Analysis
-
max time kernel
39s -
max time network
39s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 15:43
Static task
static1
Behavioral task
behavioral1
Sample
launcher.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
launcher.exe
Resource
win10v2004-20240802-en
Errors
General
-
Target
launcher.exe
-
Size
290KB
-
MD5
f88e545bdd58b37a68bc7713d1384889
-
SHA1
a3217c5d7d100b26026bf996cdf5ac9044803d5c
-
SHA256
935bd6efb26aacc691dc4dc21587da49979df1bfe9312557751290b52e040850
-
SHA512
f0512e6b08c377eefa87b8c1e6de8060c50258d87ed25e7034b1c70738fc5e81794450f4b04e390e36a5e52adbff526f1c499cae29d34561fa7eb5e19269d313
-
SSDEEP
6144:qr8emLf5K/nSiKWiB3XjdOwkL1xO7Yd+U9dLgHf6TUIa1bq/KMw:PeAxKPPiB3zEjLP+Yd6f6J
Malware Config
Extracted
phemedrone
https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0009000000023423-34.dat family_xworm behavioral2/memory/4716-41-0x0000000000760000-0x0000000000776000-memory.dmp family_xworm -
Phemedrone
An information and wallet stealer written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 37 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 868 powershell.exe 2008 powershell.exe 4760 powershell.exe 2984 powershell.exe 4656 powershell.exe 1912 powershell.exe 1588 powershell.exe 1076 powershell.exe 2480 powershell.exe 3900 powershell.exe 3812 powershell.exe 1992 powershell.exe 4892 powershell.exe 700 powershell.exe 2348 powershell.exe 628 powershell.exe 4368 powershell.exe 3976 powershell.exe 4540 powershell.exe 3700 powershell.exe 5016 powershell.exe 4568 powershell.exe 4332 powershell.exe 1536 powershell.exe 1636 powershell.exe 636 powershell.exe 1164 powershell.exe 2532 powershell.exe 2416 powershell.exe 2376 powershell.exe 3240 powershell.exe 3056 powershell.exe 3732 powershell.exe 1292 powershell.exe 3732 powershell.exe 2384 powershell.exe 2420 powershell.exe -
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation launcher.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk msedge.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk msedge.exe -
Executes dropped EXE 23 IoCs
pid Process 4716 msedge.exe 1224 Otupevi.exe 4332 msedge.exe 3984 Otupevi.exe 856 msedge.exe 4236 Otupevi.exe 2416 msedge.exe 3548 Otupevi.exe 2164 msedge.exe 3596 Otupevi.exe 1768 msedge.exe 4184 Otupevi.exe 5092 msedge.exe 2108 Otupevi.exe 4428 msedge.exe 4532 msedge.exe 3748 Otupevi.exe 3616 msedge.exe 1236 Otupevi.exe 2588 msedge.exe 4152 Otupevi.exe 4304 msedge.exe 2532 Otupevi.exe -
Adds Run key to start application 2 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe" launcher.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 ip-api.com 14 ip-api.com 17 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 396 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2376 powershell.exe 2376 powershell.exe 3240 powershell.exe 3240 powershell.exe 3732 powershell.exe 3732 powershell.exe 4540 powershell.exe 4540 powershell.exe 4892 powershell.exe 4892 powershell.exe 772 taskmgr.exe 772 taskmgr.exe 868 powershell.exe 868 powershell.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 1536 powershell.exe 1536 powershell.exe 1636 powershell.exe 1636 powershell.exe 772 taskmgr.exe 636 powershell.exe 636 powershell.exe 636 powershell.exe 3056 powershell.exe 3056 powershell.exe 3056 powershell.exe 2384 powershell.exe 2384 powershell.exe 2384 powershell.exe 772 taskmgr.exe 772 taskmgr.exe 1912 powershell.exe 1912 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 772 taskmgr.exe 3732 powershell.exe 3732 powershell.exe 3732 powershell.exe 2984 powershell.exe 2984 powershell.exe 2984 powershell.exe 772 taskmgr.exe 2420 powershell.exe 2420 powershell.exe 772 taskmgr.exe 772 taskmgr.exe 1076 powershell.exe 1076 powershell.exe 700 powershell.exe 700 powershell.exe 700 powershell.exe 772 taskmgr.exe 2480 powershell.exe 2480 powershell.exe 2480 powershell.exe 772 taskmgr.exe 772 taskmgr.exe 1292 powershell.exe 1292 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4112 launcher.exe Token: SeDebugPrivilege 2376 powershell.exe Token: SeDebugPrivilege 3240 powershell.exe Token: SeDebugPrivilege 4716 msedge.exe Token: SeDebugPrivilege 3732 powershell.exe Token: SeDebugPrivilege 3548 launcher.exe Token: SeDebugPrivilege 4540 powershell.exe Token: SeDebugPrivilege 4892 powershell.exe Token: SeDebugPrivilege 772 taskmgr.exe Token: SeSystemProfilePrivilege 772 taskmgr.exe Token: SeCreateGlobalPrivilege 772 taskmgr.exe Token: SeDebugPrivilege 4332 msedge.exe Token: SeDebugPrivilege 868 powershell.exe Token: SeDebugPrivilege 3280 launcher.exe Token: SeDebugPrivilege 1536 powershell.exe Token: SeDebugPrivilege 1636 powershell.exe Token: SeDebugPrivilege 856 msedge.exe Token: SeDebugPrivilege 636 powershell.exe Token: SeDebugPrivilege 3056 powershell.exe Token: SeDebugPrivilege 2384 powershell.exe Token: SeDebugPrivilege 1912 powershell.exe Token: SeDebugPrivilege 1588 powershell.exe Token: SeDebugPrivilege 5112 launcher.exe Token: SeDebugPrivilege 3732 powershell.exe Token: SeDebugPrivilege 2984 powershell.exe Token: SeDebugPrivilege 4716 msedge.exe Token: SeDebugPrivilege 2416 msedge.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 2708 launcher.exe Token: SeDebugPrivilege 1076 powershell.exe Token: SeDebugPrivilege 700 powershell.exe Token: SeDebugPrivilege 2164 msedge.exe Token: SeDebugPrivilege 2480 powershell.exe Token: SeDebugPrivilege 3680 launcher.exe Token: SeDebugPrivilege 1292 powershell.exe Token: SeDebugPrivilege 2008 powershell.exe Token: SeDebugPrivilege 1768 msedge.exe Token: SeDebugPrivilege 2348 powershell.exe Token: SeDebugPrivilege 1708 launcher.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeDebugPrivilege 2532 powershell.exe Token: SeDebugPrivilege 5092 msedge.exe Token: SeDebugPrivilege 3700 powershell.exe Token: SeDebugPrivilege 4428 msedge.exe Token: SeDebugPrivilege 4740 launcher.exe Token: SeDebugPrivilege 628 powershell.exe Token: SeDebugPrivilege 4368 powershell.exe Token: SeDebugPrivilege 4532 msedge.exe Token: SeDebugPrivilege 3976 powershell.exe Token: SeDebugPrivilege 1872 launcher.exe Token: SeDebugPrivilege 5016 powershell.exe Token: SeDebugPrivilege 2416 powershell.exe Token: SeDebugPrivilege 3616 msedge.exe Token: SeDebugPrivilege 4656 powershell.exe Token: SeDebugPrivilege 636 launcher.exe Token: SeDebugPrivilege 3900 powershell.exe Token: SeDebugPrivilege 4568 powershell.exe Token: SeDebugPrivilege 2588 msedge.exe Token: SeDebugPrivilege 3812 powershell.exe Token: SeDebugPrivilege 3932 launcher.exe Token: SeDebugPrivilege 1992 powershell.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeDebugPrivilege 4304 msedge.exe Token: SeDebugPrivilege 4760 powershell.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
pid Process 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe -
Suspicious use of SendNotifyMessage 43 IoCs
pid Process 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe 772 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2928 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4112 wrote to memory of 2376 4112 launcher.exe 83 PID 4112 wrote to memory of 2376 4112 launcher.exe 83 PID 4112 wrote to memory of 3548 4112 launcher.exe 87 PID 4112 wrote to memory of 3548 4112 launcher.exe 87 PID 4112 wrote to memory of 3240 4112 launcher.exe 88 PID 4112 wrote to memory of 3240 4112 launcher.exe 88 PID 4112 wrote to memory of 4716 4112 launcher.exe 91 PID 4112 wrote to memory of 4716 4112 launcher.exe 91 PID 4112 wrote to memory of 3732 4112 launcher.exe 92 PID 4112 wrote to memory of 3732 4112 launcher.exe 92 PID 4112 wrote to memory of 1224 4112 launcher.exe 94 PID 4112 wrote to memory of 1224 4112 launcher.exe 94 PID 3548 wrote to memory of 4540 3548 launcher.exe 98 PID 3548 wrote to memory of 4540 3548 launcher.exe 98 PID 3548 wrote to memory of 3280 3548 launcher.exe 100 PID 3548 wrote to memory of 3280 3548 launcher.exe 100 PID 3548 wrote to memory of 4892 3548 launcher.exe 101 PID 3548 wrote to memory of 4892 3548 launcher.exe 101 PID 3548 wrote to memory of 4332 3548 launcher.exe 105 PID 3548 wrote to memory of 4332 3548 launcher.exe 105 PID 3548 wrote to memory of 868 3548 launcher.exe 106 PID 3548 wrote to memory of 868 3548 launcher.exe 106 PID 3548 wrote to memory of 3984 3548 launcher.exe 108 PID 3548 wrote to memory of 3984 3548 launcher.exe 108 PID 3280 wrote to memory of 1536 3280 launcher.exe 111 PID 3280 wrote to memory of 1536 3280 launcher.exe 111 PID 3280 wrote to memory of 5112 3280 launcher.exe 113 PID 3280 wrote to memory of 5112 3280 launcher.exe 113 PID 3280 wrote to memory of 1636 3280 launcher.exe 114 PID 3280 wrote to memory of 1636 3280 launcher.exe 114 PID 3280 wrote to memory of 856 3280 launcher.exe 118 PID 3280 wrote to memory of 856 3280 launcher.exe 118 PID 3280 wrote to memory of 636 3280 launcher.exe 119 PID 3280 wrote to memory of 636 3280 launcher.exe 119 PID 4716 wrote to memory of 3056 4716 msedge.exe 121 PID 4716 wrote to memory of 3056 4716 msedge.exe 121 PID 3280 wrote to memory of 4236 3280 launcher.exe 123 PID 3280 wrote to memory of 4236 3280 launcher.exe 123 PID 4716 wrote to memory of 2384 4716 msedge.exe 126 PID 4716 wrote to memory of 2384 4716 msedge.exe 126 PID 4716 wrote to memory of 1912 4716 msedge.exe 128 PID 4716 wrote to memory of 1912 4716 msedge.exe 128 PID 4716 wrote to memory of 1588 4716 msedge.exe 130 PID 4716 wrote to memory of 1588 4716 msedge.exe 130 PID 5112 wrote to memory of 3732 5112 launcher.exe 132 PID 5112 wrote to memory of 3732 5112 launcher.exe 132 PID 5112 wrote to memory of 2708 5112 launcher.exe 134 PID 5112 wrote to memory of 2708 5112 launcher.exe 134 PID 5112 wrote to memory of 2984 5112 launcher.exe 135 PID 5112 wrote to memory of 2984 5112 launcher.exe 135 PID 4716 wrote to memory of 396 4716 msedge.exe 137 PID 4716 wrote to memory of 396 4716 msedge.exe 137 PID 5112 wrote to memory of 2416 5112 launcher.exe 139 PID 5112 wrote to memory of 2416 5112 launcher.exe 139 PID 5112 wrote to memory of 2420 5112 launcher.exe 140 PID 5112 wrote to memory of 2420 5112 launcher.exe 140 PID 5112 wrote to memory of 3548 5112 launcher.exe 142 PID 5112 wrote to memory of 3548 5112 launcher.exe 142 PID 2708 wrote to memory of 1076 2708 launcher.exe 145 PID 2708 wrote to memory of 1076 2708 launcher.exe 145 PID 2708 wrote to memory of 3680 2708 launcher.exe 147 PID 2708 wrote to memory of 3680 2708 launcher.exe 147 PID 2708 wrote to memory of 700 2708 launcher.exe 148 PID 2708 wrote to memory of 700 2708 launcher.exe 148 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"3⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"4⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"5⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"6⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"7⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"8⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4740 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:628
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"9⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"10⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:636 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"11⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3932 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"12⤵PID:3908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"12⤵
- Executes dropped EXE
PID:2532
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3812
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"11⤵
- Executes dropped EXE
PID:4152
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"10⤵
- Executes dropped EXE
PID:1236
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4368
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"9⤵
- Executes dropped EXE
PID:3748
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"8⤵
- Executes dropped EXE
PID:2108
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"7⤵
- Executes dropped EXE
PID:4184
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"6⤵
- Executes dropped EXE
PID:3596
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"5⤵
- Executes dropped EXE
PID:3548
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"4⤵
- Executes dropped EXE
PID:4236
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"3⤵
- Executes dropped EXE
PID:3984
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3240
-
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:396
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /s /t 03⤵PID:4808
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732
-
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"2⤵
- Executes dropped EXE
PID:1224
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772
-
C:\Users\Admin\AppData\Roaming\msedge.exeC:\Users\Admin\AppData\Roaming\msedge.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3929855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2928
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bb6a89a9355baba2918bb7c32eca1c94
SHA1976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2
SHA256192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b
SHA512efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5993af531f0b57e8128ec273731c3a8e2
SHA1a42ea55876f4f390837dd2c95fb7ff2344b6e9e1
SHA256fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62
SHA512bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4
-
Filesize
944B
MD5800b177dc8e90422f2d2b13672e3ab07
SHA11ecd97cc3aec28e977e8155f2356908b184f3146
SHA25624018c11408969d7b64c65a3b80cd4df17533d052b7557478006ea65ff497e6e
SHA5125d59c7357b0ce9b1ee7e339a4f370bf84640c2f1ed050b767f0f1e380f2a432dd375b801ee56dbd5c480738e77e0701606d1e8e338f33b1d8655c31bed8a0638
-
Filesize
944B
MD5ce4540390cc4841c8973eb5a3e9f4f7d
SHA12293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA5122a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b
-
Filesize
944B
MD5fb1fbb8252c33d25c03eec10a34da80a
SHA148ab9995c432b77e1dff35fd4146be75f5e5bdaf
SHA25682b5fe563b356199e8b36b9e4939a1a70109f47c8876819217ab7ed757bf77d8
SHA5123b70a72bab968657d5cc6eae40676ccdaf78e4995f3ed5e72b5e5d7e2224f3a9b48d5f52df0ca44079d2c3c57ea9f16c8612487ea36e21414a4622739a8d3cf2
-
Filesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
Filesize
944B
MD5bd2d04a3823d3e21fd5835181caebcaf
SHA12507b0e1b5d177811f5df27fc462ca35c194d197
SHA25629c3c7a21a1b670ace9b6de23ccdca331305c8aa1e806ad2f87ebf9e35b95e30
SHA5123556cf6c246cc0018d55d4de8b949e5b3898ce09612418cab8527b40b1711b51930b03096271e88876a75a2d59a102efd9720ca20de7dc8fae2bba77e4819114
-
Filesize
944B
MD53072fa0040b347c3941144486bf30c6f
SHA1e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA51262df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c
-
Filesize
944B
MD5d8cb3e9459807e35f02130fad3f9860d
SHA15af7f32cb8a30e850892b15e9164030a041f4bd6
SHA2562b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD5dd1d0b083fedf44b482a028fb70b96e8
SHA1dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA51296bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973
-
Filesize
944B
MD55975b5468bc0f725030e72a3533f91ea
SHA1249a8198bfe39199ec7741708e5436604f035328
SHA256322dbe57f25e9f49c83fbb27ccb175f2cfcadb56593aeb19d6906051f0af5dd2
SHA512ee56afaada20e8cc2e1014f807325eddcb9d2401eb6c38df7d46998cd559e697292661c120057daf47f097e0bf6b6fc318979b07143b5c101809391d533717e1
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD54920f7bec7cdb8ac44637a6af9d2fc6f
SHA1d4c5e3c9397926ec9bdaccdd955e89f5138b1816
SHA2568cc607eab702c5690ee5d64f5d34add46b7093c23751506dad728853a434a277
SHA512321e8178ebd08d680c6d1af467ab73e3055af8c8bb06ee81b1af46bd6718e5a060c339da5a281028c2557ab8d85172921e10363ccd8d411aa0e75f62119838d7
-
Filesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
Filesize
944B
MD501fff31a70e26012f37789b179059e32
SHA1555b6f05cce7daf46920df1c01eb5c55dc62c9e6
SHA256adf65afaf1c83572f05a99bf2ede8eb7be1aab0717d5254f501d5e09ba6f587b
SHA512ac310c9bc5c1effc45e1e425972b09d1f961af216b50e1a504caa046b7f1a5f3179760e0b29591d83756ecb686d17a24770cf06fcea57e6f287ca5bbf6b6971b
-
Filesize
944B
MD5305f66ef4692bfb9b11912e98272e750
SHA14070e6766555ac1062417e950c907cbd3485f3c5
SHA25686ef5fc30e723e4023b040e6e80a9a41b835a2a86fc6c3faea4af3afa896a244
SHA51286f2800d55153a9f8f342983b4c5ad52d632e3dbcf9c28a631b44f265954935cd1e378d395c5699f7ab59c2b050d3f63d85a1606baa97ce97e00eaf30052df6f
-
Filesize
944B
MD5085e0a3b869f290afea5688a8ac4e7c5
SHA10fedef5057708908bcca9e7572be8f46cef4f3ca
SHA2561fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c
SHA512bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede
-
Filesize
944B
MD5e58749a7a1826f6ea62df1e2ef63a32b
SHA1c0bca21658b8be4f37b71eec9578bfefa44f862d
SHA2560e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93
SHA5124cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70
-
Filesize
944B
MD5ef72c47dbfaae0b9b0d09f22ad4afe20
SHA15357f66ba69b89440b99d4273b74221670129338
SHA256692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA5127514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4
-
Filesize
944B
MD55cfe303e798d1cc6c1dab341e7265c15
SHA1cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
-
Filesize
944B
MD560945d1a2e48da37d4ce8d9c56b6845a
SHA183e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA5125d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed
-
Filesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
Filesize
944B
MD5b4b6d4cc52b5a3a71149b1f33d94d5de
SHA197d3dbdd24919eab70e3b14c68797cefc07e90dd
SHA256da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe
SHA512fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
944B
MD5e69c5554cfe965e000e33ee9f1cd88d5
SHA1ef74e8e9a0113870c87ece51d4e86040b1eeecdc
SHA256712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0
SHA5126a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16
-
Filesize
944B
MD5c1b0a9f26c3e1786191e94e419f1fbf9
SHA17f3492f4ec2d93e164f43fe2606b53edcffd8926
SHA256796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113
SHA512fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8
-
Filesize
121KB
MD58ec6238ed8d4909bdde76b64fb9d1e7f
SHA15b8fcf12943eb425e47ba2e09a760a465fde9085
SHA256cecbc104cfe47d1488d61b4e23b518476f194122539965c20309aa01067712b5
SHA51275281075f3732c1ba70fc0a372facd8714d14bf4a7c7fbce16d3fb51fdcaf2fc5207a769ef109e836e2d4946b42a444f571cbc4349a6444b0f2387d028accebd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
62KB
MD5f1189afc4cd432fb5f8725b72ed03ff5
SHA1ab953a4f598e15a185473b364a39996491f1b4b8
SHA2567091e399cf8e6a69d5fca8f007d8588cef7529aecf1e74c7d39b885edd448fff
SHA512d74662b5d786dde5617332821f30c9e472fac0cde0cc3c314ad52ac87bcced2c154823d879a2f581da064348562e4f880dc3df88240ce7ecb1da64be8e2687e2
-
Filesize
766B
MD5f36277112c8c7821d64eb1617fad559e
SHA1e0bc2f84e25463fdaeb0d11ebe46132e359fb1d4
SHA2568f815889c9cfeb932fa546debe6d52cbbebd27323a211b38605aee7e53e6abb4
SHA512e3c4d2ff54711e4e0488be46b96f15af5eaba96ef2c1b1037b5d6dd381234e0568430fc63aa4ccb92316b1edb01a655e1440168d395aaedfd8d53bc77f796711