phemedrone | bbbab2c33667db752e39cb3b1f8f25268e765f975a2891fb252c71c16f11f62b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe
Size

284KB
MD5

ec46ff697f5c18c43434dce6236aeaf6
SHA1

c77d4a14822e6c5f7bcffdc0a5e6a1345c948e84
SHA256

bbbab2c33667db752e39cb3b1f8f25268e765f975a2891fb252c71c16f11f62b
SHA512

d065758bf6397d348678c0aae5df77d68188fe55a26557770aa055fa330243050189862651bdbb5dde60d13cdf323f2fc5815d4090294fb9c22b714cd96d07d9
SSDEEP

6144:F8emLf5K/nSiKWiB3XjdOwkL1xO51jwoT98Laf6TUIa1bq/KMw:qeAxKPPiB3zEjLPCUkf6J

Score

10^/10

phemedrone xworm execution rat stealer trojan

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\msedge.exe	family_xworm
behavioral1/memory/3312-42-0x0000000000690000-0x00000000006A4000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
452	powershell.exe
4616	powershell.exe
3128	powershell.exe
532	powershell.exe
4464	powershell.exe
2468	powershell.exe
1820	powershell.exe
728	powershell.exe
2060	powershell.exe
1192	powershell.exe
3376	powershell.exe
4592	powershell.exe
3480	powershell.exe
5056	powershell.exe
828	powershell.exe
3972	powershell.exe
440	powershell.exe
1976	powershell.exe
4928	powershell.exe
3536	powershell.exe
2632	powershell.exe
3996	powershell.exe
2192	powershell.exe
1264	powershell.exe
2172	powershell.exe
1536	powershell.exe
3728	powershell.exe
312	powershell.exe
1576	powershell.exe
3776	powershell.exe
400	powershell.exe
4928	powershell.exe
2872	powershell.exe
1820	powershell.exe
5000	powershell.exe
3860	powershell.exe
5004	powershell.exe
4452	powershell.exe
3432	powershell.exe
4844	powershell.exe
3000	powershell.exe
1424	powershell.exe
1456	powershell.exe
2180	powershell.exe
3508	powershell.exe
1396	powershell.exe
4472	powershell.exe
1976	powershell.exe
3876	powershell.exe
2196	powershell.exe
3812	powershell.exe
2392	powershell.exe
2708	powershell.exe
940	powershell.exe
1372	powershell.exe
3992	powershell.exe
4660	powershell.exe
4200	powershell.exe
3340	powershell.exe
3972	powershell.exe
1516	powershell.exe
3304	powershell.exe
1808	powershell.exe
1364	powershell.exe

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

launcher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exemsedge.exemsedge.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exelauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	launcher.exe

Drops startup file 4 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 64 IoCs

Processes:

msedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exemsedge.exeOtupevi.exe

pid	process
3312	msedge.exe
4168	Otupevi.exe
4476	msedge.exe
3972	Otupevi.exe
3192	msedge.exe
3476	Otupevi.exe
2460	msedge.exe
400	Otupevi.exe
3736	msedge.exe
3080	Otupevi.exe
4472	msedge.exe
4228	msedge.exe
3192	Otupevi.exe
1112	msedge.exe
2828	Otupevi.exe
2744	msedge.exe
1212	Otupevi.exe
4044	msedge.exe
3764	Otupevi.exe
4992	msedge.exe
5020	Otupevi.exe
216	msedge.exe
1684	Otupevi.exe
4988	msedge.exe
3820	Otupevi.exe
2532	msedge.exe
5020	Otupevi.exe
800	msedge.exe
2312	Otupevi.exe
4360	msedge.exe
1956	Otupevi.exe
2120	msedge.exe
1396	Otupevi.exe
2968	msedge.exe
4556	Otupevi.exe
4656	msedge.exe
1896	Otupevi.exe
216	msedge.exe
3008	Otupevi.exe
2968	msedge.exe
3736	Otupevi.exe
1288	msedge.exe
2164	Otupevi.exe
3612	msedge.exe
4040	Otupevi.exe
4716	msedge.exe
668	msedge.exe
3960	Otupevi.exe
1892	msedge.exe
4992	Otupevi.exe
1232	msedge.exe
1272	Otupevi.exe
2644	msedge.exe
4992	Otupevi.exe
220	msedge.exe
1244	Otupevi.exe
4928	msedge.exe
4124	Otupevi.exe
3436	msedge.exe
3964	Otupevi.exe
804	msedge.exe
4900	Otupevi.exe
3420	msedge.exe
4896	Otupevi.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

70 ip-api.com
80 ip-api.com
14 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
70	ip-api.com
80	ip-api.com
14	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4936 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4936 schtasks.exe
5004 schtasks.exe

pid	process
4936	timeout.exe

pid	process
4936	schtasks.exe
5004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
548	powershell.exe
548	powershell.exe
2192	powershell.exe
2192	powershell.exe
452	powershell.exe
452	powershell.exe
1192	powershell.exe
1192	powershell.exe
4616	powershell.exe
4616	powershell.exe
4444	powershell.exe
4444	powershell.exe
3516	powershell.exe
3516	powershell.exe
1424	powershell.exe
1424	powershell.exe
4028	powershell.exe
4028	powershell.exe
2392	powershell.exe
2392	powershell.exe
1820	powershell.exe
1820	powershell.exe
1456	powershell.exe
1456	powershell.exe
4460	powershell.exe
4460	powershell.exe
2708	powershell.exe
2708	powershell.exe
3468	powershell.exe
3468	powershell.exe
2196	powershell.exe
2196	powershell.exe
1976	powershell.exe
1976	powershell.exe
100	taskmgr.exe
100	taskmgr.exe
2404	powershell.exe
2404	powershell.exe
2404	powershell.exe
100	taskmgr.exe
100	taskmgr.exe
312	powershell.exe
312	powershell.exe
312	powershell.exe
100	taskmgr.exe
100	taskmgr.exe
1420	powershell.exe
1420	powershell.exe
1420	powershell.exe
100	taskmgr.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
100	taskmgr.exe
100	taskmgr.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
100	taskmgr.exe
2292	powershell.exe
2292	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

100 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

launcher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exelauncher.exepowershell.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exetaskmgr.exepowershell.exemsedge.exepowershell.exemsedge.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exelauncher.exepowershell.exepowershell.exemsedge.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4760	launcher.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3312	msedge.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	3524	launcher.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4476	msedge.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	5064	launcher.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	3192	msedge.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	3716	launcher.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	2460	msedge.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	3312	msedge.exe
Token: SeDebugPrivilege	2288	launcher.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	100	taskmgr.exe
Token: SeSystemProfilePrivilege	100	taskmgr.exe
Token: SeCreateGlobalPrivilege	100	taskmgr.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3736	msedge.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	4472	msedge.exe
Token: SeDebugPrivilege	1432	launcher.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	4228	msedge.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2060	launcher.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1112	msedge.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3052	launcher.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	2744	msedge.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2636	launcher.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	4044	msedge.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2488	launcher.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	4992	msedge.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1620	launcher.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	216	msedge.exe
Token: SeDebugPrivilege	4160	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe
100	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

launcher.exelauncher.exelauncher.exemsedge.exelauncher.exelauncher.exe

description	pid	process	target process
PID 4760 wrote to memory of 548	4760	launcher.exe	powershell.exe
PID 4760 wrote to memory of 548	4760	launcher.exe	powershell.exe
PID 4760 wrote to memory of 3524	4760	launcher.exe	launcher.exe
PID 4760 wrote to memory of 3524	4760	launcher.exe	launcher.exe
PID 4760 wrote to memory of 2192	4760	launcher.exe	powershell.exe
PID 4760 wrote to memory of 2192	4760	launcher.exe	powershell.exe
PID 4760 wrote to memory of 3312	4760	launcher.exe	msedge.exe
PID 4760 wrote to memory of 3312	4760	launcher.exe	msedge.exe
PID 4760 wrote to memory of 452	4760	launcher.exe	powershell.exe
PID 4760 wrote to memory of 452	4760	launcher.exe	powershell.exe
PID 4760 wrote to memory of 4168	4760	launcher.exe	Otupevi.exe
PID 4760 wrote to memory of 4168	4760	launcher.exe	Otupevi.exe
PID 3524 wrote to memory of 1192	3524	launcher.exe	powershell.exe
PID 3524 wrote to memory of 1192	3524	launcher.exe	powershell.exe
PID 3524 wrote to memory of 5064	3524	launcher.exe	launcher.exe
PID 3524 wrote to memory of 5064	3524	launcher.exe	launcher.exe
PID 3524 wrote to memory of 4616	3524	launcher.exe	powershell.exe
PID 3524 wrote to memory of 4616	3524	launcher.exe	powershell.exe
PID 3524 wrote to memory of 4476	3524	launcher.exe	msedge.exe
PID 3524 wrote to memory of 4476	3524	launcher.exe	msedge.exe
PID 3524 wrote to memory of 4444	3524	launcher.exe	powershell.exe
PID 3524 wrote to memory of 4444	3524	launcher.exe	powershell.exe
PID 3524 wrote to memory of 3972	3524	launcher.exe	Otupevi.exe
PID 3524 wrote to memory of 3972	3524	launcher.exe	Otupevi.exe
PID 5064 wrote to memory of 3516	5064	launcher.exe	powershell.exe
PID 5064 wrote to memory of 3516	5064	launcher.exe	powershell.exe
PID 5064 wrote to memory of 3716	5064	launcher.exe	launcher.exe
PID 5064 wrote to memory of 3716	5064	launcher.exe	launcher.exe
PID 5064 wrote to memory of 1424	5064	launcher.exe	powershell.exe
PID 5064 wrote to memory of 1424	5064	launcher.exe	powershell.exe
PID 5064 wrote to memory of 3192	5064	launcher.exe	msedge.exe
PID 5064 wrote to memory of 3192	5064	launcher.exe	msedge.exe
PID 5064 wrote to memory of 4028	5064	launcher.exe	powershell.exe
PID 5064 wrote to memory of 4028	5064	launcher.exe	powershell.exe
PID 5064 wrote to memory of 3476	5064	launcher.exe	Otupevi.exe
PID 5064 wrote to memory of 3476	5064	launcher.exe	Otupevi.exe
PID 3312 wrote to memory of 2392	3312	msedge.exe	powershell.exe
PID 3312 wrote to memory of 2392	3312	msedge.exe	powershell.exe
PID 3312 wrote to memory of 1820	3312	msedge.exe	powershell.exe
PID 3312 wrote to memory of 1820	3312	msedge.exe	powershell.exe
PID 3312 wrote to memory of 1456	3312	msedge.exe	powershell.exe
PID 3312 wrote to memory of 1456	3312	msedge.exe	powershell.exe
PID 3312 wrote to memory of 4460	3312	msedge.exe	powershell.exe
PID 3312 wrote to memory of 4460	3312	msedge.exe	powershell.exe
PID 3716 wrote to memory of 2708	3716	launcher.exe	powershell.exe
PID 3716 wrote to memory of 2708	3716	launcher.exe	powershell.exe
PID 3716 wrote to memory of 2288	3716	launcher.exe	launcher.exe
PID 3716 wrote to memory of 2288	3716	launcher.exe	launcher.exe
PID 3716 wrote to memory of 3468	3716	launcher.exe	powershell.exe
PID 3716 wrote to memory of 3468	3716	launcher.exe	powershell.exe
PID 3716 wrote to memory of 2460	3716	launcher.exe	msedge.exe
PID 3716 wrote to memory of 2460	3716	launcher.exe	msedge.exe
PID 3716 wrote to memory of 2196	3716	launcher.exe	powershell.exe
PID 3716 wrote to memory of 2196	3716	launcher.exe	powershell.exe
PID 3716 wrote to memory of 400	3716	launcher.exe	Otupevi.exe
PID 3716 wrote to memory of 400	3716	launcher.exe	Otupevi.exe
PID 3312 wrote to memory of 4936	3312	msedge.exe	schtasks.exe
PID 3312 wrote to memory of 4936	3312	msedge.exe	schtasks.exe
PID 2288 wrote to memory of 1976	2288	launcher.exe	powershell.exe
PID 2288 wrote to memory of 1976	2288	launcher.exe	powershell.exe
PID 2288 wrote to memory of 1432	2288	launcher.exe	launcher.exe
PID 2288 wrote to memory of 1432	2288	launcher.exe	launcher.exe
PID 2288 wrote to memory of 2404	2288	launcher.exe	powershell.exe
PID 2288 wrote to memory of 2404	2288	launcher.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
6⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
8⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
9⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
10⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
12⤵
- Checks computer location settings
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
13⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
13⤵
- Checks computer location settings
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:3508

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
14⤵
- Checks computer location settings
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
15⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
15⤵
- Checks computer location settings
PID:728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
16⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
16⤵
- Checks computer location settings
PID:4016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
17⤵
- Command and Scripting Interpreter: PowerShell
PID:3480

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
17⤵
- Checks computer location settings
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
18⤵
- Command and Scripting Interpreter: PowerShell
PID:2172

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
18⤵
- Checks computer location settings
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
19⤵
- Command and Scripting Interpreter: PowerShell
PID:3536

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
19⤵
- Checks computer location settings
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
20⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
20⤵
- Checks computer location settings
PID:2708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
21⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
21⤵
- Checks computer location settings
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
22⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
22⤵
- Checks computer location settings
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
23⤵
- Command and Scripting Interpreter: PowerShell
PID:1516

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
23⤵
- Checks computer location settings
PID:516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
24⤵
- Command and Scripting Interpreter: PowerShell
PID:3432

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
24⤵
- Checks computer location settings
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
25⤵
- Command and Scripting Interpreter: PowerShell
PID:4844

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
25⤵
- Checks computer location settings
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
26⤵
- Command and Scripting Interpreter: PowerShell
PID:1536

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
26⤵
- Checks computer location settings
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
27⤵
- Command and Scripting Interpreter: PowerShell
PID:5000

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
27⤵
- Checks computer location settings
PID:2416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
28⤵
- Command and Scripting Interpreter: PowerShell
PID:2632

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
28⤵
- Checks computer location settings
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
29⤵
- Command and Scripting Interpreter: PowerShell
PID:3860

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
29⤵
- Checks computer location settings
PID:1472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
30⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
30⤵
- Checks computer location settings
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
31⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
31⤵
- Checks computer location settings
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
32⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
32⤵
- Checks computer location settings
PID:2960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
33⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
33⤵
- Checks computer location settings
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
34⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
34⤵
- Checks computer location settings
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
35⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
35⤵
- Checks computer location settings
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
36⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
36⤵
- Checks computer location settings
PID:668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
37⤵
- Command and Scripting Interpreter: PowerShell
PID:4928

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
37⤵
- Checks computer location settings
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
38⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
38⤵
- Checks computer location settings
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
39⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
39⤵
- Checks computer location settings
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
40⤵
- Command and Scripting Interpreter: PowerShell
PID:3972

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
40⤵
- Checks computer location settings
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
41⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
41⤵
- Checks computer location settings
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
42⤵
- Command and Scripting Interpreter: PowerShell
PID:4472

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
42⤵
- Checks computer location settings
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
43⤵
- Command and Scripting Interpreter: PowerShell
PID:3728

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
43⤵
- Checks computer location settings
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
44⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
44⤵
- Checks computer location settings
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
45⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
45⤵
- Checks computer location settings
PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
46⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
46⤵
- Checks computer location settings
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
47⤵
- Command and Scripting Interpreter: PowerShell
PID:1808

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
47⤵
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
47⤵
- Command and Scripting Interpreter: PowerShell
PID:4660

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
47⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
47⤵
- Command and Scripting Interpreter: PowerShell
PID:3812

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
47⤵
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
46⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
46⤵
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
46⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
46⤵
PID:3616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
45⤵
- Command and Scripting Interpreter: PowerShell
PID:2468

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
45⤵
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
45⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
45⤵
PID:4764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
44⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
44⤵
PID:368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
44⤵
- Command and Scripting Interpreter: PowerShell
PID:1364

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
44⤵
PID:4100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
43⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
43⤵
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
43⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
43⤵
PID:980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
42⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
42⤵
PID:4016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
42⤵
- Command and Scripting Interpreter: PowerShell
PID:3000

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
42⤵
PID:3188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
41⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
41⤵
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
41⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
41⤵
PID:1072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
40⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
40⤵
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
40⤵
- Command and Scripting Interpreter: PowerShell
PID:5004

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
40⤵
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
39⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
39⤵
PID:3996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
39⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
39⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
38⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
38⤵
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
38⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
38⤵
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
37⤵
- Command and Scripting Interpreter: PowerShell
PID:2872

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
37⤵
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
37⤵
- Command and Scripting Interpreter: PowerShell
PID:3304

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
37⤵
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
36⤵
- Command and Scripting Interpreter: PowerShell
PID:1396

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
36⤵
PID:3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
36⤵
- Command and Scripting Interpreter: PowerShell
PID:2196

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
36⤵
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
35⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
35⤵
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
35⤵
- Command and Scripting Interpreter: PowerShell
PID:3996

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
35⤵
PID:2960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
34⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
34⤵
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
34⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
34⤵
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
33⤵
- Command and Scripting Interpreter: PowerShell
PID:828

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
33⤵
PID:2872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
33⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
33⤵
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
32⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
32⤵
- Executes dropped EXE
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
32⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
32⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
31⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
31⤵
- Executes dropped EXE
PID:804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
31⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
31⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
30⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
30⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
30⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
30⤵
- Executes dropped EXE
PID:3964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
29⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
29⤵
- Executes dropped EXE
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
29⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
29⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
28⤵
- Command and Scripting Interpreter: PowerShell
PID:3376

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
28⤵
- Executes dropped EXE
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
28⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
28⤵
- Executes dropped EXE
PID:1244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
27⤵
- Command and Scripting Interpreter: PowerShell
PID:4464

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
27⤵
- Executes dropped EXE
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
27⤵
- Command and Scripting Interpreter: PowerShell
PID:3992

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
27⤵
- Executes dropped EXE
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
26⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
26⤵
- Executes dropped EXE
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
26⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
26⤵
- Executes dropped EXE
PID:1272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
25⤵
- Command and Scripting Interpreter: PowerShell
PID:400

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
25⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
25⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
25⤵
- Executes dropped EXE
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
24⤵
- Command and Scripting Interpreter: PowerShell
PID:3776

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
24⤵
- Executes dropped EXE
PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
24⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
24⤵
- Executes dropped EXE
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
23⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
23⤵
- Executes dropped EXE
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
23⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
23⤵
- Executes dropped EXE
PID:4040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
22⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
22⤵
- Executes dropped EXE
PID:1288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
22⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
22⤵
- Executes dropped EXE
PID:2164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
21⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
21⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
21⤵
- Command and Scripting Interpreter: PowerShell
PID:3972

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
21⤵
- Executes dropped EXE
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
20⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
20⤵
- Executes dropped EXE
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
20⤵
- Command and Scripting Interpreter: PowerShell
PID:5056

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
20⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
19⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
19⤵
- Executes dropped EXE
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
19⤵
- Command and Scripting Interpreter: PowerShell
PID:1820

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
19⤵
- Executes dropped EXE
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
18⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
18⤵
- Executes dropped EXE
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
18⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
18⤵
- Executes dropped EXE
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
17⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
17⤵
- Executes dropped EXE
PID:2120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
17⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
17⤵
- Executes dropped EXE
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
16⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
16⤵
- Executes dropped EXE
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
16⤵
- Command and Scripting Interpreter: PowerShell
PID:3340

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
16⤵
- Executes dropped EXE
PID:1956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
15⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
15⤵
- Executes dropped EXE
PID:800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
15⤵
- Command and Scripting Interpreter: PowerShell
PID:4200

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
15⤵
- Executes dropped EXE
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:1976

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
14⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:532

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
14⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
13⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
13⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
14⤵
PID:3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\msedge.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
14⤵
- Command and Scripting Interpreter: PowerShell
PID:4928

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\msedge.exe"
14⤵
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
13⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
13⤵
- Executes dropped EXE
PID:3820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
12⤵
- Executes dropped EXE
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
11⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
10⤵
- Executes dropped EXE
PID:3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
9⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
8⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
7⤵
- Executes dropped EXE
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
6⤵
- Executes dropped EXE
PID:3080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
5⤵
- Executes dropped EXE
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
4⤵
- Executes dropped EXE
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
3⤵
- Executes dropped EXE
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\msedge.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\msedge.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "msedge"
3⤵
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3776.tmp.bat""
3⤵
PID:2104

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
"C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
2⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:100

C:\Users\Admin\msedge.exe
C:\Users\Admin\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\msedge.exe
C:\Users\Admin\msedge.exe
1⤵
- Executes dropped EXE
PID:668

C:\Users\Admin\msedge.exe
C:\Users\Admin\msedge.exe
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f41f42c322498af0591f396c59dd4304

SHA1
e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

SHA256
d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

SHA512
2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54ae5e62408d2ee2d9408ddd3bdf1752

SHA1
946b2c7b408272a8c5586020cfb541b2fa144160

SHA256
979084632c4103f3c09d9280cca1e4ad6404548368afc9530aefc9197cfe34f3

SHA512
a3255b4248a4e7a1cb7482398f10fd826947b14909bf1f18098797b4099a194dad06a31e771ae9b714135963051d2f4e2b489100adbb35c5acaa3ba05c63eb3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a2c8179aaa149c0b9791b73ce44c04d1

SHA1
703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

SHA256
c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

SHA512
2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0093819c829dd30c13746f256efba97f

SHA1
f095cbb1d10a54a91d7d341c4098d44973d3ec50

SHA256
5f936c252c9ed7d08d4a73b86230d9877173b44c36544f0b24eae3eb38617401

SHA512
72aac852de41473494d2263aa44dbabfb1f318f8a21ebdfe080c4a98b9288db07e9641a935d9a640b5e879f28a0560cae53bd4191ac94d315b87746e57e69af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0aa63dbb46d451e47a7a682c64af776d

SHA1
3b0026f2dae8e9c491ccaa40133755779de35aaa

SHA256
9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b

SHA512
4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6defdce6eb413df1f365143c8c9300d0

SHA1
e24e2eae96347b7a97d18242c3286dabd20b1cc4

SHA256
c47180307096bca7215dd7ee769dac5b3b672fcbd4c1075dd841c984dd6e0525

SHA512
90aa2360fc89dd46409bbb01d301c5fe0f3659522dc4cff8d9305bc27fe3a8962987a0bb2a6c5f0818e6ae2ca663cf0d5e7fe7eb8e4588145367241bb1e81d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb033be02578f9635ec47bdc1de5c3fb

SHA1
ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

SHA256
bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

SHA512
4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Otupevi.exe

Filesize
121KB

MD5
8ec6238ed8d4909bdde76b64fb9d1e7f

SHA1
5b8fcf12943eb425e47ba2e09a760a465fde9085

SHA256
cecbc104cfe47d1488d61b4e23b518476f194122539965c20309aa01067712b5

SHA512
75281075f3732c1ba70fc0a372facd8714d14bf4a7c7fbce16d3fb51fdcaf2fc5207a769ef109e836e2d4946b42a444f571cbc4349a6444b0f2387d028accebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sjaitvdj.ggr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
54KB

MD5
16d1b3f8692406090091552236e3741a

SHA1
f0536b741c4cafc3dc8620ceab331f88559de5e8

SHA256
e561a3147c1fe5b010d90a6e6f270fc6bcfc87628cdc58cde35ab5a1c1922ba6

SHA512
6c4ebcbb9158734a9cd21184ce7bceb9002dd8eacb790bd5bd3514d004e8c896112717ca2113626a3726c423cf7a64fded3cbfc3d3477057f62cc16a8e0ec727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Filesize
771B

MD5
4bf2e64229ad74d65ffbc6b4e83f6f4c

SHA1
5b84bc11a7be7e0227f37f22b0ac73b54cc72ece

SHA256
04c4e54f022204a5d94283dea8a66098f05a35da21d6ab4f906a3abb0704262b

SHA512
dac8efa0b77d3cf7cba44a4caa53606822ad672ce376d6c840f64c50fdfb00be3d871f22b23f7196451ea5359aa01ffb6645ef942536017777d41f2f50c36d77

Download Submit
memory/100-286-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-274-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-281-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-275-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-285-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-284-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-283-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-282-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-280-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/100-276-0x000001B6F7640000-0x000001B6F7641000-memory.dmp

Filesize
4KB

Download
memory/548-14-0x0000022DD0FE0000-0x0000022DD1002000-memory.dmp

Filesize
136KB

Download
memory/548-18-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/548-15-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/548-13-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/548-12-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/3312-42-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download
memory/3312-534-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/4168-66-0x00000000009D0000-0x00000000009F4000-memory.dmp

Filesize
144KB

Download
memory/4760-0-0x00007FFBCA443000-0x00007FFBCA445000-memory.dmp

Filesize
8KB

Download
memory/4760-67-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/4760-2-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

Filesize
10.8MB

Download
memory/4760-1-0x0000000000330000-0x000000000037C000-memory.dmp

Filesize
304KB

Download