 1616	4776	cmd.exe	127
PID 2812 wrote to memory of 2368	2812	cmd.exe	128
PID 2812 wrote to memory of 2368	2812	cmd.exe	128
PID 4732 wrote to memory of 3436	4732	Bootstrapper.exe	129
PID 4732 wrote to memory of 3436	4732	Bootstrapper.exe	129
PID 4424 wrote to memory of 1628	4424	WScript.exe	131
PID 4424 wrote to memory of 1628	4424	WScript.exe	131

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\builddcra.exe
  "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:256
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3wA4xjqWRi.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2368
        
        C:\comperf\dllhost.exe
        
        "C:\comperf\dllhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3648
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
    "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
      - C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EsHQ1vyYQm.bat"
        7⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1296
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3508
  - - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
      "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        6⤵
        
        PID:3924
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:4804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:420
  - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
      - C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3296
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        6⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        9⤵
        
        PID:1900
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        7⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        9⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        10⤵
        
        PID:4560
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        11⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        8⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        10⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        11⤵
        
        PID:3524
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        9⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        13⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        10⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        12⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        14⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        11⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        13⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        14⤵
        
        PID:3648
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        15⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        12⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        16⤵
        Modifies registry key
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        13⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        17⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        14⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        17⤵
        
        PID:3712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2340
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        18⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        15⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:1436
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        19⤵
        Modifies registry key
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        16⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        20⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        17⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        21⤵
        Modifies registry key
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        18⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        20⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        21⤵
        
        PID:492
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        22⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        19⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        22⤵
        
        PID:4052
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        23⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        23⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        20⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        23⤵
        
        PID:3496
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        24⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        24⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        21⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        23⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        25⤵
        
        PID:672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        25⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        22⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        24⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        26⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        26⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        23⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        24⤵
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        27⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        27⤵
        Modifies registry key
        
        PID:3116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        24⤵
        
        PID:1452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        25⤵
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        26⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        28⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        28⤵
        Modifies registry key
        
        PID:3436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        25⤵
        
        PID:3244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        26⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        26⤵
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        28⤵
        
        PID:4364
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        29⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        29⤵
        Modifies registry key
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        26⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        26⤵
        
        PID:5116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        27⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        28⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        29⤵
        
        PID:772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:672
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        30⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        30⤵
        Modifies registry key
        
        PID:1980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        27⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        27⤵
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        28⤵
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        30⤵
        
        PID:3584
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        31⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        31⤵
        Modifies registry key
        
        PID:4432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        28⤵
        
        PID:1472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        30⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        31⤵
        
        PID:744
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:4376
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        32⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        32⤵
        Modifies registry key
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        29⤵
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        30⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        31⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        32⤵
        
        PID:3432
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        33⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        33⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        30⤵
        
        PID:240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        31⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        32⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        33⤵
        
        PID:3788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:3128
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        34⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        34⤵
        Modifies registry key
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        31⤵
        
        PID:3448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        32⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        33⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        34⤵
        
        PID:3244
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        35⤵
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        32⤵
        
        PID:1844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        33⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        34⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        35⤵
        
        PID:2196
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        36⤵
        
        PID:1272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        33⤵
        
        PID:4880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        34⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        35⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comperf\a7KpSV310bdVN.bat" "
        36⤵
        
        PID:4776
        
        C:\comperf\dllsvc.exe
        
        "C:\comperf\dllsvc.exe"
        37⤵
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        34⤵
        
        PID:3568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        35⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        36⤵
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        36⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        35⤵
        
        PID:2056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        36⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        37⤵
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        36⤵
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\builddcra.exe'
        37⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\builddcra.exe
        
        "C:\Users\Admin\AppData\Local\Temp\builddcra.exe"
        37⤵
        
        PID:576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe"
        38⤵
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
        37⤵
        
        PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\comperf\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\comperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\comperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office16\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\images\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\images\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Packages\Microsoft.OneDriveSync_8wekyb3d8bbwe\S-1-5-21-2410826464-2353372766-2364966905-1000\SystemAppData\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.OneDriveSync_8wekyb3d8bbwe\S-1-5-21-2410826464-2353372766-2364966905-1000\SystemAppData\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Packages\Microsoft.OneDriveSync_8wekyb3d8bbwe\S-1-5-21-2410826464-2353372766-2364966905-1000\SystemAppData\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllsvcd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllsvcd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "w32tmw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\w32tm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "w32tm" /sc ONLOGON /tr "'C:\Users\Default\Desktop\w32tm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "w32tmw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\w32tm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\comperf\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\comperf\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\comperf\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Desktop\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllsvc.exe.log

Filesize
1KB

MD5
4a154b138b22d8614bea6d4aa8bffecf

SHA1
e234d740d83d68c2233e8bf3ffd65406d5ca9563

SHA256
0c84f439b774b18f2f98ff2bd65b31a7540a064ec20aed0b5cd5fdd7546d56f6

SHA512
c3f7dabc72ddc377d50843b5e3a2bdc1600cee7d5dcdc52b7db9c675fbc5cb510be01ffe911462fd4e5af95737108ae1b19d006c00be5217f489c3772b7a68ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21017c68eaf9461301de459f4f07e888

SHA1
41ff30fc8446508d4c3407c79e798cf6eaa5bb73

SHA256
03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

SHA512
956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9deb31d63c251368f1dcf297650b2997

SHA1
02a6835b82971ae7dba9d97e528412fac5247714

SHA256
9c598fb1420e5646126e8f7a42a3ea94b1050017e9cb67bbe6429f08c1bc2893

SHA512
0d6c8958a051b75f0d0a53e336954e102e642ad79a96f39fb1ed6643d77f9b54725b27eef460e33c89ff1d6136155cb6d873c25f9ae3dfc4a9d3a9346816477a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a0490168f1e6406fd416f4a83181e02

SHA1
8c32007b782f879b8c5ae90455306e9ea535a2aa

SHA256
2281a3c2a0985c153806ec9845f38e3e4c8dd5725fc1596732c4cfa457e30472

SHA512
235fe82c16ac3e9bfcae1ff8ba26eaddee72a8e65ecf8e60bc182c80e10b1436b45495b164e4cdc9d8a1ef46600a632f1f134f85b741e65e0886aec3a3c10600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
856900844f6f1c326c89d0bcfb2f0c28

SHA1
1caad440d46fa8c0cbed4822b4be2bbdddba97c2

SHA256
ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32

SHA512
ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
55f30089624be31af328ba4e012ae45a

SHA1
121c28de7a5afe828ea395d94be8f5273817b678

SHA256
28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473

SHA512
ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1189a72e42e2321edf1ed3a8d5568687

SHA1
a2142fc754d6830de107d9d46f398483156f16a6

SHA256
009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea

SHA512
b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8b1612dbdb34a3353094bdbe66cbd64

SHA1
be78a2b53e7c7b3fff38a98c880552fd3595b269

SHA256
b4149219a8ec6b3ab1f7f7a9fac30c9c1537d08a54270305f9a3077c79520692

SHA512
e011a96a3e85e6e5d0f4e746912d158a419533a3a3759a062e95c6f76630121891d9a8ea574344adb4f1996f871036c29675e03c05c63551eec2d088535534c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050578bcbe71fcf8467e66dd700f1a0b

SHA1
edc182f324a85f530077aff358c2b5269b088fc1

SHA256
ac02bf4fb18fffdf076eb0ef1169af67cbcb1306a009f4821f3b8546764b4a50

SHA512
f0ba63e42038eaf1017367674ad0dde48e7f39e1473680247027b07cf7aa03562cc52b9f91b1f63eaa684235f42d78761e522cacaad2a4fac9f1e8f96685d381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9d17e8585400bc639a8b261083920ec3

SHA1
aef71cce477bd67115a4e2a0a86e6b8f0f62e30a

SHA256
81fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1

SHA512
235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Temp\3wA4xjqWRi.bat

Filesize
187B

MD5
5e0b15f7be8d35c4d21e1f159145efce

SHA1
1d639416f37e43abbbace3a401ce78d29d888c09

SHA256
0d918ed570057bf0d3da355487cfd622e9921740776fc97e78de4662b48e2eaf

SHA512
ac544f3531e6fd63db903b5ab57ac9b896c9a348f238609d5a7d226d0245918b963478b8d15f709f03b93069118457335f37a63e4e66bd79ece0b3f2d927ba90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

Filesize
2.4MB

MD5
ba1d62f77cebf019a1d3f0652674cdad

SHA1
7b00c804043e8976b24cc585914445be6c3fea97

SHA256
216b461e0cd23e62e8855ee5110c7d75ef1cdec6283a61a706ba865576a17291

SHA512
dffd72b51a1856f50acedecf423280c775eb6b38938e827f628cc71b1ed24ed094dc6e991fc669a4c441856b4aedf20cce09037813d4a5235635562cf7fd3264

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsHQ1vyYQm.bat

Filesize
196B

MD5
80a5219d55de7237fd15c59c421202bd

SHA1
fa6d172227cdf09f90e9ee67f490a42700d669a5

SHA256
507149c1dd2600ee55b65ed2bbf637129561d6744af09a5510d3f472e93878fe

SHA512
1b2fb0983c4309ae13bb6f5507bdc0d95fd92e9cd0a1c72fc8bd8b6f9632f51176a3e13930ddf3046a14171eb4deb15de2460ae664f2cea734220619f122f7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qynwjauc.3pd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\builddcra.exe

Filesize
2.6MB

MD5
b9e78cd151376b28540383585cf3b627

SHA1
ba37c39f08818ca55bce28a8f517c478be0d7bc4

SHA256
23b01671304f338e0dc57576c2b5a8f1bc84bbdbb308e53c3eb19c93e5630429

SHA512
695175fd66e752dd999a26358c3c01e022d6e555a1463542f9204b7e3e41be39ac078d10e3b8ebe1572e3a02fccc5b1500e8f37c832eebcbfd095a95c72d973f

Download Submit
C:\comperf\2Z3KvKosyH1QI8XVE8Ix.vbe

Filesize
198B

MD5
6a682ea741b4cac053982cc652084128

SHA1
88bef1788763769fc90da0f4eb73b68701fd5743

SHA256
f2a11c919613a346685a9f9258dc20126b70533e906280695d8e9baf536513a3

SHA512
17637f5891033c6cf60e05e2144ca3c24ad15fbc00028807a508a6f803e2b716368134f116f6d90affea697551fa658b48f322a7acf007d6874676c3c72720e5

Download Submit
C:\comperf\a7KpSV310bdVN.bat

Filesize
135B

MD5
bbcfd74f565598850d41288cdceea4cd

SHA1
0a5b7c7829100488e0adc2f37613bdc7ed539b8a

SHA256
defd700a60ab5471b4fe34675192b15d871c2d4e82add05721eb71e7087a87ad

SHA512
b5bb49072c8280fdf261a4b3d8c49be69e490a279320aa93fa8d09db4f4e198e6691ed122a095e7ed8a979b83b0e6010b0ce371174b890a8479260fa662bda05

Download Submit
C:\comperf\dllsvc.exe

Filesize
2.3MB

MD5
49a5efae18888864bb51c13b75bcbf19

SHA1
731bbd33178eb7ff05546df9d060c536454c80b3

SHA256
f652249db5c846fa8019b6ccc05378c7d0ca12515bfbb53a2ac2dea8f5d418cf

SHA512
b8b309e6dd35f2dfb9eaf3ce6ba80a07970c597ced4d24ec4725e18d11248be6e344ef4aa0c5c4ea838fb784ceaed4c275b46c466052b92603331b0873fdc045

Download Submit
memory/256-154-0x000000001B120000-0x000000001B13C000-memory.dmp

Filesize
112KB

Download
memory/256-158-0x000000001B180000-0x000000001B18A000-memory.dmp

Filesize
40KB

Download
memory/256-157-0x000000001B160000-0x000000001B176000-memory.dmp

Filesize
88KB

Download
memory/256-156-0x000000001B140000-0x000000001B148000-memory.dmp

Filesize
32KB

Download
memory/256-155-0x000000001BA00000-0x000000001BA50000-memory.dmp

Filesize
320KB

Download
memory/256-159-0x000000001B9B0000-0x000000001BA06000-memory.dmp

Filesize
344KB

Download
memory/256-163-0x000000001BA70000-0x000000001BA7C000-memory.dmp

Filesize
48KB

Download
memory/256-162-0x000000001BA60000-0x000000001BA68000-memory.dmp

Filesize
32KB

Download
memory/256-161-0x000000001BA50000-0x000000001BA5E000-memory.dmp

Filesize
56KB

Download
memory/256-160-0x000000001B190000-0x000000001B19C000-memory.dmp

Filesize
48KB

Download
memory/256-150-0x0000000000460000-0x00000000006BA000-memory.dmp

Filesize
2.4MB

Download
memory/2816-14-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/2816-17-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/2816-13-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/2816-12-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/2816-11-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/2816-10-0x000001EB47260000-0x000001EB47282000-memory.dmp

Filesize
136KB

Download
memory/2936-58-0x0000000000930000-0x0000000000B98000-memory.dmp

Filesize
2.4MB

Download
memory/2972-209-0x000000001B970000-0x000000001B9C6000-memory.dmp

Filesize
344KB

Download
memory/3584-59-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-25-0x00007FFB676F0000-0x00007FFB681B2000-memory.dmp

Filesize
10.8MB

Download
memory/3584-0-0x00007FFB676F3000-0x00007FFB676F5000-memory.dmp

Filesize
8KB

Download
memory/3584-1-0x00000000002A0000-0x0000000000722000-memory.dmp

Filesize
4.5MB

Download
memory/3648-274-0x00000000026A0000-0x00000000026F6000-memory.dmp

Filesize
344KB

Download