quasar | 0d38abd43b866126e6a2a8ee78aba24054efdb35c5246873e7a1b4ff8bf2b73f

Analysis

max time kernel
35s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

downloader.exe
Size

30.1MB
MD5

b4ac244eb3169d45369fda7755b57aaa
SHA1

a53bab23eb3cf42cc2fa7c6d5930fedd9256598d
SHA256

0d38abd43b866126e6a2a8ee78aba24054efdb35c5246873e7a1b4ff8bf2b73f
SHA512

fd959e643dba2cc352c5aad20f71cbd2cf6d01cfe6c4b88f5a960d983a1967a4a5c49650da99f28c44210d82c4b873755c486ffb93c373ea242c13b3bafb2184
SSDEEP

393216:R8oimu7izBxR3QRzhzvQ99Sq8lu0q5tDJKoWSxJGBL7almo+AJCcLKAz:R9w9wD5xUelbJCcr

Score

10^/10

quasar xworm office04 execution persistence rat spyware trojan

Malware Config

Extracted

Family

xworm

Version

3.1

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

arialHdgr-58896.portmap.host:58896

Mutex

2cecb63d-fdd8-4df2-9a01-6292b8e28a97

Attributes

encryption_key
54BC8ACC512CFAA23B60AF87FED03E51AE199A20
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Detect Xworm Payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023b7b-11.dat	family_xworm
behavioral2/files/0x000a000000023b7c-22.dat	family_xworm
behavioral2/files/0x000a000000023b7d-31.dat	family_xworm
behavioral2/memory/1152-43-0x0000000000AB0000-0x0000000000AE0000-memory.dmp	family_xworm
behavioral2/memory/4108-50-0x0000000000130000-0x0000000000172000-memory.dmp	family_xworm
behavioral2/memory/2316-62-0x0000000000AC0000-0x0000000000AE4000-memory.dmp	family_xworm
behavioral2/files/0x0031000000023b7f-66.dat	family_xworm
behavioral2/memory/5112-68-0x0000000000640000-0x0000000000664000-memory.dmp	family_xworm
behavioral2/files/0x000a000000023b7e-56.dat	family_xworm
behavioral2/memory/3316-44-0x0000000000F90000-0x0000000000FBA000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0031000000023b80-70.dat	family_quasar
behavioral2/memory/3704-72-0x0000000000950000-0x0000000000C74000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1164	powershell.exe
1724	powershell.exe
4448	powershell.exe
4668	powershell.exe
1312	powershell.exe
4176	powershell.exe
976	powershell.exe
3716	powershell.exe
2164	powershell.exe
1496	powershell.exe
1736	powershell.exe
2700	powershell.exe
5048	powershell.exe
4488	powershell.exe
2580	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

notepad.exenotepad.exeSearchFilterHost.exeSecurityHealthSystray.exeOneDrive.exeWmiPrvSE.exeregedit.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	notepad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	notepad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SearchFilterHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	SecurityHealthSystray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	regedit.exe

Drops startup file 10 IoCs

Processes:

WmiPrvSE.exeSecurityHealthSystray.exeSearchFilterHost.exeOneDrive.exeregedit.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe

Executes dropped EXE 13 IoCs

Processes:

notepad.exeOneDrive.exeSearchFilterHost.exeSecurityHealthSystray.exeWmiPrvSE.exeregedit.execlient-built.exenotepad.exeOneDrive.exeSearchFilterHost.exeSecurityHealthSystray.exeWmiPrvSE.exeregedit.exe

pid	Process
1084	notepad.exe
1152	OneDrive.exe
3316	SearchFilterHost.exe
4108	SecurityHealthSystray.exe
2316	WmiPrvSE.exe
5112	regedit.exe
3704	client-built.exe
4420	notepad.exe
3012	OneDrive.exe
5016	SearchFilterHost.exe
3248	SecurityHealthSystray.exe
5020	WmiPrvSE.exe
4872	regedit.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

OneDrive.exeWmiPrvSE.exeSecurityHealthSystray.exeregedit.exeSearchFilterHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\ProgramData\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit = "C:\\Users\\Public\\regedit.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
5	raw.githubusercontent.com
8	raw.githubusercontent.com
12	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Runs regedit.exe 2 IoCs

Processes:

regedit.exeregedit.exe

pid	Process
5112	regedit.exe
4872	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1224	schtasks.exe
3504	schtasks.exe
32	schtasks.exe
2040	schtasks.exe
2772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

pid	Process
4176	powershell.exe
1496	powershell.exe
1312	powershell.exe
4176	powershell.exe
5048	powershell.exe
976	powershell.exe
976	powershell.exe
1496	powershell.exe
1496	powershell.exe
1312	powershell.exe
1312	powershell.exe
5048	powershell.exe
5048	powershell.exe
976	powershell.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
1164	powershell.exe
4488	powershell.exe
2580	powershell.exe
2580	powershell.exe
1724	powershell.exe
1724	powershell.exe
1164	powershell.exe
4488	powershell.exe
2164	powershell.exe
1736	powershell.exe
2700	powershell.exe
2164	powershell.exe
2700	powershell.exe
4448	powershell.exe
4668	powershell.exe
4668	powershell.exe
1736	powershell.exe
4448	powershell.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

OneDrive.exeSearchFilterHost.exeSecurityHealthSystray.exeWmiPrvSE.exeregedit.execlient-built.exeOneDrive.exeSearchFilterHost.exeSecurityHealthSystray.exeWmiPrvSE.exeregedit.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exe

description	pid	Process
Token: SeDebugPrivilege	1152	OneDrive.exe
Token: SeDebugPrivilege	3316	SearchFilterHost.exe
Token: SeDebugPrivilege	4108	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2316	WmiPrvSE.exe
Token: SeDebugPrivilege	5112	regedit.exe
Token: SeDebugPrivilege	3704	client-built.exe
Token: SeDebugPrivilege	3012	OneDrive.exe
Token: SeDebugPrivilege	5016	SearchFilterHost.exe
Token: SeDebugPrivilege	3248	SecurityHealthSystray.exe
Token: SeDebugPrivilege	5020	WmiPrvSE.exe
Token: SeDebugPrivilege	4872	regedit.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1152	OneDrive.exe
Token: SeDebugPrivilege	5112	regedit.exe
Token: SeDebugPrivilege	2316	WmiPrvSE.exe
Token: SeDebugPrivilege	4108	SecurityHealthSystray.exe
Token: SeDebugPrivilege	3316	SearchFilterHost.exe
Token: SeDebugPrivilege	3636	taskmgr.exe
Token: SeSystemProfilePrivilege	3636	taskmgr.exe
Token: SeCreateGlobalPrivilege	3636	taskmgr.exe
Token: 33	3636	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3636	taskmgr.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

client-built.exetaskmgr.exe

pid	Process
3704	client-built.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe

Suspicious use of SendNotifyMessage 42 IoCs

Processes:

client-built.exetaskmgr.exe

pid	Process
3704	client-built.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe
3636	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

downloader.execmd.exenotepad.execmd.execmd.exenotepad.exeSearchFilterHost.exeSecurityHealthSystray.exeOneDrive.exeWmiPrvSE.exeregedit.exe

description	pid	Process	procid_target
PID 4504 wrote to memory of 1884	4504	downloader.exe	83
PID 4504 wrote to memory of 1884	4504	downloader.exe	83
PID 1884 wrote to memory of 1084	1884	cmd.exe	84
PID 1884 wrote to memory of 1084	1884	cmd.exe	84
PID 1084 wrote to memory of 1152	1084	notepad.exe	85
PID 1084 wrote to memory of 1152	1084	notepad.exe	85
PID 1084 wrote to memory of 3316	1084	notepad.exe	86
PID 1084 wrote to memory of 3316	1084	notepad.exe	86
PID 1084 wrote to memory of 4108	1084	notepad.exe	87
PID 1084 wrote to memory of 4108	1084	notepad.exe	87
PID 1084 wrote to memory of 2316	1084	notepad.exe	88
PID 1084 wrote to memory of 2316	1084	notepad.exe	88
PID 4504 wrote to memory of 32	4504	downloader.exe	89
PID 4504 wrote to memory of 32	4504	downloader.exe	89
PID 1084 wrote to memory of 5112	1084	notepad.exe	90
PID 1084 wrote to memory of 5112	1084	notepad.exe	90
PID 32 wrote to memory of 3704	32	cmd.exe	91
PID 32 wrote to memory of 3704	32	cmd.exe	91
PID 4504 wrote to memory of 4564	4504	downloader.exe	92
PID 4504 wrote to memory of 4564	4504	downloader.exe	92
PID 4564 wrote to memory of 4420	4564	cmd.exe	93
PID 4564 wrote to memory of 4420	4564	cmd.exe	93
PID 4420 wrote to memory of 3012	4420	notepad.exe	94
PID 4420 wrote to memory of 3012	4420	notepad.exe	94
PID 4420 wrote to memory of 5016	4420	notepad.exe	95
PID 4420 wrote to memory of 5016	4420	notepad.exe	95
PID 4420 wrote to memory of 3248	4420	notepad.exe	96
PID 4420 wrote to memory of 3248	4420	notepad.exe	96
PID 4420 wrote to memory of 5020	4420	notepad.exe	97
PID 4420 wrote to memory of 5020	4420	notepad.exe	97
PID 4420 wrote to memory of 4872	4420	notepad.exe	98
PID 4420 wrote to memory of 4872	4420	notepad.exe	98
PID 3316 wrote to memory of 1312	3316	SearchFilterHost.exe	99
PID 3316 wrote to memory of 1312	3316	SearchFilterHost.exe	99
PID 4108 wrote to memory of 1496	4108	SecurityHealthSystray.exe	100
PID 4108 wrote to memory of 1496	4108	SecurityHealthSystray.exe	100
PID 1152 wrote to memory of 4176	1152	OneDrive.exe	101
PID 1152 wrote to memory of 4176	1152	OneDrive.exe	101
PID 2316 wrote to memory of 5048	2316	WmiPrvSE.exe	105
PID 2316 wrote to memory of 5048	2316	WmiPrvSE.exe	105
PID 5112 wrote to memory of 976	5112	regedit.exe	107
PID 5112 wrote to memory of 976	5112	regedit.exe	107
PID 1152 wrote to memory of 3716	1152	OneDrive.exe	109
PID 1152 wrote to memory of 3716	1152	OneDrive.exe	109
PID 4108 wrote to memory of 4488	4108	SecurityHealthSystray.exe	111
PID 4108 wrote to memory of 4488	4108	SecurityHealthSystray.exe	111
PID 3316 wrote to memory of 1164	3316	SearchFilterHost.exe	113
PID 3316 wrote to memory of 1164	3316	SearchFilterHost.exe	113
PID 2316 wrote to memory of 2580	2316	WmiPrvSE.exe	115
PID 2316 wrote to memory of 2580	2316	WmiPrvSE.exe	115
PID 5112 wrote to memory of 1724	5112	regedit.exe	117
PID 5112 wrote to memory of 1724	5112	regedit.exe	117
PID 1152 wrote to memory of 2164	1152	OneDrive.exe	119
PID 1152 wrote to memory of 2164	1152	OneDrive.exe	119
PID 2316 wrote to memory of 1736	2316	WmiPrvSE.exe	120
PID 2316 wrote to memory of 1736	2316	WmiPrvSE.exe	120
PID 3316 wrote to memory of 2700	3316	SearchFilterHost.exe	123
PID 3316 wrote to memory of 2700	3316	SearchFilterHost.exe	123
PID 5112 wrote to memory of 4448	5112	regedit.exe	125
PID 5112 wrote to memory of 4448	5112	regedit.exe	125
PID 4108 wrote to memory of 4668	4108	SecurityHealthSystray.exe	126
PID 4108 wrote to memory of 4668	4108	SecurityHealthSystray.exe	126
PID 3316 wrote to memory of 2772	3316	SearchFilterHost.exe	129
PID 3316 wrote to memory of 2772	3316	SearchFilterHost.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\notepad.exe
    "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
      "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:32
  - - C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
      "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\regedit.exe
      "C:\Users\Admin\AppData\Local\Temp\regedit.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Runs regedit.exe
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\regedit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regedit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\regedit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "regedit" /tr "C:\Users\Public\regedit.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\client-built.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Users\Admin\AppData\Local\Temp\client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\notepad.exe
    "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
      "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
      "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
      "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\regedit.exe
      "C:\Users\Admin\AppData\Local\Temp\regedit.exe"
      4⤵
      Executes dropped EXE
      Runs regedit.exe
      Suspicious use of AdjustPrivilegeToken
      PID:4872

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19e1e2a79d89d1a806d9f998551c82a8

SHA1
3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd

SHA256
210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc

SHA512
da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67668db6b58b27a901b0f39b4ecc4860

SHA1
53d610904acc243780be1f91773475bfa7cfd6ee

SHA256
1c7238f064efd555bf174b09b470b5c4126da5681efc8a8889e139a74f472ed4

SHA512
9cdb241e1e66da3cc2fa7d749d888f30d4c88e9e7f705ebb5b346dc6e831eae96503d2269f560099f67a25c91a67d9b2cbf414d6c5d4aeed5fd2506e1f89af41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd80e8537a4308375e3e3f4dbb557900

SHA1
6bb856d22ffd6a3b0a75d40e3b07bc5609055639

SHA256
3280a6ec1f984e84bece6584b30a518762ebf661f5616ab2b9593ea9629811ae

SHA512
56a4ecb0af2723409335ba20b278677529ae8a02a73be6447f572e6acdc20d3ffec18999c4d014c3bad9090120944fe6bfa974ae4117e4f6d133e7727571f3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4e0e436119b0e4355763826d0f135ae3

SHA1
9ca623a30fd715241538fa729d7dd7f2e1986b7b

SHA256
1372d549ac7b4bdc53374653665b3def7b4028668ddc76dc80e54c1d64ee0973

SHA512
9e53527d71c46c1dc66bba032940a4263466057e5588b70ff3783c7bb9da0000add3b18f484090f1a4847925e57ece67a7b64f290e35f08e68aaa1ae18840dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
163KB

MD5
abd4141118794cd94979dc12bcded7b7

SHA1
27b11caedb23ea8dab4f36f5865a96e6e7f55806

SHA256
be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904

SHA512
d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe

Filesize
145KB

MD5
40324e8a46ec891bcb5300f51ddfc335

SHA1
bc5c53d890371bd472c707da8e84c3925bf077d5

SHA256
cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c

SHA512
5b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

Filesize
243KB

MD5
f32ac010fcdbc8f8a5582c339ec9d9ea

SHA1
20c06c5a174504c4e28c9aa0b51a62ab8f5c70cb

SHA256
88835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18

SHA512
9798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe

Filesize
124KB

MD5
16caf66537fe87d8d9b6a4eb34d9dbff

SHA1
4a399f4229ea5b27963d467223fd4ceb89e545f5

SHA256
64cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26

SHA512
a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uf1zzb5k.2i2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\client-built.exe

Filesize
3.1MB

MD5
6d55f6d36c905ba606bd6de3d8219abd

SHA1
b4d56ffc28e10b10d1c34a6f012246943403699c

SHA256
cb3d608f1ec09b6d3d4d93062037f2343767446a4b97cd65ed1bd32c0a9c22cc

SHA512
71b3a8c07b4a9cce9bbfeb15e3653742f9359dc5b64f6b5bcdac39ca3acbfa520e66717bed3d978f28532eb62234734b2aadde0d9d585287725f472b6868bb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
909KB

MD5
74b16801ca2365d3b29e6194237c665a

SHA1
9d172c5a08c68e8134eaad60063071662afd5057

SHA256
8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f

SHA512
8201c89ce2e7eab9b5bfe3f8da956c73604261e83a3bf5d267be6a9b44790ec714e22a0ddfbc9fd009395893ef68864e5fac54172aceb568aec2270de6700567

Download Submit
C:\Users\Admin\AppData\Local\Temp\regedit.exe

Filesize
121KB

MD5
005b549e8fa8f966d1c0ce845cfaffce

SHA1
4dc69fa135bec170229863f4d7320b402698cef1

SHA256
8befb7faacdffeb7dd84b629ec7066ed1baf3947a6ed8c1ac8432335e3b2828b

SHA512
1169ec7a0628a03ecb8a924527fa03dd0d391f9d0bf2a537e9ee7022265bfeba57b85759507fbc4962f10a5f43f2ea86d8c18cbf00aa8f5b9a2323174a9663ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk

Filesize
787B

MD5
142fe2514a88f6b84a0f4c843017fb41

SHA1
810cb5a03c52e99d25a76670bedb36e5b6748e4e

SHA256
88ebd13119bf7d32f642d913431d302a9377479fbf254ccf911ffcb7d9e21af4

SHA512
8c7b2e995a4510f7b8f2c7924b969dacbba62a48063429e04c9f453aa338a64839dc9ad334aff10a1ebb6fa6bb765d5e829488eaac496cf7ffb5b6fdc8341d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk

Filesize
827B

MD5
b7cb03db826d6f828d7e38e0ffeab36e

SHA1
0e6f9c7c8f2afe2b6a1ee04c45ce54c69a64900a

SHA256
95d1091b4de9e30a9e674d3b08e0711bf16911b33e9d5c40aa69b11b8c62d226

SHA512
83875e271fd96b855745aff3627861146da12e553c6026c7e57659e73ce6ab58ee943d2f7818a9e3904a95328d6897d3839bdaf29b71aee6c783ff0324141ace

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk

Filesize
742B

MD5
1f57a14bac0e6f65b9fed449aa55f71b

SHA1
4c76a62efb05b33bc986fc00b8fef3345ee9966f

SHA256
e24b2541fa4e024768921037ac3c69928a1d24e63443cb21ad2c3d83c102ac65

SHA512
9566c8f6272343cfb9c7f31a57882d937b0e3eb55ac2c47f3a6a7cabe00cf2f1895dfca978ede2e98e380fb111f3873766ac7f82bdacda2e926026041d09082a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk

Filesize
677B

MD5
0822460f182dc62ce2613f9cebf8381a

SHA1
86a50035ee3514a03d6e965878e59aa1ffc55187

SHA256
d74095a9234b1d7622ca5037cc352eaf2dbec00269b9da7ef404258a5e356faa

SHA512
d331736655184420597d192a7b683f9c1125241971dd7ac753743ead107a15fb97912ac8197e98c36c91c0621dcdd4798e5341f0764cda9e79d0679fb09f1725

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk

Filesize
988B

MD5
18b8b117d1864d0e47c9c5f23896568c

SHA1
16d3871daf39adf172aac34fb4a66df5460793bf

SHA256
4d3a66d4026fb0d36225c731e07f965a2ef068e6508b70dc1a59e1cb3f6dbb1b

SHA512
733d84fc140b6b13c28b56bdfa03bbd238e603f117174f592cbfc2ad5f59433834b14c36c4138bd66f3b67cc6a22034e535403416b749161f3fd6e15c8ae291a

Download Submit
memory/1084-5-0x00007FFCFCB63000-0x00007FFCFCB65000-memory.dmp

Filesize
8KB

Download
memory/1084-6-0x0000000000280000-0x0000000000368000-memory.dmp

Filesize
928KB

Download
memory/1152-43-0x0000000000AB0000-0x0000000000AE0000-memory.dmp

Filesize
192KB

Download
memory/2316-62-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/3316-44-0x0000000000F90000-0x0000000000FBA000-memory.dmp

Filesize
168KB

Download
memory/3636-308-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-307-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-298-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-299-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-303-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-309-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-304-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-297-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-306-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3636-305-0x0000017697180000-0x0000017697181000-memory.dmp

Filesize
4KB

Download
memory/3704-72-0x0000000000950000-0x0000000000C74000-memory.dmp

Filesize
3.1MB

Download
memory/3704-84-0x000000001C480000-0x000000001C532000-memory.dmp

Filesize
712KB

Download
memory/3704-83-0x000000001C370000-0x000000001C3C0000-memory.dmp

Filesize
320KB

Download
memory/4108-50-0x0000000000130000-0x0000000000172000-memory.dmp

Filesize
264KB

Download
memory/4176-85-0x00000151E2CD0000-0x00000151E2CF2000-memory.dmp

Filesize
136KB

Download
memory/5112-68-0x0000000000640000-0x0000000000664000-memory.dmp

Filesize
144KB

Download