Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02/11/2024, 00:01
General
-
Target
downloader.exe
-
Size
30.1MB
-
MD5
f492b89f4f36a71d994c7ce83f558579
-
SHA1
c8cdf059e7568e4430cebc265dba1d63938c2814
-
SHA256
a6a9fafb69e4b1e6c029d3662b1b2f4df6602971adf7b117829ad14eecfc88dc
-
SHA512
8b3dd729a99de147908e3091d736607f19d29bf1da2a1dd304db8bb561e5c2fd8df277737f52e61e238acc5a9c12de3626c459e5a8f3ad87161cc0bfa784b618
-
SSDEEP
393216:R8oimu7izBxR3QRzhzvQ99Sq8lu0q5tDJKoWSxJGBL7aQmo+AJCcLKAs:R9w9wD5xUeQbJCc0
Score
10/10
Malware Config
Extracted
Family
xworm
Version
3.1
C2
83.38.24.1:1603
Attributes
-
Install_directory
%Userprofile%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 10 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 34 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 10 IoCs
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Runs regedit.exe 31 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\downloader.exe"C:\Users\Admin\AppData\Local\Temp\downloader.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\regedit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regedit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\regedit.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "regedit" /tr "C:\Users\Public\regedit.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Executes dropped EXE
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\regedit.exe"C:\Users\Admin\AppData\Local\Temp\regedit.exe"4⤵
- Runs regedit.exe
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv iMBYMemNpEezJFEGoeAeKw.0.21⤵
-
C:\ProgramData\SecurityHealthSystray.exeC:\ProgramData\SecurityHealthSystray.exe1⤵
-
C:\ProgramData\WmiPrvSE.exeC:\ProgramData\WmiPrvSE.exe1⤵
-
C:\Users\Admin\SearchFilterHost.exeC:\Users\Admin\SearchFilterHost.exe1⤵
-
C:\Users\Public\regedit.exeC:\Users\Public\regedit.exe1⤵
- Runs regedit.exe
-
C:\Users\Admin\OneDrive.exeC:\Users\Admin\OneDrive.exe1⤵
-
C:\ProgramData\SecurityHealthSystray.exeC:\ProgramData\SecurityHealthSystray.exe1⤵
-
C:\Users\Admin\SearchFilterHost.exeC:\Users\Admin\SearchFilterHost.exe1⤵
-
C:\Users\Public\regedit.exeC:\Users\Public\regedit.exe1⤵
- Runs regedit.exe
-
C:\ProgramData\WmiPrvSE.exeC:\ProgramData\WmiPrvSE.exe1⤵
-
C:\Users\Admin\OneDrive.exeC:\Users\Admin\OneDrive.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
163KB
MD5abd4141118794cd94979dc12bcded7b7
SHA127b11caedb23ea8dab4f36f5865a96e6e7f55806
SHA256be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904
SHA512d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809
-
Filesize
145KB
MD540324e8a46ec891bcb5300f51ddfc335
SHA1bc5c53d890371bd472c707da8e84c3925bf077d5
SHA256cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c
SHA5125b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de
-
Filesize
243KB
MD5f32ac010fcdbc8f8a5582c339ec9d9ea
SHA120c06c5a174504c4e28c9aa0b51a62ab8f5c70cb
SHA25688835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18
SHA5129798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4
-
Filesize
124KB
MD516caf66537fe87d8d9b6a4eb34d9dbff
SHA14a399f4229ea5b27963d467223fd4ceb89e545f5
SHA25664cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26
SHA512a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
909KB
MD574b16801ca2365d3b29e6194237c665a
SHA19d172c5a08c68e8134eaad60063071662afd5057
SHA2568716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f
SHA5128201c89ce2e7eab9b5bfe3f8da956c73604261e83a3bf5d267be6a9b44790ec714e22a0ddfbc9fd009395893ef68864e5fac54172aceb568aec2270de6700567
-
Filesize
121KB
MD5005b549e8fa8f966d1c0ce845cfaffce
SHA14dc69fa135bec170229863f4d7320b402698cef1
SHA2568befb7faacdffeb7dd84b629ec7066ed1baf3947a6ed8c1ac8432335e3b2828b
SHA5121169ec7a0628a03ecb8a924527fa03dd0d391f9d0bf2a537e9ee7022265bfeba57b85759507fbc4962f10a5f43f2ea86d8c18cbf00aa8f5b9a2323174a9663ec
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
192KB
-
Filesize
928KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
264KB
-
Filesize
168KB
-
Filesize
144KB