phemedrone | 8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175

Analysis

max time kernel
32s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe
Size

291KB
MD5

11501a69ddf54287446e4cffa4d268a3
SHA1

09bab84093ed44ec38bc240459c9e1905762110f
SHA256

8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175
SHA512

bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d
SSDEEP

6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J

Score

10^/10

phemedrone xworm execution rat stealer trojan

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\msedge.exe	family_xworm
behavioral1/memory/552-42-0x0000000000DC0000-0x0000000000DD6000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 34 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2676	powershell.exe
4452	powershell.exe
1848	powershell.exe
3124	powershell.exe
208	powershell.exe
3280	powershell.exe
3960	powershell.exe
64	powershell.exe
4636	powershell.exe
4148	powershell.exe
3964	powershell.exe
4592	powershell.exe
3844	powershell.exe
3188	powershell.exe
3840	powershell.exe
1352	powershell.exe
2392	powershell.exe
1184	powershell.exe
1344	powershell.exe
1792	powershell.exe
4848	powershell.exe
3504	powershell.exe
972	powershell.exe
2316	powershell.exe
3940	powershell.exe
3504	powershell.exe
1332	powershell.exe
3892	powershell.exe
3980	powershell.exe
3648	powershell.exe
3928	powershell.exe
3940	powershell.exe
3460	powershell.exe
5028	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

launcher.exelauncher.exelauncher.exelauncher.exemsedge.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launcher.exe

Drops startup file 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 20 IoCs

Processes:

msedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exe

pid	process
552	msedge.exe
1692	Otupevi.exe
4920	msedge.exe
4864	Otupevi.exe
1532	msedge.exe
316	Otupevi.exe
4412	msedge.exe
1436	Otupevi.exe
2292	msedge.exe
4884	Otupevi.exe
472	msedge.exe
2848	Otupevi.exe
3968	msedge.exe
220	Otupevi.exe
1788	msedge.exe
1852	Otupevi.exe
4152	msedge.exe
4264	Otupevi.exe
4460	msedge.exe
4236	Otupevi.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
17 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

840 schtasks.exe

flow	ioc
12	ip-api.com
17	ip-api.com

pid	process
840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
4848	powershell.exe
4848	powershell.exe
3960	powershell.exe
3960	powershell.exe
3844	powershell.exe
3844	powershell.exe
3124	powershell.exe
3124	powershell.exe
64	powershell.exe
64	powershell.exe
3980	powershell.exe
3980	powershell.exe
208	powershell.exe
208	powershell.exe
3188	powershell.exe
3188	powershell.exe
3504	powershell.exe
3504	powershell.exe
2676	powershell.exe
2676	powershell.exe
3840	powershell.exe
3840	powershell.exe
4452	powershell.exe
4452	powershell.exe
1352	powershell.exe
1352	powershell.exe
1848	powershell.exe
1848	powershell.exe
4636	powershell.exe
4636	powershell.exe
1332	powershell.exe
1332	powershell.exe
2392	powershell.exe
2392	powershell.exe
3648	powershell.exe
3648	powershell.exe
972	powershell.exe
972	powershell.exe
1184	powershell.exe
1184	powershell.exe
2316	powershell.exe
2316	powershell.exe
3928	powershell.exe
3928	powershell.exe
1344	powershell.exe
1344	powershell.exe
3940	powershell.exe
3940	powershell.exe
3460	powershell.exe
3460	powershell.exe
4148	powershell.exe
4148	powershell.exe
3964	powershell.exe
3964	powershell.exe
5028	powershell.exe
5028	powershell.exe
3940	powershell.exe
3940	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

launcher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2428	launcher.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	552	msedge.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	2340	launcher.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	4920	msedge.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	2168	launcher.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	1532	msedge.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1316	launcher.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	552	msedge.exe
Token: SeDebugPrivilege	4412	msedge.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	688	launcher.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	2292	msedge.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2372	launcher.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	472	msedge.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3148	launcher.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3968	msedge.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4988	launcher.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	1788	msedge.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4224	launcher.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4152	msedge.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	688	launcher.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	4460	msedge.exe
Token: SeDebugPrivilege	1792	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

launcher.exelauncher.exelauncher.exemsedge.exelauncher.exelauncher.exe

description	pid	process	target process
PID 2428 wrote to memory of 4848	2428	launcher.exe	powershell.exe
PID 2428 wrote to memory of 4848	2428	launcher.exe	powershell.exe
PID 2428 wrote to memory of 2340	2428	launcher.exe	launcher.exe
PID 2428 wrote to memory of 2340	2428	launcher.exe	launcher.exe
PID 2428 wrote to memory of 3960	2428	launcher.exe	powershell.exe
PID 2428 wrote to memory of 3960	2428	launcher.exe	powershell.exe
PID 2428 wrote to memory of 552	2428	launcher.exe	msedge.exe
PID 2428 wrote to memory of 552	2428	launcher.exe	msedge.exe
PID 2428 wrote to memory of 3844	2428	launcher.exe	powershell.exe
PID 2428 wrote to memory of 3844	2428	launcher.exe	powershell.exe
PID 2428 wrote to memory of 1692	2428	launcher.exe	Otupevi.exe
PID 2428 wrote to memory of 1692	2428	launcher.exe	Otupevi.exe
PID 2340 wrote to memory of 3124	2340	launcher.exe	powershell.exe
PID 2340 wrote to memory of 3124	2340	launcher.exe	powershell.exe
PID 2340 wrote to memory of 2168	2340	launcher.exe	launcher.exe
PID 2340 wrote to memory of 2168	2340	launcher.exe	launcher.exe
PID 2340 wrote to memory of 64	2340	launcher.exe	powershell.exe
PID 2340 wrote to memory of 64	2340	launcher.exe	powershell.exe
PID 2340 wrote to memory of 4920	2340	launcher.exe	msedge.exe
PID 2340 wrote to memory of 4920	2340	launcher.exe	msedge.exe
PID 2340 wrote to memory of 3980	2340	launcher.exe	powershell.exe
PID 2340 wrote to memory of 3980	2340	launcher.exe	powershell.exe
PID 2340 wrote to memory of 4864	2340	launcher.exe	Otupevi.exe
PID 2340 wrote to memory of 4864	2340	launcher.exe	Otupevi.exe
PID 2168 wrote to memory of 208	2168	launcher.exe	powershell.exe
PID 2168 wrote to memory of 208	2168	launcher.exe	powershell.exe
PID 2168 wrote to memory of 1316	2168	launcher.exe	launcher.exe
PID 2168 wrote to memory of 1316	2168	launcher.exe	launcher.exe
PID 2168 wrote to memory of 3188	2168	launcher.exe	powershell.exe
PID 2168 wrote to memory of 3188	2168	launcher.exe	powershell.exe
PID 2168 wrote to memory of 1532	2168	launcher.exe	msedge.exe
PID 2168 wrote to memory of 1532	2168	launcher.exe	msedge.exe
PID 2168 wrote to memory of 3504	2168	launcher.exe	powershell.exe
PID 2168 wrote to memory of 3504	2168	launcher.exe	powershell.exe
PID 552 wrote to memory of 2676	552	msedge.exe	powershell.exe
PID 552 wrote to memory of 2676	552	msedge.exe	powershell.exe
PID 2168 wrote to memory of 316	2168	launcher.exe	Otupevi.exe
PID 2168 wrote to memory of 316	2168	launcher.exe	Otupevi.exe
PID 552 wrote to memory of 3840	552	msedge.exe	powershell.exe
PID 552 wrote to memory of 3840	552	msedge.exe	powershell.exe
PID 552 wrote to memory of 4452	552	msedge.exe	powershell.exe
PID 552 wrote to memory of 4452	552	msedge.exe	powershell.exe
PID 552 wrote to memory of 1352	552	msedge.exe	powershell.exe
PID 552 wrote to memory of 1352	552	msedge.exe	powershell.exe
PID 1316 wrote to memory of 1848	1316	launcher.exe	powershell.exe
PID 1316 wrote to memory of 1848	1316	launcher.exe	powershell.exe
PID 1316 wrote to memory of 688	1316	launcher.exe	launcher.exe
PID 1316 wrote to memory of 688	1316	launcher.exe	launcher.exe
PID 1316 wrote to memory of 4636	1316	launcher.exe	powershell.exe
PID 1316 wrote to memory of 4636	1316	launcher.exe	powershell.exe
PID 552 wrote to memory of 840	552	msedge.exe	schtasks.exe
PID 552 wrote to memory of 840	552	msedge.exe	schtasks.exe
PID 1316 wrote to memory of 4412	1316	launcher.exe	msedge.exe
PID 1316 wrote to memory of 4412	1316	launcher.exe	msedge.exe
PID 1316 wrote to memory of 1332	1316	launcher.exe	powershell.exe
PID 1316 wrote to memory of 1332	1316	launcher.exe	powershell.exe
PID 1316 wrote to memory of 1436	1316	launcher.exe	Otupevi.exe
PID 1316 wrote to memory of 1436	1316	launcher.exe	Otupevi.exe
PID 688 wrote to memory of 2392	688	launcher.exe	powershell.exe
PID 688 wrote to memory of 2392	688	launcher.exe	powershell.exe
PID 688 wrote to memory of 2372	688	launcher.exe	launcher.exe
PID 688 wrote to memory of 2372	688	launcher.exe	launcher.exe
PID 688 wrote to memory of 3648	688	launcher.exe	powershell.exe
PID 688 wrote to memory of 3648	688	launcher.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
6⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
8⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
10⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
11⤵
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
11⤵
- Executes dropped EXE
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
10⤵
- Executes dropped EXE
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
9⤵
- Executes dropped EXE
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
8⤵
- Executes dropped EXE
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
7⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
6⤵
- Executes dropped EXE
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
5⤵
- Executes dropped EXE
PID:1436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
4⤵
- Executes dropped EXE
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
3⤵
- Executes dropped EXE
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\msedge.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
2⤵
- Executes dropped EXE
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log
Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
db81557a0755ca16b544b7355796be92

SHA1
732bf1a03a73c46d9721748df25dcf73b5486580

SHA256
2c17c6ddb02edb0be9969807f731af271376eda280833974e81ff296d2c35765

SHA512
dad3410b3851bfb8bd504ee72b99e2ee1b398b9f14e9f46130b38314e3706cab7afc0de34874be23c4c028d56cc98c0185b2b08d7c245dce3906e26f9974f342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
367da361d214538015b4dba19126ffab

SHA1
0f3b71fc77b6021c8a2523c283d773b5c275f000

SHA256
c26f0f8ae25a52931b7ca924e9e3fff5d0a63b96f78c178f2eebf864ec0e998b

SHA512
26a7c2ed414a5657d6464920854b88c1beec5f7d1b37b58e9fcc4145dd76d94f2bef642a64496f7ee011dfa52d9527caf4cf8a19d6e3acfb266f1101a06cb134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7a923b3fd4bf95a727c3c95919741938

SHA1
8a619db2348ac04dccbfb6148100fcf3a114a312

SHA256
9b318d199c45c2483216308beae77a597832523a966a0b0ffc3d2b94586d3aad

SHA512
48b5599c9585853af9a026269c9909a1263c7bb32ff90b77412751b48f789438b4df9a19f829331e7f75c8651f80639076ab996101f4b342d111b1c18edc8c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9512d7fc6bd7fd6f9a322fa248957468

SHA1
850ce09fca7a17159c8b8ad5b2002a61ed392c3d

SHA256
40c6527c0a447fb33683b5577fa1c0cd6e8be07e78ff57083f6f3339519dddd7

SHA512
5c402ac4544931469549a353d22b96ef5157d6b4dd5e71c1e93bb7f5a2ac6197eb13dc29162cfb70cbcfd814527c604b08fd02b42c5d64ad00391dd73f10c4de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6b1c84e3d5385578f9f762f086ab45ba

SHA1
8891589c31628d85d961a82fab925c7198674bf8

SHA256
a146fa0f0cedfee4f25d00ea5fdb22f517bea44764cc56b4a9841b960b74aa6d

SHA512
0aa8676b90507421e6263d0ccc4b0ce7ea2b45f814809834dafa0ac2a9d335db9637c2ace12681a9de8a51af13da8ecc71e392017b166cd090288df12b14528d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
0342b267f79ac6d33bf583a0b3b04dd1

SHA1
78ef2010a90ff2fa10d68628b39647d9773983ab

SHA256
dc0ea9007b6ac003b0f10a0f34361ee5defb05495c29a35d2951c4e4a604f1c5

SHA512
c484d055c44f353d1eeb1b626751d8863b0ed5af13376f46b62726568e8c7e4589986a7badf1a3de40f69c40ae6a4fa8fd4b2e47180a7cad17daa3943faf00d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
feb028aa874409cb8c24605b9e4830a1

SHA1
bd9921e19c400753e3551278c1afc0ff40723204

SHA256
fc5c62ede159be7b39dceb57ef6656bf3e4522f2298cc2b083553f23dbe767af

SHA512
68e7976dba0f0eeb9bc245ced528d5b74bc12be5960ead1b86d4b874344adc286506975382a530c38c666ed82302bcbc65d7a2f1629e79564e31f36d4ce50b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e25058a5d8ac6b42d8c7c9883c598303

SHA1
bd9e6194a36a959772fc020f905244900ffc3d57

SHA256
9f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51

SHA512
0146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6115924914d99b02793be952e93f1b2d

SHA1
1d3d4b64d1a9d6b634caf6c7e6acb2151f689f8d

SHA256
471a4b98b4c5ad7326cafe5520c19ec60bb2eb11424d34e3260b2732b4991b86

SHA512
b52003ce863e808fd4cfabc6abdf39d479f174eb04104879f068f8ad1c068f3fc40b94f438bae6376729fedfeefab5322d07d3b2eebd5501cafff18f53de1e86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2d06ce10e4e5b9e174b5ebbdad300fad

SHA1
bcc1c231e22238cef02ae25331320060ada2f131

SHA256
87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c

SHA512
38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
19e57a3db75c1ab8def6883f624dbf44

SHA1
27749506c5a84a107e8d5e5dc8f1f54dc9d4f754

SHA256
6f55255cc5fcd0fa67b7ff9822c9589e82c59302cbba14f266ba4eca304b8f19

SHA512
47adba0dc3da2711b617a66f19d801c5ee0c382299dd27c89dec4a3a9676acf1984d9b7a9d5028c83e1315e3c9b29afc3a12f5ece528ab8d11d18f05842db6ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cdcbefa35d50716aa0ecc9dde5aeecd0

SHA1
1295b48f89518c5603d7e20ced808cb6f92e5916

SHA256
7c7e8fef645249b4f3a2976f83d058447a87184af57b94a9805c7155d59dd57c

SHA512
758467bbc503d14948d162449667fe43ceb161f85faefb3785d989f91c557b01f4f15a551ce0d2ad37f5ef5bff3e38e8eebd82041919ecb15628d73f84bb68f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
Filesize
121KB

MD5
8ec6238ed8d4909bdde76b64fb9d1e7f

SHA1
5b8fcf12943eb425e47ba2e09a760a465fde9085

SHA256
cecbc104cfe47d1488d61b4e23b518476f194122539965c20309aa01067712b5

SHA512
75281075f3732c1ba70fc0a372facd8714d14bf4a7c7fbce16d3fb51fdcaf2fc5207a769ef109e836e2d4946b42a444f571cbc4349a6444b0f2387d028accebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zevaef0o.21g.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe
Filesize
64KB

MD5
2c3e1012f82fbe50509db62017302567

SHA1
0c3bcdf9a21e0a2505942cfd5f53279f89acb885

SHA256
8a59d37451b5a84dc78c9bef33a183128e48e02367b0ffa786965b41ca1f2237

SHA512
77d921b91a646e708555107705f32d55eedfb3b5298be889a7c0f0d9d02b6e3483de7ff147db4c71c571fe366224cdc5e98a89b14df831197d63d9a9a6bb1f43

Download Submit
memory/552-434-0x000000001D540000-0x000000001D54C000-memory.dmp

Filesize
48KB

Download
memory/552-42-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

Filesize
88KB

Download
memory/1692-66-0x0000000000860000-0x0000000000884000-memory.dmp

Filesize
144KB

Download
memory/2428-0-0x00007FFFF8D43000-0x00007FFFF8D45000-memory.dmp

Filesize
8KB

Download
memory/2428-1-0x00000000008E0000-0x000000000092E000-memory.dmp

Filesize
312KB

Download
memory/2428-2-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/2428-67-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/4848-3-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/4848-10-0x000001A11AF10000-0x000001A11AF32000-memory.dmp

Filesize
136KB

Download
memory/4848-14-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/4848-15-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download
memory/4848-18-0x00007FFFF8D40000-0x00007FFFF9801000-memory.dmp

Filesize
10.8MB

Download