Analysis

  • max time kernel
    39s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-09-2024 15:43

Errors

Reason
Machine shutdown (caused by the sample itself: the dropped msedge.exe runs shutdown.exe /f /s /t 0, see the process tree, which is why the run ended at 39s)

General

  • Target

    launcher.exe

  • Size

    290KB

  • MD5

    f88e545bdd58b37a68bc7713d1384889

  • SHA1

    a3217c5d7d100b26026bf996cdf5ac9044803d5c

  • SHA256

    935bd6efb26aacc691dc4dc21587da49979df1bfe9312557751290b52e040850

  • SHA512

    f0512e6b08c377eefa87b8c1e6de8060c50258d87ed25e7034b1c70738fc5e81794450f4b04e390e36a5e52adbff526f1c499cae29d34561fa7eb5e19269d313

  • SSDEEP

    6144:qr8emLf5K/nSiKWiB3XjdOwkL1xO7Yd+U9dLgHf6TUIa1bq/KMw:PeAxKPPiB3zEjLP+Yd6f6J

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument
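The C2 above is not attacker-owned infrastructure but Telegram's public Bot API: the stealer uploads its archive with the sendDocument method to a bot identified by the token in the URL path. Blocking api.telegram.org outright has collateral, so the usable indicator is the numeric bot id before the colon, which stays fixed even if the secret half of the token is rotated. The Python below is an added example, not part of this report or of the malware: it parses the URL, redacts the secret so the IoC can be shared, and hunts a few proxy-log lines for traffic to the same bot. The log format and the second, benign token are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# C2 URL as extracted in the Malware Config section of this report.
C2_URL = ("https://api.telegram.org/bot7093178471:"
          "AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument")

# Bot API path layout: /bot<numeric bot id>:<35-char secret>/<method>
BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>\w+)$")


def parse_telegram_c2(url):
    """Return bot id, secret and method for a Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(parts.path)
    return m.groupdict() if m else None


def redact(url):
    """Mask the secret half of the token so the indicator can be shared."""
    c2 = parse_telegram_c2(url)
    if c2 is None:
        return url
    return url.replace(c2["secret"], c2["secret"][:4] + "[redacted]")


@dataclass(frozen=True)
class Hit:
    client: str
    verdict: str
    url: str  # redacted form


# Constructed proxy log lines: "<timestamp> <client> <verb> <url> <status>".
# The second token is made up for this example and belongs to no real bot.
PROXY_LOG = [
    "2024-09-16T15:44:01Z 10.0.0.23 POST " + C2_URL + " 200",
    "2024-09-16T15:44:05Z 10.0.0.41 GET https://api.telegram.org/"
    "bot1234567890:AAEconstructedbenignbottoken0000000/getUpdates 200",
    "2024-09-16T15:44:09Z 10.0.0.23 GET https://telegram.org/ 200",
]


def hunt(log_lines, c2):
    """Flag Bot API traffic; match on the bot id, which outlives a rotated secret."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        seen = parse_telegram_c2(fields[3])
        if seen is None:
            continue
        verdict = ("known_c2_bot" if seen["bot_id"] == c2["bot_id"]
                   else "review_telegram_bot_api")
        hits.append(Hit(fields[1], verdict, redact(fields[3])))
    return hits


if __name__ == "__main__":
    c2 = parse_telegram_c2(C2_URL)
    print("bot id:", c2["bot_id"], "method:", c2["method"])
    for h in hunt(PROXY_LOG, c2):
        print(h.client, h.verdict, h.url)
```

Any workstation talking to the Bot API deserves a look (the review verdict), but only the bot id from this report is a confirmed match; keep the full token out of tickets and shared IoC lists, since it is a live credential for the attacker's bot.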

Signatures

  • Detect Xworm Payload 2 IoCs
  • Phemedrone

    An information and wallet stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 37 IoCs

    Runs PowerShell (Add-MpPreference) to add Windows Defender exclusions. In this run the exclusions cover paths under the user's Temp and Roaming directories and the process name msedge.exe.

  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up the country code configured in the registry, most likely to geofence execution.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 23 IoCs
  • Adds Run key to start application 2 TTPs 11 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the hits come from taskmgr.exe (PID 772), not from the sample or its dropped files.

  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4540
      • C:\Users\Admin\AppData\Local\Temp\launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        3⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1536
        • C:\Users\Admin\AppData\Local\Temp\launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
          4⤵
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3732
          • C:\Users\Admin\AppData\Local\Temp\launcher.exe
            "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
            5⤵
            • Checks computer location settings
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2708
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1076
            • C:\Users\Admin\AppData\Local\Temp\launcher.exe
              "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
              6⤵
              • Checks computer location settings
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              PID:3680
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1292
              • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                7⤵
                • Checks computer location settings
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                PID:1708
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1164
                • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                  8⤵
                  • Checks computer location settings
                  • Adds Run key to start application
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4740
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:628
                  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                    9⤵
                    • Checks computer location settings
                    • Adds Run key to start application
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1872
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5016
                    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                      10⤵
                      • Checks computer location settings
                      • Adds Run key to start application
                      • Suspicious use of AdjustPrivilegeToken
                      PID:636
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                        11⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3900
                      • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                        11⤵
                        • Checks computer location settings
                        • Adds Run key to start application
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3932
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1992
                        • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                          "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                          12⤵
                            PID:3908
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                            12⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4332
                          • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                            "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                            12⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4304
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                            12⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4760
                          • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                            "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                            12⤵
                            • Executes dropped EXE
                            PID:2532
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                          11⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4568
                        • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                          "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                          11⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2588
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                          11⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3812
                        • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                          "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                          11⤵
                          • Executes dropped EXE
                          PID:4152
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2416
                      • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3616
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4656
                      • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                        10⤵
                        • Executes dropped EXE
                        PID:1236
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4368
                    • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                      "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4532
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3976
                    • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                      "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                      9⤵
                      • Executes dropped EXE
                      PID:3748
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2532
                  • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5092
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3700
                  • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                    "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:2108
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2008
                • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1768
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2348
                • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                  "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:4184
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:700
              • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2164
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2480
              • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                6⤵
                • Executes dropped EXE
                PID:3596
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2984
            • C:\Users\Admin\AppData\Local\Temp\msedge.exe
              "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2420
            • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
              "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
              5⤵
              • Executes dropped EXE
              PID:3548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\Users\Admin\AppData\Local\Temp\msedge.exe
            "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:636
          • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
            "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
            4⤵
            • Executes dropped EXE
            PID:4236
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4892
        • C:\Users\Admin\AppData\Local\Temp\msedge.exe
          "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4332
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:868
        • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
          "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
          3⤵
          • Executes dropped EXE
          PID:3984
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3240
      • C:\Users\Admin\AppData\Local\Temp\msedge.exe
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3056
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2384
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1912
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1588
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:396
        • C:\Windows\SYSTEM32\shutdown.exe
          shutdown.exe /f /s /t 0
          3⤵
            PID:4808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3732
        • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
          "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
          2⤵
          • Executes dropped EXE
          PID:1224
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:772
  • C:\Users\Admin\AppData\Roaming\msedge.exe
    C:\Users\Admin\AppData\Roaming\msedge.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4428
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3929855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2928
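The process tree repeats the same three host-level actions at every level of the launcher.exe relaunch chain: Add-MpPreference exclusions for paths under %TEMP% and %APPDATA% and for the process name msedge.exe, a schtasks task named msedge that runs the %APPDATA% copy every minute at the highest run level, and finally a forced shutdown. The Python below is an added example, not part of the Triage report or of the malware: a small command-line detector run over the command lines quoted above, plus one constructed benign exclusion as a negative case. The rule names and the list of user-writable directories are the example's own choices.

```python
import re
import shlex
from dataclasses import dataclass

# Prefix shared by every PowerShell launch in the process tree of this report.
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '

# Command lines from the process tree above, plus one constructed benign
# exclusion (a server role directory) so the detector has a negative case.
SAMPLE_CMDLINES = [
    PS + "Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Temp\\launcher.exe'",
    PS + "Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Roaming\\msedge.exe'",
    PS + "Add-MpPreference -ExclusionProcess 'msedge.exe'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"',
    "shutdown.exe /f /s /t 0",
    r'"C:\Windows\system32\taskmgr.exe" /4',
    PS + "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Microsoft SQL Server'",  # constructed, benign
]


@dataclass(frozen=True)
class Finding:
    rule: str      # the example's own rule name
    value: str     # excluded object, task name and target, or switches
    cmdline: str


EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)

# Directories any user can write to. A Defender exclusion pointing here is the
# strongest signal in this tree; legitimate admin exclusions rarely live there.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _tokens(cmdline):
    # posix=False keeps backslashes literal; quotes stay attached to tokens,
    # so they are stripped wherever a value is read.
    return shlex.split(cmdline, posix=False)


def _switches(tokens):
    """Map schtasks-style switches to their values ("" for bare switches)."""
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1].strip('"')
            i += 2
        else:
            opts[key] = ""
            i += 1
    return opts


def scan(cmdlines):
    findings = []
    for cl in cmdlines:
        m = EXCLUSION_RE.search(cl)
        if m:
            kind, value = m.group(1).lower(), m.group(2).strip()
            if kind == "process":
                # A bare image name excludes every process with that name, wherever it lives.
                rule = "defender_exclusion_process"
            elif any(d in value.lower() for d in USER_WRITABLE):
                rule = "defender_exclusion_user_writable"
            else:
                rule = "defender_exclusion_other"
            findings.append(Finding(rule, value, cl))
            continue
        tokens = _tokens(cl)
        if not tokens:
            continue
        image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
        flags = {t.lower() for t in tokens[1:]}
        if image == "schtasks.exe" and "/create" in flags:
            opts = _switches(tokens[1:])
            target = opts.get("/tr", "")
            # Every minute (/mo defaults to 1 for /sc minute), or any target in a
            # user-writable directory, is worth a finding on its own.
            tight_loop = opts.get("/sc", "").lower() == "minute" and opts.get("/mo", "1") == "1"
            if tight_loop or any(d in target.lower() for d in USER_WRITABLE):
                findings.append(Finding("schtasks_persistence",
                                        f"{opts.get('/tn', '?')} -> {target}", cl))
        elif image == "shutdown.exe" and {"/s", "/f"} <= flags:
            findings.append(Finding("forced_shutdown", " ".join(tokens[1:]), cl))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.rule:34} {f.value}")
```

Two design points: -ExecutionPolicy Bypass is not a rule on its own, because admin scripts use it constantly, and the process exclusion gets its own rule because Defender matches a bare image name against every process called msedge.exe, so the dropped copies in Temp and Roaming inherit it along with the real browser.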

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log

        Filesize

        1KB

        MD5

        bb6a89a9355baba2918bb7c32eca1c94

        SHA1

        976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

        SHA256

        192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

        SHA512

        efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        993af531f0b57e8128ec273731c3a8e2

        SHA1

        a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

        SHA256

        fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

        SHA512

        bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

      • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe

        Filesize

        121KB

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eutrms20.354.ps1

        Filesize

        60B

      • C:\Users\Admin\AppData\Local\Temp\msedge.exe

        Filesize

        62KB

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

        Filesize

        766B

      • memory/772-110-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-111-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-112-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-113-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-101-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-102-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-109-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-103-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-108-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/772-107-0x00000208E8E70000-0x00000208E8E71000-memory.dmp

        Filesize

        4KB

      • memory/1224-65-0x0000000000F70000-0x0000000000F94000-memory.dmp

        Filesize

        144KB

      • memory/2376-17-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

        Filesize

        10.8MB

      • memory/2376-10-0x000002E6CB370000-0x000002E6CB392000-memory.dmp

        Filesize

        136KB

      • memory/2376-4-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

        Filesize

        10.8MB

      • memory/2376-3-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

        Filesize

        10.8MB

      • memory/4112-0-0x00007FF95A9B3000-0x00007FF95A9B5000-memory.dmp

        Filesize

        8KB

      • memory/4112-66-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

        Filesize

        10.8MB

      • memory/4112-2-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

        Filesize

        10.8MB

      • memory/4112-1-0x00000000003C0000-0x000000000040E000-memory.dmp

        Filesize

        312KB

      • memory/4332-553-0x0000018DCBF30000-0x0000018DCC14C000-memory.dmp

        Filesize

        2.1MB

      • memory/4716-41-0x0000000000760000-0x0000000000776000-memory.dmp

        Filesize

        88KB