phemedrone | 935bd6efb26aacc691dc4dc21587da49979df1bfe9312557751290b52e040850

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe
Size

290KB
MD5

f88e545bdd58b37a68bc7713d1384889
SHA1

a3217c5d7d100b26026bf996cdf5ac9044803d5c
SHA256

935bd6efb26aacc691dc4dc21587da49979df1bfe9312557751290b52e040850
SHA512

f0512e6b08c377eefa87b8c1e6de8060c50258d87ed25e7034b1c70738fc5e81794450f4b04e390e36a5e52adbff526f1c499cae29d34561fa7eb5e19269d313
SSDEEP

6144:qr8emLf5K/nSiKWiB3XjdOwkL1xO7Yd+U9dLgHf6TUIa1bq/KMw:PeAxKPPiB3zEjLP+Yd6f6J

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7093178471:AAF2vSzsv_7VHw_mw-hRkrEjGXZZ0VRp1-c/sendDocument

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0005000000004ed7-19.dat	family_xworm
behavioral1/memory/2816-21-0x00000000002D0000-0x00000000002E6000-memory.dmp	family_xworm
behavioral1/memory/2236-232-0x0000000000DA0000-0x0000000000DB6000-memory.dmp	family_xworm
behavioral1/memory/1360-382-0x00000000010D0000-0x00000000010E6000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
2908	powershell.exe
2148	powershell.exe
2192	powershell.exe
2752	powershell.exe
2900	powershell.exe
2148	powershell.exe
316	powershell.exe
2668	powershell.exe
2272	powershell.exe
1992	powershell.exe
2528	powershell.exe
564	powershell.exe
1148	powershell.exe
1092	powershell.exe
1232	powershell.exe
1808	powershell.exe
1984	powershell.exe
2064	powershell.exe
2500	powershell.exe
1356	powershell.exe
2692	powershell.exe
476	powershell.exe
2476	powershell.exe
852	powershell.exe
3000	powershell.exe
1824	powershell.exe
2212	powershell.exe
2692	powershell.exe
580	powershell.exe
916	powershell.exe
1008	powershell.exe
3008	powershell.exe
2820	powershell.exe
288	powershell.exe
2948	powershell.exe
2156	powershell.exe
2184	powershell.exe
320	powershell.exe
580	powershell.exe
2300	powershell.exe
2700	powershell.exe
1580	powershell.exe
1932	powershell.exe
1028	powershell.exe
2832	powershell.exe
2632	powershell.exe
952	powershell.exe
1476	powershell.exe
2376	powershell.exe
2168	powershell.exe
2576	powershell.exe
2536	powershell.exe
2416	powershell.exe
1732	powershell.exe
2456	powershell.exe
596	powershell.exe
2236	powershell.exe
2632	powershell.exe
2960	powershell.exe
1956	powershell.exe
2860	powershell.exe
2500	powershell.exe
2100	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 64 IoCs

pid	Process
2816	msedge.exe
2008	Otupevi.exe
1948	msedge.exe
2520	Otupevi.exe
2908	msedge.exe
2964	Otupevi.exe
2584	msedge.exe
2064	Otupevi.exe
1756	msedge.exe
2268	Otupevi.exe
2516	msedge.exe
3008	Otupevi.exe
1920	msedge.exe
1340	Otupevi.exe
1600	msedge.exe
2240	Otupevi.exe
1900	msedge.exe
824	Otupevi.exe
380	msedge.exe
2172	Otupevi.exe
2760	msedge.exe
2144	Otupevi.exe
2412	msedge.exe
2236	msedge.exe
2452	Otupevi.exe
2336	msedge.exe
2784	Otupevi.exe
2968	msedge.exe
852	Otupevi.exe
868	msedge.exe
2536	Otupevi.exe
2828	msedge.exe
2068	Otupevi.exe
1908	msedge.exe
2920	Otupevi.exe
1216	msedge.exe
1688	Otupevi.exe
1808	msedge.exe
1636	Otupevi.exe
2656	msedge.exe
2332	Otupevi.exe
2796	msedge.exe
2560	Otupevi.exe
2716	msedge.exe
1600	Otupevi.exe
2344	msedge.exe
2368	Otupevi.exe
2412	msedge.exe
1504	Otupevi.exe
1360	msedge.exe
2712	msedge.exe
2876	Otupevi.exe
2932	msedge.exe
2284	Otupevi.exe
1312	msedge.exe
2684	Otupevi.exe
1432	msedge.exe
1764	Otupevi.exe
1128	msedge.exe
2556	Otupevi.exe
2144	msedge.exe
1232	Otupevi.exe
1876	msedge.exe
1312	Otupevi.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msedge.exe"	launcher.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
30	ip-api.com
53	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	powershell.exe
2240	powershell.exe
2536	powershell.exe
2008	Otupevi.exe
2280	powershell.exe
2416	powershell.exe
1808	powershell.exe
2520	Otupevi.exe
740	powershell.exe
1540	powershell.exe
2268	powershell.exe
3000	powershell.exe
2820	powershell.exe
580	powershell.exe
2064	Otupevi.exe
2900	powershell.exe
2004	powershell.exe
2884	powershell.exe
1476	powershell.exe
1220	powershell.exe
340	powershell.exe
1540	powershell.exe
2268	Otupevi.exe
2668	powershell.exe
2552	powershell.exe
2272	powershell.exe
3008	Otupevi.exe
1984	powershell.exe
2236	powershell.exe
1932	powershell.exe
1340	Otupevi.exe
2300	powershell.exe
1092	powershell.exe
2784	powershell.exe
2240	Otupevi.exe
1732	powershell.exe
2272	powershell.exe
288	powershell.exe
824	Otupevi.exe
2156	powershell.exe
2148	powershell.exe
2456	powershell.exe
2172	Otupevi.exe
2400	powershell.exe
2724	powershell.exe
1028	powershell.exe
2144	Otupevi.exe
2832	powershell.exe
2064	powershell.exe
916	powershell.exe
2452	Otupevi.exe
1992	powershell.exe
1480	powershell.exe
1008	powershell.exe
2784	Otupevi.exe
2500	powershell.exe
2948	powershell.exe
476	powershell.exe
852	Otupevi.exe
2632	powershell.exe
296	powershell.exe
2692	powershell.exe
2536	Otupevi.exe
1824	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	launcher.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2816	msedge.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	2008	Otupevi.exe
Token: SeDebugPrivilege	2660	launcher.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1948	msedge.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2520	Otupevi.exe
Token: SeDebugPrivilege	2400	launcher.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2908	msedge.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1384	launcher.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2584	msedge.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2064	Otupevi.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1824	launcher.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1756	msedge.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2268	Otupevi.exe
Token: SeDebugPrivilege	2816	msedge.exe
Token: SeDebugPrivilege	1812	launcher.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2516	msedge.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	3008	Otupevi.exe
Token: SeDebugPrivilege	2820	launcher.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1920	msedge.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1340	Otupevi.exe
Token: SeDebugPrivilege	2876	launcher.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1600	msedge.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2240	Otupevi.exe
Token: SeDebugPrivilege	2604	launcher.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1900	msedge.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	824	Otupevi.exe
Token: SeDebugPrivilege	2364	launcher.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	380	msedge.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2172	Otupevi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2692	2072	launcher.exe	32
PID 2072 wrote to memory of 2692	2072	launcher.exe	32
PID 2072 wrote to memory of 2692	2072	launcher.exe	32
PID 2072 wrote to memory of 2660	2072	launcher.exe	34
PID 2072 wrote to memory of 2660	2072	launcher.exe	34
PID 2072 wrote to memory of 2660	2072	launcher.exe	34
PID 2072 wrote to memory of 2240	2072	launcher.exe	35
PID 2072 wrote to memory of 2240	2072	launcher.exe	35
PID 2072 wrote to memory of 2240	2072	launcher.exe	35
PID 2072 wrote to memory of 2816	2072	launcher.exe	37
PID 2072 wrote to memory of 2816	2072	launcher.exe	37
PID 2072 wrote to memory of 2816	2072	launcher.exe	37
PID 2072 wrote to memory of 2536	2072	launcher.exe	38
PID 2072 wrote to memory of 2536	2072	launcher.exe	38
PID 2072 wrote to memory of 2536	2072	launcher.exe	38
PID 2072 wrote to memory of 2008	2072	launcher.exe	40
PID 2072 wrote to memory of 2008	2072	launcher.exe	40
PID 2072 wrote to memory of 2008	2072	launcher.exe	40
PID 2660 wrote to memory of 2280	2660	launcher.exe	41
PID 2660 wrote to memory of 2280	2660	launcher.exe	41
PID 2660 wrote to memory of 2280	2660	launcher.exe	41
PID 2660 wrote to memory of 2400	2660	launcher.exe	43
PID 2660 wrote to memory of 2400	2660	launcher.exe	43
PID 2660 wrote to memory of 2400	2660	launcher.exe	43
PID 2660 wrote to memory of 2416	2660	launcher.exe	44
PID 2660 wrote to memory of 2416	2660	launcher.exe	44
PID 2660 wrote to memory of 2416	2660	launcher.exe	44
PID 2660 wrote to memory of 1948	2660	launcher.exe	46
PID 2660 wrote to memory of 1948	2660	launcher.exe	46
PID 2660 wrote to memory of 1948	2660	launcher.exe	46
PID 2660 wrote to memory of 1808	2660	launcher.exe	47
PID 2660 wrote to memory of 1808	2660	launcher.exe	47
PID 2660 wrote to memory of 1808	2660	launcher.exe	47
PID 2660 wrote to memory of 2520	2660	launcher.exe	49
PID 2660 wrote to memory of 2520	2660	launcher.exe	49
PID 2660 wrote to memory of 2520	2660	launcher.exe	49
PID 2008 wrote to memory of 1820	2008	Otupevi.exe	50
PID 2008 wrote to memory of 1820	2008	Otupevi.exe	50
PID 2008 wrote to memory of 1820	2008	Otupevi.exe	50
PID 2400 wrote to memory of 740	2400	launcher.exe	51
PID 2400 wrote to memory of 740	2400	launcher.exe	51
PID 2400 wrote to memory of 740	2400	launcher.exe	51
PID 2400 wrote to memory of 1384	2400	launcher.exe	53
PID 2400 wrote to memory of 1384	2400	launcher.exe	53
PID 2400 wrote to memory of 1384	2400	launcher.exe	53
PID 2400 wrote to memory of 1540	2400	launcher.exe	54
PID 2400 wrote to memory of 1540	2400	launcher.exe	54
PID 2400 wrote to memory of 1540	2400	launcher.exe	54
PID 2400 wrote to memory of 2908	2400	launcher.exe	56
PID 2400 wrote to memory of 2908	2400	launcher.exe	56
PID 2400 wrote to memory of 2908	2400	launcher.exe	56
PID 2400 wrote to memory of 2268	2400	launcher.exe	57
PID 2400 wrote to memory of 2268	2400	launcher.exe	57
PID 2400 wrote to memory of 2268	2400	launcher.exe	57
PID 2400 wrote to memory of 2964	2400	launcher.exe	59
PID 2400 wrote to memory of 2964	2400	launcher.exe	59
PID 2400 wrote to memory of 2964	2400	launcher.exe	59
PID 1384 wrote to memory of 3000	1384	launcher.exe	60
PID 1384 wrote to memory of 3000	1384	launcher.exe	60
PID 1384 wrote to memory of 3000	1384	launcher.exe	60
PID 1384 wrote to memory of 1824	1384	launcher.exe	62
PID 1384 wrote to memory of 1824	1384	launcher.exe	62
PID 1384 wrote to memory of 1824	1384	launcher.exe	62
PID 1384 wrote to memory of 2820	1384	launcher.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:740
  - - C:\Users\Admin\AppData\Local\Temp\launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        5⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
      - C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        7⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        8⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        9⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        10⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        11⤵
        Adds Run key to start application
        
        PID:2408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        12⤵
        Adds Run key to start application
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        13⤵
        Adds Run key to start application
        
        PID:304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        14⤵
        Adds Run key to start application
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        15⤵
        Adds Run key to start application
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        16⤵
        Adds Run key to start application
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        17⤵
        Adds Run key to start application
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        18⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        18⤵
        Adds Run key to start application
        
        PID:296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        19⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        19⤵
        Adds Run key to start application
        
        PID:752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        20⤵
        Adds Run key to start application
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        21⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        21⤵
        Adds Run key to start application
        
        PID:1288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        22⤵
        Adds Run key to start application
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        23⤵
        Adds Run key to start application
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        24⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        25⤵
        Adds Run key to start application
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        26⤵
        Adds Run key to start application
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        27⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        27⤵
        Adds Run key to start application
        
        PID:2268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        28⤵
        Adds Run key to start application
        
        PID:1416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        29⤵
        Adds Run key to start application
        
        PID:1988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        30⤵
        Adds Run key to start application
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        31⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        31⤵
        Adds Run key to start application
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        32⤵
        Adds Run key to start application
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        33⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        33⤵
        Adds Run key to start application
        
        PID:640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        34⤵
        Adds Run key to start application
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        35⤵
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
        36⤵
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        36⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        36⤵
        
        PID:1392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        36⤵
        
        PID:1552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        35⤵
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        35⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        35⤵
        
        PID:1712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        34⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        34⤵
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        34⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        34⤵
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        33⤵
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        33⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        33⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        32⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        32⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        32⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        31⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        31⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        31⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        30⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        30⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        30⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        29⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        29⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        28⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        28⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        28⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        28⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        27⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        27⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        27⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        26⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        26⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        25⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        25⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        25⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        25⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        24⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        24⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        24⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        23⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        23⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        22⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        22⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        22⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        22⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        21⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        21⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        21⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        21⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        20⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        20⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        20⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        19⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        19⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        18⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        18⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        18⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        17⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        17⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        17⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        16⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        15⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        14⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        13⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        12⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
      - C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
      - C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
      "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
      4⤵
      Executes dropped EXE
      PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
    "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Otupevi.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Otupevi.exe
  "C:\Users\Admin\AppData\Local\Temp\Otupevi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2008 -s 768
    3⤵
    PID:1820

C:\Windows\system32\taskeng.exe
taskeng.exe {BBE6AEB1-95AC-4B72-BCF0-51990E0F237D} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
PID:1520
- C:\Users\Admin\AppData\Roaming\msedge.exe
  C:\Users\Admin\AppData\Roaming\msedge.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Users\Admin\AppData\Roaming\msedge.exe
  C:\Users\Admin\AppData\Roaming\msedge.exe
  2⤵
  - Executes dropped EXE
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Otupevi.exe

Filesize
121KB

MD5
8ec6238ed8d4909bdde76b64fb9d1e7f

SHA1
5b8fcf12943eb425e47ba2e09a760a465fde9085

SHA256
cecbc104cfe47d1488d61b4e23b518476f194122539965c20309aa01067712b5

SHA512
75281075f3732c1ba70fc0a372facd8714d14bf4a7c7fbce16d3fb51fdcaf2fc5207a769ef109e836e2d4946b42a444f571cbc4349a6444b0f2387d028accebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
62KB

MD5
f1189afc4cd432fb5f8725b72ed03ff5

SHA1
ab953a4f598e15a185473b364a39996491f1b4b8

SHA256
7091e399cf8e6a69d5fca8f007d8588cef7529aecf1e74c7d39b885edd448fff

SHA512
d74662b5d786dde5617332821f30c9e472fac0cde0cc3c314ad52ac87bcced2c154823d879a2f581da064348562e4f880dc3df88240ce7ecb1da64be8e2687e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6bdfaf2be21e40bfc5819f9a55a9e570

SHA1
4907368d9e63b7327d5ea9c20a6707490a35f26d

SHA256
635d101e13860fc4853da6b289e89a77aeff47e58e3f49dc2570d20fe0ed9a74

SHA512
3ed06bd167747615461c1aa39b7f2b6b00793c1e63443fd72637ccae01b724d8b2d71f0d13fcc3379ff52ebf2884b0db67ac04a8ee0b3438e007d1bb6f59131d

Download Submit
memory/1360-382-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/2008-32-0x0000000000B40000-0x0000000000B64000-memory.dmp

Filesize
144KB

Download
memory/2072-33-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/2072-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-1-0x0000000000C90000-0x0000000000CDE000-memory.dmp

Filesize
312KB

Download
memory/2236-232-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/2240-15-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2240-14-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2692-8-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2692-7-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2816-21-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2820-82-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download