Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
16-09-2024 16:48
General
-
Target
launcher.exe
-
Size
291KB
-
MD5
11501a69ddf54287446e4cffa4d268a3
-
SHA1
09bab84093ed44ec38bc240459c9e1905762110f
-
SHA256
8664e6d9a120c7eedb3cd40f9e1a16a594cc6bf099b38b6d93181b4469fb9175
-
SHA512
bb7990605ef8c5419cfbf05cb16dd03c1c7b0ea95ca179e8abb8aff99df50fc15e4231ba98e82204d704880b6476b92212d0b3a2e9dbffe56e8b480b80554c5d
-
SSDEEP
6144:K8emLf5K/nSiKWiB3XjdOwkL1xOivj0MW1WQ9mLtf6TUIa1bq/KMw:HeAxKPPiB3zEjLPl0MWkf6J
Score
10/10
Malware Config
Extracted
Family
phemedrone
C2
https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument
Signatures
-
Detect Xworm Payload 2 IoCs
-
Phemedrone
An information and wallet stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 47 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 64 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"6⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"8⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"10⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"12⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"13⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'14⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"14⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'15⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"15⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'16⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"16⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'17⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"17⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'18⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"18⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'19⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"19⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'20⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"20⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'21⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"21⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"22⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'23⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"23⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'24⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"24⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'25⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"25⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'26⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"26⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'27⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"27⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'28⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"28⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'29⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"29⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'30⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"30⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'31⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"31⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'32⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"32⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'33⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"33⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'34⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"34⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'35⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"35⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'36⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"36⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'37⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"37⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'38⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"38⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'39⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"39⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'40⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"40⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'41⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"41⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'42⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"42⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'43⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"43⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'44⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"44⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'45⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"45⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'46⤵
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"46⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'47⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\launcher.exe"C:\Users\Admin\AppData\Local\Temp\launcher.exe"47⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'47⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"47⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'47⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"47⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'46⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"46⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'46⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"46⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'45⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"45⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'45⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"45⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'44⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"44⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'44⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"44⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'43⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"43⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'43⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"43⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'42⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"42⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'42⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"42⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'41⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"41⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'41⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"41⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'40⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"40⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'40⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"40⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'39⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"39⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'39⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"39⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'38⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"38⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'38⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"38⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'37⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"37⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'37⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"37⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'36⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"36⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'36⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"36⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'35⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"35⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'35⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"35⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'34⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"34⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'34⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"34⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'33⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"33⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'33⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"33⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'32⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"32⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'32⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"32⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'31⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"31⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'31⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"31⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'30⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"30⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'30⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"30⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'29⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"29⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'29⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"29⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'28⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"28⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'28⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"28⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'27⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"27⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'27⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"27⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'26⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"26⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'26⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"26⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'25⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"25⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'25⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"25⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'24⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"24⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'24⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"24⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'23⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"23⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'23⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"23⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"22⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"22⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'21⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"21⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'21⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"21⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'20⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"20⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'20⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"20⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'19⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"19⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'19⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"19⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'18⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"18⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'18⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"18⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'17⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"17⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'17⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"17⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"16⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'16⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"16⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'15⤵
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"15⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'15⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"15⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"14⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'14⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"14⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"13⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'13⤵
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"13⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"12⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'11⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"11⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"10⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"9⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"8⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"5⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\msedge.exe"C:\Users\Admin\AppData\Local\Temp\msedge.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\msedge.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\msedge.exeC:\Users\Admin\msedge.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\msedge.exeC:\Users\Admin\msedge.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bb6a89a9355baba2918bb7c32eca1c94
SHA1976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2
SHA256192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b
SHA512efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
Filesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
Filesize
944B
MD59c740b7699e2363ac4ecdf496520ca35
SHA1aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
SHA256be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
SHA5128885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af
-
Filesize
944B
MD510fb30dc297f99d6ebafa5fee8b24fa2
SHA176904509313a49a765edcde26b69c3a61f9fa225
SHA256567bcacac120711fc04bf8e6c8cd0bff7b61e8ee0a6316254d1005ebb1264e6a
SHA512c42ace1ea0923fa55592f4f486a508ea56997fdbe0200016b0fc16a33452fc28e4530129a315b3b3a5ede37a07097c13a0eb310c9e91e5d97bb7ce7b955b9498
-
Filesize
944B
MD515dde0683cd1ca19785d7262f554ba93
SHA1d039c577e438546d10ac64837b05da480d06bf69
SHA256d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA51257c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672
-
Filesize
944B
MD5ef72c47dbfaae0b9b0d09f22ad4afe20
SHA15357f66ba69b89440b99d4273b74221670129338
SHA256692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA5127514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4
-
Filesize
944B
MD5e3161f4edbc9b963debe22e29658050b
SHA145dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA2561359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2
-
Filesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
Filesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD55f9246b90bb643f1f6e32b638684da6e
SHA17c3d0a783c969d3a55eb92669bd9183f0b7dd603
SHA2564ac95bd39341c98026937c0fc18142ed1d3f034f5073c9b03defdfa1c9be8bad
SHA51257285dcf7c0e0a0f477e3f6ff1aca9223785c221d899a74c02aa8f82619d1d1914562682a85dd4b4fadb25c95d98f016d76bb3c8049d38d8de8fa14db194110d
-
Filesize
944B
MD55bebad5b54fab3fe0a41b565bdfc22f5
SHA155eb1edbcd70473e8e8665597104e41131ef2dad
SHA256fa22d2f9d8c4ce14fb56bdd809ca2a2d656b19a3da49c32d9551696dd8a23251
SHA5124a894cccaf8e1d6f1f5d39e72cd5c6bd66bd99c0a5df23b6e3a9344e5b6debf33f281440ca4c0cddf2349cba762177a9b867455141d4a8c64165cee20f51a1e9
-
Filesize
944B
MD5b51dc9e5ec3c97f72b4ca9488bbb4462
SHA15c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA5120e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280
-
Filesize
944B
MD560945d1a2e48da37d4ce8d9c56b6845a
SHA183e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA5125d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed
-
Filesize
944B
MD5a1008cfb29cdc25b4180c736ec404335
SHA139760fbcc8c1a64e856e98d61ce194d39b727438
SHA2560eb4209b0f8c0dce02580b4d3ec5692d33be08b1a61858aad0413116afc95558
SHA51200c2cde1601217c28fd71c2daefb21c7fcfeeee7e6badcd1b7f353f4e6df7817f5c4665148a1468b10ea31547642b999e3db5914d6e5f0cb1123243fd9ef213f
-
Filesize
944B
MD54165c906a376e655973cef247b5128f1
SHA1c6299b6ab8b2db841900de376e9c4d676d61131e
SHA256fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4
SHA51215783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
944B
MD50b72469ca0585278ca9c240a42085ad7
SHA1dd0371aab5740e6d5f44d75f02f5f2d0a16089b2
SHA2569e9693e3e021a1a0aeac855d0c2fd330568225282ed4e2d8ea1d876457efa0db
SHA51277929ab5f47ec18e78e9e57f0cb9a41dd02e8974b59f692175fefdd69a6e84c6c289a8e4cb563fb064857f2c3cf6ce330e8efa7dcb352691fdbd662c90c3b577
-
Filesize
944B
MD5ce4540390cc4841c8973eb5a3e9f4f7d
SHA12293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA5122a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b
-
Filesize
944B
MD53952e58e5b0dc4ca85530346cab31745
SHA1b40f8e12c28260dc66b36978ffd82f9238f78e8e
SHA2563683911c627d789d95c19767391431323b5232ff2701686955012108acbe9f4f
SHA512c8cab56b5995c4346cddfa52485de4eb8aca345b1b683cad808dfaaf6a665b3fe8141b6fb82838df64587c2390bd6acfb179b150638bdf9654d4ecb4567c4ede
-
Filesize
944B
MD596e3b86880fedd5afc001d108732a3e5
SHA18fc17b39d744a9590a6d5897012da5e6757439a3
SHA256c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d
-
Filesize
944B
MD5fd98baf5a9c30d41317663898985593b
SHA1ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA2569d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0
-
Filesize
944B
MD5bd41d9e85ce4c2fb194d6fd51ad735e9
SHA10e289f94ca12b8477161d52a205f419b7d48b9f4
SHA25634c4bd5e1fb75db7572e3d7e083c83be356fd3f91a6f7bfd029757fd0471f91d
SHA51297a44d637bf29b3f0f9d04dc8d5be68283f719303de3a7d3b4b483381e21e1feae798e1c622e1040b70ab266e389a68aad9ced42511dd9f9b998cfce8ef27dbf
-
Filesize
121KB
MD58ec6238ed8d4909bdde76b64fb9d1e7f
SHA15b8fcf12943eb425e47ba2e09a760a465fde9085
SHA256cecbc104cfe47d1488d61b4e23b518476f194122539965c20309aa01067712b5
SHA51275281075f3732c1ba70fc0a372facd8714d14bf4a7c7fbce16d3fb51fdcaf2fc5207a769ef109e836e2d4946b42a444f571cbc4349a6444b0f2387d028accebd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
64KB
MD52c3e1012f82fbe50509db62017302567
SHA10c3bcdf9a21e0a2505942cfd5f53279f89acb885
SHA2568a59d37451b5a84dc78c9bef33a183128e48e02367b0ffa786965b41ca1f2237
SHA51277d921b91a646e708555107705f32d55eedfb3b5298be889a7c0f0d9d02b6e3483de7ff147db4c71c571fe366224cdc5e98a89b14df831197d63d9a9a6bb1f43
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
312KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
144KB