xworm | 7eb2dfba9b11c74bde2304ae669e92acdd75df672df7f12aa7de609fcc6bb8b4

Analysis

max time kernel
124s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

downloader.exe
Size

70.1MB
MD5

d30d0e33a9ea2f4bbdad9eeb6d24d995
SHA1

0a2fd43a5834fd742521a56d78c650fed9e6f62f
SHA256

7eb2dfba9b11c74bde2304ae669e92acdd75df672df7f12aa7de609fcc6bb8b4
SHA512

8ebb045789844ca8108b394f34f8c872b98ade89c11e36f0be0e1bbbc58a04fd82d0ea8639d451cf4d6641ce08c8738897416864da4d9a87124cc8ea21672170
SSDEEP

393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qnsGg4GUo3Nl:lWoI7zGV5ahWc3Im3

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

83.38.28.117:1603

Attributes

Install_directory
%ProgramData%
install_file
OneDrive.exe

Signatures

Detect Xworm Payload 12 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000233e0-13.dat	family_xworm
behavioral2/files/0x000b0000000233e2-41.dat	family_xworm
behavioral2/files/0x00070000000234a0-71.dat	family_xworm
behavioral2/files/0x00070000000234a1-101.dat	family_xworm
behavioral2/memory/2656-94-0x00000000005D0000-0x00000000005FC000-memory.dmp	family_xworm
behavioral2/memory/5032-124-0x0000000000E80000-0x0000000000EA8000-memory.dmp	family_xworm
behavioral2/files/0x00070000000234a2-181.dat	family_xworm
behavioral2/files/0x000900000002349d-184.dat	family_xworm
behavioral2/memory/2504-187-0x0000000000AA0000-0x0000000000AC2000-memory.dmp	family_xworm
behavioral2/memory/3828-188-0x00000000009D0000-0x00000000009E6000-memory.dmp	family_xworm
behavioral2/memory/4404-128-0x0000000000290000-0x00000000002A6000-memory.dmp	family_xworm
behavioral2/memory/1976-189-0x0000000000760000-0x00000000007A4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4776	powershell.exe
3552	powershell.exe
4464	powershell.exe
3764	powershell.exe
2428	powershell.exe
2864	powershell.exe
232	powershell.exe
2124	powershell.exe
1632	powershell.exe
4940	powershell.exe
5008	powershell.exe
4220	powershell.exe
3564	powershell.exe
1916	powershell.exe
3988	powershell.exe
3748	powershell.exe
3932	powershell.exe
4748	powershell.exe
3532	powershell.exe
1948	powershell.exe
1192	powershell.exe
452	powershell.exe
5004	powershell.exe
1136	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	SecurityHealthSystray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	notepad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	SearchFilterHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	svhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Drops startup file 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Runtime Broker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	Runtime Broker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	svhost.exe

Executes dropped EXE 17 IoCs

pid	Process
828	notepad.exe
2656	OneDrive.exe
4404	Runtime Broker.exe
5032	SearchFilterHost.exe
1976	SecurityHealthSystray.exe
3828	svhost.exe
2504	WmiPrvSE.exe
2128	SecurityHealthSystray.exe
2028	SearchFilterHost.exe
1496	OneDrive.exe
3372	WmiPrvSE.exe
2928	Runtime Broker.exe
3688	SearchFilterHost.exe
4852	SecurityHealthSystray.exe
748	OneDrive.exe
4076	WmiPrvSE.exe
4540	Runtime Broker.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe"	svhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Users\\Admin\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe"	Runtime Broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe
5052	schtasks.exe
3096	schtasks.exe
2780	schtasks.exe
828	schtasks.exe
376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3748	powershell.exe
3748	powershell.exe
2428	powershell.exe
2428	powershell.exe
452	powershell.exe
452	powershell.exe
3748	powershell.exe
5004	powershell.exe
5004	powershell.exe
3932	powershell.exe
3932	powershell.exe
4940	powershell.exe
4940	powershell.exe
452	powershell.exe
2428	powershell.exe
4940	powershell.exe
3932	powershell.exe
5004	powershell.exe
2864	powershell.exe
2864	powershell.exe
5008	powershell.exe
5008	powershell.exe
232	powershell.exe
232	powershell.exe
4748	powershell.exe
4748	powershell.exe
3564	powershell.exe
3564	powershell.exe
4776	powershell.exe
4776	powershell.exe
232	powershell.exe
2864	powershell.exe
4776	powershell.exe
5008	powershell.exe
4748	powershell.exe
3564	powershell.exe
4220	powershell.exe
4220	powershell.exe
1916	powershell.exe
1916	powershell.exe
2124	powershell.exe
2124	powershell.exe
4220	powershell.exe
3532	powershell.exe
3532	powershell.exe
3532	powershell.exe
1136	powershell.exe
1136	powershell.exe
1916	powershell.exe
1948	powershell.exe
1948	powershell.exe
2124	powershell.exe
1136	powershell.exe
1948	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
4464	powershell.exe
4464	powershell.exe
1192	powershell.exe
1192	powershell.exe
3988	powershell.exe
3988	powershell.exe
4464	powershell.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	OneDrive.exe
Token: SeDebugPrivilege	5032	SearchFilterHost.exe
Token: SeDebugPrivilege	4404	Runtime Broker.exe
Token: SeDebugPrivilege	2504	WmiPrvSE.exe
Token: SeDebugPrivilege	3828	svhost.exe
Token: SeDebugPrivilege	1976	SecurityHealthSystray.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1976	SecurityHealthSystray.exe
Token: SeDebugPrivilege	5032	SearchFilterHost.exe
Token: SeDebugPrivilege	2504	WmiPrvSE.exe
Token: SeDebugPrivilege	4404	Runtime Broker.exe
Token: SeDebugPrivilege	2656	OneDrive.exe
Token: SeDebugPrivilege	3828	svhost.exe
Token: SeDebugPrivilege	2028	SearchFilterHost.exe
Token: SeDebugPrivilege	2128	SecurityHealthSystray.exe
Token: SeDebugPrivilege	1496	OneDrive.exe
Token: SeDebugPrivilege	3372	WmiPrvSE.exe
Token: SeDebugPrivilege	2928	Runtime Broker.exe
Token: SeDebugPrivilege	4852	SecurityHealthSystray.exe
Token: SeDebugPrivilege	3688	SearchFilterHost.exe
Token: SeDebugPrivilege	748	OneDrive.exe
Token: SeDebugPrivilege	4076	WmiPrvSE.exe
Token: SeDebugPrivilege	4540	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4184	4508	downloader.exe	87
PID 4508 wrote to memory of 4184	4508	downloader.exe	87
PID 4508 wrote to memory of 4596	4508	downloader.exe	88
PID 4508 wrote to memory of 4596	4508	downloader.exe	88
PID 4184 wrote to memory of 828	4184	cmd.exe	89
PID 4184 wrote to memory of 828	4184	cmd.exe	89
PID 828 wrote to memory of 2656	828	notepad.exe	90
PID 828 wrote to memory of 2656	828	notepad.exe	90
PID 828 wrote to memory of 4404	828	notepad.exe	91
PID 828 wrote to memory of 4404	828	notepad.exe	91
PID 828 wrote to memory of 5032	828	notepad.exe	92
PID 828 wrote to memory of 5032	828	notepad.exe	92
PID 828 wrote to memory of 1976	828	notepad.exe	93
PID 828 wrote to memory of 1976	828	notepad.exe	93
PID 828 wrote to memory of 3828	828	notepad.exe	94
PID 828 wrote to memory of 3828	828	notepad.exe	94
PID 828 wrote to memory of 2504	828	notepad.exe	95
PID 828 wrote to memory of 2504	828	notepad.exe	95
PID 4508 wrote to memory of 4928	4508	downloader.exe	96
PID 4508 wrote to memory of 4928	4508	downloader.exe	96
PID 2656 wrote to memory of 452	2656	OneDrive.exe	101
PID 2656 wrote to memory of 452	2656	OneDrive.exe	101
PID 5032 wrote to memory of 3748	5032	SearchFilterHost.exe	102
PID 5032 wrote to memory of 3748	5032	SearchFilterHost.exe	102
PID 4404 wrote to memory of 2428	4404	Runtime Broker.exe	103
PID 4404 wrote to memory of 2428	4404	Runtime Broker.exe	103
PID 3828 wrote to memory of 5004	3828	svhost.exe	107
PID 3828 wrote to memory of 5004	3828	svhost.exe	107
PID 1976 wrote to memory of 4940	1976	SecurityHealthSystray.exe	109
PID 1976 wrote to memory of 4940	1976	SecurityHealthSystray.exe	109
PID 2504 wrote to memory of 3932	2504	WmiPrvSE.exe	108
PID 2504 wrote to memory of 3932	2504	WmiPrvSE.exe	108
PID 4404 wrote to memory of 2864	4404	Runtime Broker.exe	113
PID 4404 wrote to memory of 2864	4404	Runtime Broker.exe	113
PID 2656 wrote to memory of 232	2656	OneDrive.exe	114
PID 2656 wrote to memory of 232	2656	OneDrive.exe	114
PID 5032 wrote to memory of 5008	5032	SearchFilterHost.exe	116
PID 5032 wrote to memory of 5008	5032	SearchFilterHost.exe	116
PID 1976 wrote to memory of 4748	1976	SecurityHealthSystray.exe	119
PID 1976 wrote to memory of 4748	1976	SecurityHealthSystray.exe	119
PID 3828 wrote to memory of 3564	3828	svhost.exe	121
PID 3828 wrote to memory of 3564	3828	svhost.exe	121
PID 2504 wrote to memory of 4776	2504	WmiPrvSE.exe	122
PID 2504 wrote to memory of 4776	2504	WmiPrvSE.exe	122
PID 2656 wrote to memory of 2124	2656	OneDrive.exe	126
PID 2656 wrote to memory of 2124	2656	OneDrive.exe	126
PID 5032 wrote to memory of 4220	5032	SearchFilterHost.exe	127
PID 5032 wrote to memory of 4220	5032	SearchFilterHost.exe	127
PID 4404 wrote to memory of 1916	4404	Runtime Broker.exe	130
PID 4404 wrote to memory of 1916	4404	Runtime Broker.exe	130
PID 2504 wrote to memory of 1136	2504	WmiPrvSE.exe	132
PID 2504 wrote to memory of 1136	2504	WmiPrvSE.exe	132
PID 1976 wrote to memory of 3532	1976	SecurityHealthSystray.exe	134
PID 1976 wrote to memory of 3532	1976	SecurityHealthSystray.exe	134
PID 3828 wrote to memory of 1948	3828	svhost.exe	136
PID 3828 wrote to memory of 1948	3828	svhost.exe	136
PID 5032 wrote to memory of 3552	5032	SearchFilterHost.exe	138
PID 5032 wrote to memory of 3552	5032	SearchFilterHost.exe	138
PID 1976 wrote to memory of 4464	1976	SecurityHealthSystray.exe	139
PID 1976 wrote to memory of 4464	1976	SecurityHealthSystray.exe	139
PID 4404 wrote to memory of 1192	4404	Runtime Broker.exe	142
PID 4404 wrote to memory of 1192	4404	Runtime Broker.exe	142
PID 2656 wrote to memory of 3988	2656	OneDrive.exe	144
PID 2656 wrote to memory of 3988	2656	OneDrive.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\notepad.exe
    "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\OneDrive.exe
      "C:\Users\Admin\OneDrive.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:828
  - - C:\Users\Admin\Runtime Broker.exe
      "C:\Users\Admin\Runtime Broker.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
  - - C:\Users\Admin\SearchFilterHost.exe
      "C:\Users\Admin\SearchFilterHost.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5052
  - - C:\Users\Admin\SecurityHealthSystray.exe
      "C:\Users\Admin\SecurityHealthSystray.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\SecurityHealthSystray.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1672
  - - C:\Users\Admin\svhost.exe
      "C:\Users\Admin\svhost.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:376
  - - C:\Users\Admin\WmiPrvSE.exe
      "C:\Users\Admin\WmiPrvSE.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Admin\WmiPrvSE.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\clientquasar.exe""
  2⤵
  PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\clientquasar.exe""
  2⤵
  PID:4928

C:\Users\Admin\SearchFilterHost.exe
C:\Users\Admin\SearchFilterHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\SecurityHealthSystray.exe
C:\Users\Admin\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\WmiPrvSE.exe
C:\Users\Admin\WmiPrvSE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Users\Admin\SearchFilterHost.exe
C:\Users\Admin\SearchFilterHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Users\Admin\SecurityHealthSystray.exe
C:\Users\Admin\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\WmiPrvSE.exe
C:\Users\Admin\WmiPrvSE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b4b6d4cc52b5a3a71149b1f33d94d5de

SHA1
97d3dbdd24919eab70e3b14c68797cefc07e90dd

SHA256
da8c02ce00d5b1e6d4c3667465c7bbc14d7cd5227eb634f3d9690afd488267fe

SHA512
fc894f03709b83df7d2fca2779e1e60549078b67bcdbff0b61c8e5a802982210ae971309c1f92577573299288963ab5c95c6b38cbaedf53dc6062812c57a97af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3db1c0d23daacf01eb99125ccc2787d3

SHA1
0849528de1ba411279231d635d8f39d54cc829d2

SHA256
bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582

SHA512
3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b1a1d8b05525b7b0c5babfd80488c1f2

SHA1
c85bbd6b7d0143676916c20fd52720499c2bb5c6

SHA256
adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

SHA512
346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
180d625c642c77f5ecb22a931386d4f1

SHA1
40ece9809832a3e9b64a15f3a8e37103a623709e

SHA256
7912843fecd215a598f33b1d0bfbf5d157c4e2996441dfc1573d7079435f2da2

SHA512
22c2ac7a3597f39ac20613f8cd1a93070338d39c2df821e424339eeb1942a40540ceee0cc46a11cd1becaaf8a857ff11bc18361563c6b90e08d6aab5c6122ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2b42be3fd861097ca28774b3089f6f81

SHA1
8901edab1a05e6ed8692f0edfcd4c00de2c25a29

SHA256
6ee9d3e07550cf4aeda7209d4aff4c2351dfe592182e2b5cc516d74217ada872

SHA512
7ae3a63debb043ffeb75e68c7d78abda5b10d1a2a45b50306788c224124a4d627a63da6e76c50dc2de5fc6235735fd78c0a56a7564b7cd133e031bd98f3e3f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0093819c829dd30c13746f256efba97f

SHA1
f095cbb1d10a54a91d7d341c4098d44973d3ec50

SHA256
5f936c252c9ed7d08d4a73b86230d9877173b44c36544f0b24eae3eb38617401

SHA512
72aac852de41473494d2263aa44dbabfb1f318f8a21ebdfe080c4a98b9288db07e9641a935d9a640b5e879f28a0560cae53bd4191ac94d315b87746e57e69af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3oqvlkej.3ne.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\clientquasar.exe

Filesize
6KB

MD5
307dca9c775906b8de45869cabe98fcd

SHA1
2b80c3a2fd4a235b2cc9f89315a554d0721c0dd1

SHA256
8437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c

SHA512
80c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
886KB

MD5
a523443bf25cca341b51bd8dc46950e1

SHA1
48f1fd847092aa7e4953d25900f2af4654a120d6

SHA256
8033de2d5e64df2df391ddebdc41c6c6041b552779550c2e5f10ceedfd63c7ec

SHA512
107d62c74351105d142eb8aabad237d72eb8d8257dc76843ffe1597fa00843d7e33249b2105eb443b96a2c72a3d46090f0dfe34815b6b4f3985a9942e82672d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk

Filesize
707B

MD5
4221ff479bb632df1a5c77e33651c5ec

SHA1
19b720cd55bb0216d4712406a234e9e31504f3f2

SHA256
c1ba92dbd74b238e79aa35cb2dc4cfdd990c751f94b98b99aad4e26360073822

SHA512
e5275e305437658612dd3b1254506055ce183d8a7523e5e8b86e256706625371d58621459162ff70389a252c0600dbeb4d90a436249c16cbb2bd2a1eed1d8240

Download Submit
C:\Users\Admin\OneDrive.exe

Filesize
152KB

MD5
731a6b0a94253742accfb68745e1a8b3

SHA1
8009be2cee155287255858e4106b93a1f9081d77

SHA256
e0518344c2ebcccbf4dc06bc767b2e63841efaf20a30383305933bc44bdbf72f

SHA512
2db891f4925ce0417cf521b665401f6e9a8f0e8d504ed1738af6e6ebcd2bb474bdf48dc3490959a63e8bbf331b89b0891e24bef41192702a88c41be86391be4b

Download Submit
C:\Users\Admin\Runtime Broker.exe

Filesize
62KB

MD5
fe7aa05ec37a488d26740405131c657a

SHA1
ec98d63efbbfafbc92bfdca3f537444b8130e6d6

SHA256
dace5f67e19e6db548a3584ebfe8d8264e48e17f9ba03ead495d29bc5069f12e

SHA512
2bb17bf278c46ae25b8c8b41caf13eb5d17a326330aa42731546eb1c6e43d23dc801604e465526747173b765a441ff6b6ca6fcd1a913284e9c1b13d3af782165

Download Submit
C:\Users\Admin\SearchFilterHost.exe

Filesize
134KB

MD5
17e9194b574ff0563f30ea83e6e46b7e

SHA1
37021016d7dffbb0babf4d17dd3a5af871ecc8d7

SHA256
da2c9d51a6b9fc72d25aaf6f72502cb5742138cd6f9c7677230b1908153e881e

SHA512
9651fe896061fc1cc547256216caefcf0873b41fde952d4f01d4b9b03891589c663252b52c8160f5edd637c30ec6e5a9968776c4f4dec4aa414a3e0cbd5a611c

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
244KB

MD5
7a3c0396f400ed103a14596b9e252f86

SHA1
63f69aca6502efa9b41dc6803e78de907af4bd6d

SHA256
e56ce77197e3e990bd956a2bac029860331965fdcaf7be99aae6218020611900

SHA512
b8103a9f17e62f24ff56727e51bc0696077f51f37c0b82be9df231ec0a762f3612292f51c788e4405f2b210f15659973015b04370587adddb8cb27939e1b6e6b

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
117KB

MD5
304b0209272898a289730544e19a96dd

SHA1
01a2fecb493f778c28f88bc3aee898cb3b3ef47d

SHA256
6a84c51aa73136918570b0719d268935d532f92b3d95fe36825dd50230f72029

SHA512
b88ee6237dbab70c59c8f26fe9d407e8cf1c319874fdb3f88a368d80b90e371585dddfcda98d5a87b88857f35c2998275f32750ecd856d0908afa6c4599e03f5

Download Submit
C:\Users\Admin\svhost.exe

Filesize
64KB

MD5
244889298e56dbbd4910cb00e945910b

SHA1
d857ead75977166f7c14df9ab128cce21c6aff96

SHA256
2298d1bd8e34e2c331d339ced7a2dfabba8d8fcd0644479a31a3ee0c04e3ef9b

SHA512
adc336364fafa060e7795eb5b640b363a846f61b749de029ffeadc2dbcc57c86b73ca322560c377985fab7fa1426c63825aae202fa4b9e45f7175938a5e79627

Download Submit
memory/828-8-0x0000000000340000-0x0000000000422000-memory.dmp

Filesize
904KB

Download
memory/1976-189-0x0000000000760000-0x00000000007A4000-memory.dmp

Filesize
272KB

Download
memory/2504-187-0x0000000000AA0000-0x0000000000AC2000-memory.dmp

Filesize
136KB

Download
memory/2656-94-0x00000000005D0000-0x00000000005FC000-memory.dmp

Filesize
176KB

Download
memory/3748-193-0x000001F1CD5E0000-0x000001F1CD602000-memory.dmp

Filesize
136KB

Download
memory/3828-188-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download
memory/4404-128-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/5032-124-0x0000000000E80000-0x0000000000EA8000-memory.dmp

Filesize
160KB

Download