Overview

overview

10

Static

static

3

launcher.exe

windows7-x64

10

launcher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    launcher.exe

  • Size

    121KB

  • MD5

    8356aac5412d5225bf9821d741134fa8

  • SHA1

    9a511abb8f1ede32717302c52ef85b16d1f77702

  • SHA256

    b824428a19f5ea337430fcd7ca5cfaa67d58a5c27e6ae3e4d5688a85f85dbbde

  • SHA512

    a03f1f026ef9a08204b169091b3fc472a10c72e1057ebc706d47ec0d9528a51d2284e6b0a65dfcd0926a9b5ecc1bc64aa2912362bd638ac643c54f64fce9675c

  • SSDEEP

    3072:Tkwn4I8IB14Lf5KoiWoS6vKWxVvZqBWHj0MW1Di/orr9lLsy:Ywx8emLf5K/nSiKW3vj0MW1WQ9lL

Score
10/10
gurcuphemedronexwormexecutionratstealertrojan

Malware Config

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendMessage?chat_id=7184004788

Signatures

  • Detect Xworm Payload 2 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

    stealergurcu
  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 41 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 12 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 20 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:812
      • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
        "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5060
        • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2944
          • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
            "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4960
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:672
            • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
              "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
              6⤵
              • Checks computer location settings
              • Suspicious use of AdjustPrivilegeToken
              PID:4736
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1808
              • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
                7⤵
                • Checks computer location settings
                • Suspicious use of AdjustPrivilegeToken
                PID:3592
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4616
                • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                  "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
                  8⤵
                  • Checks computer location settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3308
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4620
                  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
                    9⤵
                    • Checks computer location settings
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3976
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2112
                    • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                      "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
                      10⤵
                      • Checks computer location settings
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3280
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
                        11⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1416
                      • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                        "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
                        11⤵
                          PID:3884
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
                            12⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:1052
                          • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
                            "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
                            12⤵
                              PID:884
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                              12⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:1332
                            • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                              "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                              12⤵
                                PID:2924
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                                12⤵
                                • Command and Scripting Interpreter: PowerShell
                                PID:860
                              • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                                "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                                12⤵
                                  PID:4616
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                                11⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4508
                              • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                                "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4476
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                                11⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2524
                              • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                                "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                                11⤵
                                • Executes dropped EXE
                                PID:2156
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                              10⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4252
                            • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                              "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2108
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                              10⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3320
                            • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                              "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                              10⤵
                              • Executes dropped EXE
                              PID:964
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4068
                          • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                            "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                            9⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2376
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                              10⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious use of AdjustPrivilegeToken
                              PID:748
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                              10⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious use of AdjustPrivilegeToken
                              PID:948
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\msedge.exe'
                              10⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:4528
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                              10⤵
                              • Command and Scripting Interpreter: PowerShell
                              PID:4336
                            • C:\Windows\System32\schtasks.exe
                              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\msedge.exe"
                              10⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:5048
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1364
                          • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                            "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                            9⤵
                            • Executes dropped EXE
                            PID:5092
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2924
                        • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                          "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3528
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                          8⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4400
                        • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                          "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                          8⤵
                          • Executes dropped EXE
                          PID:4168
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4416
                      • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2444
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1424
                      • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                        7⤵
                        • Executes dropped EXE
                        PID:2376
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5072
                    • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                      "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:664
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1860
                    • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                      "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                      6⤵
                      • Executes dropped EXE
                      PID:764
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                    5⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5116
                  • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3632
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                    5⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3972
                  • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                    "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:4504
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1572
                • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4032
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                  4⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:540
                • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                  "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:4104
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1756
              • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:5080
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3604
              • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                3⤵
                • Executes dropped EXE
                PID:4736
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2776
            • C:\Users\Admin\AppData\Local\Temp\msedge.exe
              "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
              2⤵
              • Checks computer location settings
              • Drops startup file
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2604
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:316
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4788
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\msedge.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4532
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
                3⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1216
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\msedge.exe"
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1000
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /delete /f /tn "msedge"
                3⤵
                  PID:3224
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp.bat""
                  3⤵
                    PID:5040
                    • C:\Windows\system32\timeout.exe
                      timeout 3
                      4⤵
                      • Delays execution with timeout.exe
                      PID:4732
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
                  2⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4208
                • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                  "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:4920
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /4
                1⤵
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:736

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Launcher.exe.log
                Filesize

                1KB

                MD5

                bb6a89a9355baba2918bb7c32eca1c94

                SHA1

                976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

                SHA256

                192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

                SHA512

                efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log
                Filesize

                654B

                MD5

                2ff39f6c7249774be85fd60a8f9a245e

                SHA1

                684ff36b31aedc1e587c8496c02722c6698c1c4e

                SHA256

                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                SHA512

                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                1fee44d99fc4afa998e1fbe887d4133f

                SHA1

                4ce4177db7e940ba0b7adf9ce7fa5dc0732481f3

                SHA256

                43dc153f22a8d306e0c130d1231bb60778c6f4e0bd20be875e79771c71392391

                SHA512

                a6abcb17b4c739f96172f7dc6ee5ba9e8e2c6c73286d1af85644b3cae1c18cfc4613bf84d0d88eff4d952cf4bb66161309dc1293b2d9a45841024d1260d73a4d

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                b55e7e7e1cf4dcec63b70cf4b4f2333c

                SHA1

                91c510eeaacc274510566a3d18dda6088329f79b

                SHA256

                793434f4b09af5f4a51854beb619163aec5444c2aa203daf884e6d88ff4046f9

                SHA512

                83fd25e83437f680667df840b9ad1ff1b513103a15862341b9b6c3ffa50dbcb7c423e256d384ab99d08df3752be4418febcde8b3744972ff6444b03b7c764fef

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                22310ad6749d8cc38284aa616efcd100

                SHA1

                440ef4a0a53bfa7c83fe84326a1dff4326dcb515

                SHA256

                55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

                SHA512

                2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                ba169f4dcbbf147fe78ef0061a95e83b

                SHA1

                92a571a6eef49fff666e0f62a3545bcd1cdcda67

                SHA256

                5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                SHA512

                8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                6abce0438ba510d72488c7236fded601

                SHA1

                88c8118facfa4685553cc1db948773a9ab95171d

                SHA256

                6ec1f525e465016931f20c2c622ecaa89af5601a605a15b04f760f17938a7afe

                SHA512

                ef601544b8f3c8e596dae459eccb977b0fcabcb3b1ad6cec53171a7dd759ee1401a639d81d8455a00b011415c43eedfe4e7461a7032fc8d435090d20b34a825e

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                62d94562013cad250e309b4091503254

                SHA1

                f658f6e53e980694f5ff5bae10455c21ee059a2e

                SHA256

                1ff2d02730e490230262e82169d667b1db011b405f53b3bb4345ed1ee3efc1d5

                SHA512

                282e6777407b759ba15e7410cefc8652ae362a5e9ae13dfb355a3044154ca018a8de2b98df0e83012ae98279480ee3b517c62d33c8122f078ea5f3732aaa2a97

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                cae60f0ddddac635da71bba775a2c5b4

                SHA1

                386f1a036af61345a7d303d45f5230e2df817477

                SHA256

                b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

                SHA512

                28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                5fbb56518e82d1b1e5ef6be3b6693880

                SHA1

                4e7671d0193b6f640d81b3fb91ac17ca67e0632b

                SHA256

                760d5623e712e53485c80330b3e2567577ffcf9397a94c3085bd1999f4650a40

                SHA512

                ff2fff83f094820da4157c907be06039dcc58b1a23e867ba58c0c3f40d8bbd90022161dc3d77c082a765f7f4104f683be995b994183d1899c73bd9131fe614d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                7d1065573a0dbb09303ef324ab9b41a7

                SHA1

                9d0099e575b74d00fa39e3a7e84933c4ed753fc2

                SHA256

                1a6b86d72340011d4bb464c09cf11806b1b371bb70b3e287d3f569e15bcafd97

                SHA512

                bfcd159a47a36bf4fab290631859bd56aabca5577368bae5705cbc254de36a97122d6864a0aecfd8c6d0adb8ed7b3b52fbd4aa6694b9cfa5a9f211e79b39f7a0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                110b59ca4d00786d0bde151d21865049

                SHA1

                557e730d93fdf944a0cad874022df1895fb5b2e2

                SHA256

                77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

                SHA512

                cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                3a6bad9528f8e23fb5c77fbd81fa28e8

                SHA1

                f127317c3bc6407f536c0f0600dcbcf1aabfba36

                SHA256

                986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                SHA512

                846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                0256bd284691ed0fc502ef3c8a7e58dc

                SHA1

                dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

                SHA256

                e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

                SHA512

                c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                ce4540390cc4841c8973eb5a3e9f4f7d

                SHA1

                2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

                SHA256

                e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

                SHA512

                2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                eb1ad317bd25b55b2bbdce8a28a74a94

                SHA1

                98a3978be4d10d62e7411946474579ee5bdc5ea6

                SHA256

                9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

                SHA512

                d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                82a6ead21862d224786c9d152ef719c9

                SHA1

                6b228ba74b8c92744a66b229a0bda73e03275952

                SHA256

                2bd89dd18ed5ccc85f446836227e12e84238ec1881e78f908469471c00f18ecd

                SHA512

                4b95be65195eaf94cead5270a98d3827b0cbfea870b029188846f12c93759108b4c0ed9ed4223a500a2aaf97a4daab02535537c79b67438645adaad528379e01

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                fd98baf5a9c30d41317663898985593b

                SHA1

                ea300b99f723d2429d75a6c40e0838bf60f17aad

                SHA256

                9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

                SHA512

                bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                10890cda4b6eab618e926c4118ab0647

                SHA1

                1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

                SHA256

                00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

                SHA512

                a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                6d14ccefeb263594e60b1765e131f7a3

                SHA1

                4a9ebdc0dff58645406c40b7b140e1b174756721

                SHA256

                57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

                SHA512

                2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                e60eb305a7b2d9907488068b7065abd3

                SHA1

                1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

                SHA256

                ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

                SHA512

                95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                9078a011b49db705765cff4b845368b0

                SHA1

                533576940a2780b894e1ae46b17d2f4224051b77

                SHA256

                c89240e395a581db1b44d204e2bcbd5b0e7f636ac72585d8257e6b901f5a3615

                SHA512

                48e0896fc4818bb7e3f250c5cad70d5e4ce71d3f6a8d2d17d8becc36050c1de2a270fde8dea5bb3462f1e7f5eaf074053390934f26d0186113215a1c4e92dd1e

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                15dde0683cd1ca19785d7262f554ba93

                SHA1

                d039c577e438546d10ac64837b05da480d06bf69

                SHA256

                d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                SHA512

                57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                54522d22658e4f8f87ecb947b71b8feb

                SHA1

                6a6144bdf9c445099f52211b6122a2ecf72b77e9

                SHA256

                af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

                SHA512

                55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                60945d1a2e48da37d4ce8d9c56b6845a

                SHA1

                83e80a6acbeb44b68b0da00b139471f428a9d6c1

                SHA256

                314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

                SHA512

                5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                c08aea9c78561a5f00398a723fdf2925

                SHA1

                2c880cbb5d02169a86bb9517ce2a0184cb177c6e

                SHA256

                63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

                SHA512

                d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                83685d101174171875b4a603a6c2a35c

                SHA1

                37be24f7c4525e17fa18dbd004186be3a9209017

                SHA256

                0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

                SHA512

                005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
                Filesize

                121KB

                MD5

                8ec6238ed8d4909bdde76b64fb9d1e7f

                SHA1

                5b8fcf12943eb425e47ba2e09a760a465fde9085

                SHA256

                cecbc104cfe47d1488d61b4e23b518476f194122539965c20309aa01067712b5

                SHA512

                75281075f3732c1ba70fc0a372facd8714d14bf4a7c7fbce16d3fb51fdcaf2fc5207a769ef109e836e2d4946b42a444f571cbc4349a6444b0f2387d028accebd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jj2c1k5j.dfc.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\msedge.exe
                Filesize

                64KB

                MD5

                2c3e1012f82fbe50509db62017302567

                SHA1

                0c3bcdf9a21e0a2505942cfd5f53279f89acb885

                SHA256

                8a59d37451b5a84dc78c9bef33a183128e48e02367b0ffa786965b41ca1f2237

                SHA512

                77d921b91a646e708555107705f32d55eedfb3b5298be889a7c0f0d9d02b6e3483de7ff147db4c71c571fe366224cdc5e98a89b14df831197d63d9a9a6bb1f43

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp.bat
                Filesize

                158B

                MD5

                76139bd8638637fe874cf883b71088ff

                SHA1

                b733dc9eee479ae54c927f48a978250b6a87c6d9

                SHA256

                6d6aedb5ef5e3486de860e1453a93cc4745cc9f3f1dd87855cfb752efb045f50

                SHA512

                4d0d5006ecfab6c9ef5f9ebe489448a94285eef94f511efc86e512fde211c07da5be058938e4ede0321797da5525d3476a1fee7c1dfc28e8402cda0eaaf9b998

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk
                Filesize

                775B

                MD5

                94c787af66997d4e477cd0c6c6201d5a

                SHA1

                35806083a16efcfcff9584b9efe7530b189c6f5d

                SHA256

                3d19633f390bdc81d4891e976e4459a8bf8fa5ec6b75dc700ef1bc12b9241d94

                SHA512

                21c50196c2eb79e42381dc2277b12d086492575d8461c5ac99601a90bd297f990f7b79b790c7455d3f20d4aebd23f8c88e79e2d25835218c1fb67e1c9f428e3f

                Download Submit

              • memory/736-122-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-125-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-116-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-115-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-114-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-121-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-126-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-124-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-123-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/736-120-0x0000014678210000-0x0000014678211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/748-550-0x000001F632D60000-0x000001F632DA8000-memory.dmp

                Filesize

                288KB

                Download

              • memory/748-551-0x000001F632EF0000-0x000001F63310C000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/1052-596-0x000001D675830000-0x000001D675878000-memory.dmp

                Filesize

                288KB

                Download

              • memory/1052-597-0x000001D675D90000-0x000001D675FAC000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/1500-18-0x00007FFD531C0000-0x00007FFD53C81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1500-4-0x0000016067110000-0x0000016067132000-memory.dmp

                Filesize

                136KB

                Download

              • memory/1500-14-0x00007FFD531C0000-0x00007FFD53C81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1500-15-0x00007FFD531C0000-0x00007FFD53C81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1500-3-0x00007FFD531C0000-0x00007FFD53C81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1520-2-0x00007FFD531C0000-0x00007FFD53C81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1520-0-0x00007FFD531C3000-0x00007FFD531C5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1520-67-0x00007FFD531C0000-0x00007FFD53C81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1520-1-0x00000000004B0000-0x00000000004D4000-memory.dmp

                Filesize

                144KB

                Download

              • memory/2604-42-0x00000000002C0000-0x00000000002D6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/4336-595-0x0000012C78410000-0x0000012C7862C000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/4336-594-0x0000012C783B0000-0x0000012C783F8000-memory.dmp

                Filesize

                288KB

                Download

              • memory/4528-572-0x00000247F9D60000-0x00000247F9DA8000-memory.dmp

                Filesize

                288KB

                Download

              • memory/4528-573-0x00000247F9DB0000-0x00000247F9FCC000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/4788-195-0x00000190204B0000-0x00000190206CC000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/4920-66-0x0000000000B10000-0x0000000000B34000-memory.dmp

                Filesize

                144KB

                Download

              • memory/5060-138-0x00000291C0A60000-0x00000291C0C7C000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/5116-241-0x0000026937C20000-0x0000026937E3C000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/5116-240-0x0000026937A80000-0x0000026937AC8000-memory.dmp

                Filesize

                288KB

                Download