4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/geek.bat
Size

1KB
MD5

0234fed5fac93a5888925331acabd441
SHA1

4af4ac61ccacfb361c39d86b7c7700476deca049
SHA256

9090767211e7b2b5c23304712fe55e3beeea78364a95088bab3554174fc51eee
SHA512

df148b1b048336731293ce6d2c5d0e7bb0dd0806254aa447d47e0216885a93f284c2aa93bddca67dd2b345f549837f8942b3f088092c58ffff238ae91b861636

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://community.chocolatey.org/install.ps1

Signatures

Blocklisted process makes network request 64 IoCs

Processes:

flow	pid	process
5	2412	powershell.exe
6	2412	powershell.exe
8	2592	powershell.exe
9	2592	powershell.exe
11	2884	powershell.exe
12	2884	powershell.exe
14	1400	powershell.exe
15	1400	powershell.exe
17	1464	powershell.exe
18	1464	powershell.exe
20	2996	powershell.exe
21	2996	powershell.exe
23	2804	powershell.exe
24	2804	powershell.exe
26	2964	powershell.exe
27	2964	powershell.exe
29	1844	powershell.exe
30	1844	powershell.exe
32	1672	powershell.exe
33	1672	powershell.exe
35	2232	powershell.exe
36	2232	powershell.exe
38	2352	powershell.exe
39	2352	powershell.exe
41	2556	powershell.exe
42	2556	powershell.exe
44	2752	powershell.exe
45	2752	powershell.exe
47	904	powershell.exe
48	904	powershell.exe
50	816	powershell.exe
51	816	powershell.exe
53	3068	powershell.exe
54	3068	powershell.exe
56	2352	powershell.exe
57	2352	powershell.exe
59	2876	powershell.exe
60	2876	powershell.exe
62	844	powershell.exe
63	844	powershell.exe
65	448	powershell.exe
66	448	powershell.exe
68	2152	powershell.exe
69	2152	powershell.exe
71	1620	powershell.exe
72	1620	powershell.exe
74	2764	powershell.exe
75	2764	powershell.exe
77	2512	powershell.exe
78	2512	powershell.exe
80	1072	powershell.exe
81	1072	powershell.exe
83	2720	powershell.exe
84	2720	powershell.exe
86	1476	powershell.exe
87	1476	powershell.exe
89	3032	powershell.exe
90	3032	powershell.exe
92	2364	powershell.exe
93	2364	powershell.exe
95	2012	powershell.exe
96	2012	powershell.exe
98	2684	powershell.exe
99	2684	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2592	powershell.exe
1720	powershell.exe
2684	powershell.exe
1940	powershell.exe
3032	powershell.exe
2764	powershell.exe
2012	powershell.exe
2964	powershell.exe
1740	powershell.exe
1428	powershell.exe
2352	powershell.exe
2044	powershell.exe
844	powershell.exe
1572	powershell.exe
2996	powershell.exe
2804	powershell.exe
1844	powershell.exe
408	powershell.exe
2752	powershell.exe
2032	powershell.exe
904	powershell.exe
448	powershell.exe
1672	powershell.exe
2352	powershell.exe
2808	powershell.exe
2360	powershell.exe
2400	powershell.exe
688	powershell.exe
2740	powershell.exe
2036	powershell.exe
1268	powershell.exe
2192	powershell.exe
816	powershell.exe
2152	powershell.exe
2224	powershell.exe
1464	powershell.exe
868	powershell.exe
2876	powershell.exe
1620	powershell.exe
1016	powershell.exe
1072	powershell.exe
2720	powershell.exe
776	powershell.exe
2556	powershell.exe
2512	powershell.exe
3032	powershell.exe
2776	powershell.exe
2412	powershell.exe
2856	powershell.exe
1656	powershell.exe
2232	powershell.exe
2932	powershell.exe
916	powershell.exe
1476	powershell.exe
2884	powershell.exe
1204	powershell.exe
3068	powershell.exe
3056	powershell.exe
2684	powershell.exe
3052	powershell.exe
1400	powershell.exe
1424	powershell.exe
916	powershell.exe
2364	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1552	powershell.exe
1552	powershell.exe
2412	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2940	powershell.exe
2940	powershell.exe
2592	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
1720	powershell.exe
1720	powershell.exe
2884	powershell.exe
1884	powershell.exe
1884	powershell.exe
1884	powershell.exe
776	powershell.exe
776	powershell.exe
1400	powershell.exe
1308	powershell.exe
1308	powershell.exe
1308	powershell.exe
688	powershell.exe
688	powershell.exe
1464	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
1424	powershell.exe
1424	powershell.exe
2996	powershell.exe
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe
2856	powershell.exe
2856	powershell.exe
2804	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
1656	powershell.exe
1656	powershell.exe
2964	powershell.exe
1516	powershell.exe
1516	powershell.exe
1516	powershell.exe
1740	powershell.exe
1740	powershell.exe
1844	powershell.exe
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe
408	powershell.exe
408	powershell.exe
1672	powershell.exe
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
2740	powershell.exe
2740	powershell.exe
2232	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exepowershell.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 2644 wrote to memory of 2332	2644	cmd.exe	fltMC.exe
PID 2644 wrote to memory of 2332	2644	cmd.exe	fltMC.exe
PID 2644 wrote to memory of 2332	2644	cmd.exe	fltMC.exe
PID 2644 wrote to memory of 572	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 572	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 572	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 1552	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 1552	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 1552	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2412	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2412	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2412	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2716	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2716	2644	cmd.exe	powershell.exe
PID 2644 wrote to memory of 2716	2644	cmd.exe	powershell.exe
PID 2716 wrote to memory of 2396	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 2396	2716	powershell.exe	cmd.exe
PID 2716 wrote to memory of 2396	2716	powershell.exe	cmd.exe
PID 2396 wrote to memory of 2772	2396	cmd.exe	fltMC.exe
PID 2396 wrote to memory of 2772	2396	cmd.exe	fltMC.exe
PID 2396 wrote to memory of 2772	2396	cmd.exe	fltMC.exe
PID 2396 wrote to memory of 2600	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2600	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2600	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2940	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2940	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2940	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2592	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2592	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2592	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2392	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2392	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2392	2396	cmd.exe	powershell.exe
PID 2392 wrote to memory of 2912	2392	powershell.exe	cmd.exe
PID 2392 wrote to memory of 2912	2392	powershell.exe	cmd.exe
PID 2392 wrote to memory of 2912	2392	powershell.exe	cmd.exe
PID 2912 wrote to memory of 2304	2912	cmd.exe	fltMC.exe
PID 2912 wrote to memory of 2304	2912	cmd.exe	fltMC.exe
PID 2912 wrote to memory of 2304	2912	cmd.exe	fltMC.exe
PID 2912 wrote to memory of 1708	2912	cmd.exe	cmd.exe
PID 2912 wrote to memory of 1708	2912	cmd.exe	cmd.exe
PID 2912 wrote to memory of 1708	2912	cmd.exe	cmd.exe
PID 2912 wrote to memory of 1720	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1720	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1720	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 2884	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 2884	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 2884	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1884	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1884	2912	cmd.exe	powershell.exe
PID 2912 wrote to memory of 1884	2912	cmd.exe	powershell.exe
PID 1884 wrote to memory of 2936	1884	powershell.exe	cmd.exe
PID 1884 wrote to memory of 2936	1884	powershell.exe	cmd.exe
PID 1884 wrote to memory of 2936	1884	powershell.exe	cmd.exe
PID 2936 wrote to memory of 1076	2936	cmd.exe	fltMC.exe
PID 2936 wrote to memory of 1076	2936	cmd.exe	fltMC.exe
PID 2936 wrote to memory of 1076	2936	cmd.exe	fltMC.exe
PID 2936 wrote to memory of 2108	2936	cmd.exe	cmd.exe
PID 2936 wrote to memory of 2108	2936	cmd.exe	cmd.exe
PID 2936 wrote to memory of 2108	2936	cmd.exe	cmd.exe
PID 2936 wrote to memory of 776	2936	cmd.exe	powershell.exe
PID 2936 wrote to memory of 776	2936	cmd.exe	powershell.exe
PID 2936 wrote to memory of 776	2936	cmd.exe	powershell.exe
PID 2936 wrote to memory of 1400	2936	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy AllSigned
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\fltMC.exe
      fltmc
      4⤵
      PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:2600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy AllSigned
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\system32\fltMC.exe
        
        fltmc
        6⤵
        
        PID:2304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        6⤵
        
        PID:1708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        8⤵
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        8⤵
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        9⤵
        
        PID:940
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        10⤵
        
        PID:1240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        10⤵
        
        PID:344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        11⤵
        
        PID:2160
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        12⤵
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        12⤵
        
        PID:1848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        12⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        13⤵
        
        PID:2852
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        14⤵
        
        PID:2836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        14⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        14⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        15⤵
        
        PID:2624
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        16⤵
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        16⤵
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        16⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        17⤵
        
        PID:1920
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        18⤵
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        18⤵
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        18⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        19⤵
        
        PID:832
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        20⤵
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        20⤵
        
        PID:1412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        20⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        21⤵
        
        PID:1632
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        22⤵
        
        PID:564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        22⤵
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        22⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        22⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        23⤵
        
        PID:1520
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        24⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        24⤵
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        24⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        25⤵
        
        PID:2772
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        26⤵
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        26⤵
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        26⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        27⤵
        
        PID:2028
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        28⤵
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        28⤵
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        28⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        29⤵
        
        PID:1740
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        30⤵
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        30⤵
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        30⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        31⤵
        
        PID:408
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        32⤵
        
        PID:1960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        32⤵
        
        PID:804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        32⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        33⤵
        
        PID:2252
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        34⤵
        
        PID:980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        34⤵
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        34⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        34⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        35⤵
        
        PID:1532
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        36⤵
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        36⤵
        
        PID:1048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        36⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        37⤵
        
        PID:1640
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        38⤵
        
        PID:2236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        38⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        38⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        39⤵
        
        PID:2024
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        40⤵
        
        PID:2976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        40⤵
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        40⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        40⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        41⤵
        
        PID:2912
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        42⤵
        
        PID:936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        42⤵
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        42⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        43⤵
        
        PID:1240
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        44⤵
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        44⤵
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        44⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        44⤵
        
        PID:1348
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        45⤵
        
        PID:1228
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        46⤵
        
        PID:940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        46⤵
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        46⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        46⤵
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        47⤵
        
        PID:2428
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        48⤵
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        48⤵
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        48⤵
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        48⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        48⤵
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        49⤵
        
        PID:2444
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        50⤵
        
        PID:2084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        50⤵
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        50⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        50⤵
        
        PID:2036
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        51⤵
        
        PID:1764
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        52⤵
        
        PID:1728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        52⤵
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        52⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        52⤵
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        53⤵
        
        PID:2056
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        54⤵
        
        PID:2972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        54⤵
        
        PID:1412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        54⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        54⤵
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        55⤵
        
        PID:1740
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        56⤵
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        56⤵
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        56⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        56⤵
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        57⤵
        
        PID:1792
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        58⤵
        
        PID:1108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        58⤵
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        58⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        58⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        59⤵
        
        PID:2200
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        60⤵
        
        PID:980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        60⤵
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        60⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        60⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        60⤵
        
        PID:2636
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        61⤵
        
        PID:2112
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        62⤵
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        62⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        62⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        62⤵
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        63⤵
        
        PID:2612
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        64⤵
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        64⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        64⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        64⤵
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        65⤵
        
        PID:1364
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        66⤵
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        66⤵
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat"'
        66⤵
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\geek.bat" "
        67⤵
        
        PID:324
        
        C:\Windows\system32\fltMC.exe
        
        fltmc
        68⤵
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        68⤵
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy AllSigned
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ad13ea6a026745529c678c121bbade6e

SHA1
23f61724a3423fb638a4e3d8f90febb44e94ce35

SHA256
81950c674986c31bd70f24dffa7d8ea4512f9869f43eb9c60fcde41bd18839bf

SHA512
a19183f9148aea2be4e618fd4919ca13d6a9fe2c0e04d78e11a6dacbab6e1b1848a7db9ca63daf7346fe4c31c29198eb9c5868dc53508e5e048c6bbc0587c134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQCJUNOJ06GAMJIRC49K.temp

Filesize
7KB

MD5
51e97018280221896a206247ad9aad3b

SHA1
607c553ffca6924c4676b0fb9646daa3401b76c0

SHA256
1f4a990460cc372abde5a9790471611dcaa58accd373bd25f1700646758c03af

SHA512
c35b63a751003fd09e3a3eeaf4fee975e06adabbb187db870ec6115bfb71613a47966ecd402e8a667acd71fd2b8f9de733815e8326b322f8b503895a38856ead

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1552-6-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-8-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-10-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-9-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-11-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-12-0x000007FEF65C0000-0x000007FEF6F5D000-memory.dmp

Filesize
9.6MB

Download
memory/1552-4-0x000007FEF687E000-0x000007FEF687F000-memory.dmp

Filesize
4KB

Download
memory/1552-7-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1552-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2412-19-0x0000000002C20000-0x0000000002C28000-memory.dmp

Filesize
32KB

Download
memory/2412-18-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download