dcrat | a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Size

1.5MB
MD5

e663bacf67d867450934809cff3fd749
SHA1

14fed8278438f7d659341d4642b99667e154d33b
SHA256

a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4
SHA512

957da6b848aa325dd63bdb65f772daa30b83d3396bb633725765fd8aa2888153cb871b0037768876ad3082885260fb4a5c8a5984391f210ee32eb087d7ff2411
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\Installer\\upfc.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\Installer\\upfc.exe\", \"C:\\Windows\\System32\\ServicingUAPI\\dllhost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Signals\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\Installer\\upfc.exe\", \"C:\\Windows\\System32\\ServicingUAPI\\dllhost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Signals\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App\\6.0.27\\ko\\sysmon.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\Installer\\upfc.exe\", \"C:\\Windows\\System32\\ServicingUAPI\\dllhost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\", \"C:\\Windows\\System32\\fhcpl\\dwm.exe\", \"C:\\Documents and Settings\\TextInputHost.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\", \"C:\\Windows\\Installer\\upfc.exe\", \"C:\\Windows\\System32\\ServicingUAPI\\dllhost.exe\", \"C:\\Windows\\System32\\Windows.Internal.Signals\\lsass.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\makecab\\spoolsv.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1436	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1436	schtasks.exe	82

UAC bypass 3 TTPs 54 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4032	powershell.exe
3444	powershell.exe
3948	powershell.exe
1868	powershell.exe
4724	powershell.exe
2348	powershell.exe
3368	powershell.exe
2264	powershell.exe
3940	powershell.exe
632	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe

Executes dropped EXE 17 IoCs

pid	Process
336	TextInputHost.exe
2248	TextInputHost.exe
908	TextInputHost.exe
1836	TextInputHost.exe
4776	TextInputHost.exe
3144	TextInputHost.exe
2376	TextInputHost.exe
4704	TextInputHost.exe
2828	TextInputHost.exe
4620	TextInputHost.exe
4428	TextInputHost.exe
3380	TextInputHost.exe
3096	TextInputHost.exe
3972	TextInputHost.exe
2148	TextInputHost.exe
4228	TextInputHost.exe
2772	TextInputHost.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Installer\\upfc.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\Windows.Internal.Signals\\lsass.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\makecab\\spoolsv.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Documents and Settings\\TextInputHost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Documents and Settings\\TextInputHost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\SuggestionUI\\TextInputHost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App\\6.0.27\\ko\\sysmon.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\fhcpl\\dwm.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\ServicingUAPI\\dllhost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\Windows.Internal.Signals\\lsass.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App\\6.0.27\\ko\\sysmon.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\makecab\\spoolsv.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\fhcpl\\dwm.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\Installer\\upfc.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\ServicingUAPI\\dllhost.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe

Checks whether UAC is enabled 1 TTPs 36 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\fhcpl\dwm.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\System32\fhcpl\6cb0b6c459d5d3	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\fhcpl\RCXCE8D.tmp	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\ServicingUAPI\dllhost.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\makecab\spoolsv.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\System32\ServicingUAPI\dllhost.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\System32\Windows.Internal.Signals\lsass.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\System32\Windows.Internal.Signals\6203df4a6bafc7	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\fhcpl\dwm.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\Windows.Internal.Signals\RCXD9EC.tmp	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\System32\makecab\spoolsv.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\System32\makecab\f3b6ecef712a24	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\System32\ServicingUAPI\5940a34987c991	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\makecab\RCXCC0B.tmp	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\ServicingUAPI\RCXD7E7.tmp	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\System32\Windows.Internal.Signals\lsass.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\sysmon.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\121e5b5079f7c0	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\RCXDE63.tmp	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\sysmon.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\ea1d8f6d871115	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\RCXD303.tmp	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\Installer\RCXD575.tmp	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File opened for modification	C:\Windows\Installer\upfc.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\22eafd247d37c3	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
File created	C:\Windows\Installer\upfc.exe	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4080	schtasks.exe
2328	schtasks.exe
1776	schtasks.exe
4300	schtasks.exe
2456	schtasks.exe
2248	schtasks.exe
2140	schtasks.exe
4468	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
2264	powershell.exe
2264	powershell.exe
3940	powershell.exe
3940	powershell.exe
4724	powershell.exe
4724	powershell.exe
4032	powershell.exe
2348	powershell.exe
2348	powershell.exe
4032	powershell.exe
3368	powershell.exe
3368	powershell.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
3948	powershell.exe
3948	powershell.exe
632	powershell.exe
632	powershell.exe
1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
3444	powershell.exe
3444	powershell.exe
3940	powershell.exe
632	powershell.exe
2348	powershell.exe
4724	powershell.exe
4032	powershell.exe
2264	powershell.exe
3368	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	336	TextInputHost.exe
Token: SeDebugPrivilege	2248	TextInputHost.exe
Token: SeDebugPrivilege	908	TextInputHost.exe
Token: SeDebugPrivilege	1836	TextInputHost.exe
Token: SeDebugPrivilege	4776	TextInputHost.exe
Token: SeDebugPrivilege	3144	TextInputHost.exe
Token: SeDebugPrivilege	2376	TextInputHost.exe
Token: SeDebugPrivilege	4704	TextInputHost.exe
Token: SeDebugPrivilege	2828	TextInputHost.exe
Token: SeDebugPrivilege	4620	TextInputHost.exe
Token: SeDebugPrivilege	4428	TextInputHost.exe
Token: SeDebugPrivilege	3380	TextInputHost.exe
Token: SeDebugPrivilege	3096	TextInputHost.exe
Token: SeDebugPrivilege	3972	TextInputHost.exe
Token: SeDebugPrivilege	2148	TextInputHost.exe
Token: SeDebugPrivilege	4228	TextInputHost.exe
Token: SeDebugPrivilege	2772	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 3444	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	92
PID 1756 wrote to memory of 3444	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	92
PID 1756 wrote to memory of 3948	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	93
PID 1756 wrote to memory of 3948	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	93
PID 1756 wrote to memory of 1868	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	94
PID 1756 wrote to memory of 1868	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	94
PID 1756 wrote to memory of 4724	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	95
PID 1756 wrote to memory of 4724	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	95
PID 1756 wrote to memory of 3368	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	96
PID 1756 wrote to memory of 3368	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	96
PID 1756 wrote to memory of 2264	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	97
PID 1756 wrote to memory of 2264	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	97
PID 1756 wrote to memory of 3940	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	98
PID 1756 wrote to memory of 3940	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	98
PID 1756 wrote to memory of 632	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	99
PID 1756 wrote to memory of 632	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	99
PID 1756 wrote to memory of 2348	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	100
PID 1756 wrote to memory of 2348	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	100
PID 1756 wrote to memory of 4032	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	101
PID 1756 wrote to memory of 4032	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	101
PID 1756 wrote to memory of 336	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	112
PID 1756 wrote to memory of 336	1756	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe	112
PID 336 wrote to memory of 1312	336	TextInputHost.exe	113
PID 336 wrote to memory of 1312	336	TextInputHost.exe	113
PID 336 wrote to memory of 2600	336	TextInputHost.exe	114
PID 336 wrote to memory of 2600	336	TextInputHost.exe	114
PID 1312 wrote to memory of 2248	1312	WScript.exe	119
PID 1312 wrote to memory of 2248	1312	WScript.exe	119
PID 2248 wrote to memory of 3088	2248	TextInputHost.exe	120
PID 2248 wrote to memory of 3088	2248	TextInputHost.exe	120
PID 2248 wrote to memory of 2280	2248	TextInputHost.exe	121
PID 2248 wrote to memory of 2280	2248	TextInputHost.exe	121
PID 3088 wrote to memory of 908	3088	WScript.exe	124
PID 3088 wrote to memory of 908	3088	WScript.exe	124
PID 908 wrote to memory of 2576	908	TextInputHost.exe	125
PID 908 wrote to memory of 2576	908	TextInputHost.exe	125
PID 908 wrote to memory of 1916	908	TextInputHost.exe	126
PID 908 wrote to memory of 1916	908	TextInputHost.exe	126
PID 2576 wrote to memory of 1836	2576	WScript.exe	127
PID 2576 wrote to memory of 1836	2576	WScript.exe	127
PID 1836 wrote to memory of 3668	1836	TextInputHost.exe	128
PID 1836 wrote to memory of 3668	1836	TextInputHost.exe	128
PID 1836 wrote to memory of 3680	1836	TextInputHost.exe	129
PID 1836 wrote to memory of 3680	1836	TextInputHost.exe	129
PID 3668 wrote to memory of 4776	3668	WScript.exe	132
PID 3668 wrote to memory of 4776	3668	WScript.exe	132
PID 4776 wrote to memory of 456	4776	TextInputHost.exe	133
PID 4776 wrote to memory of 456	4776	TextInputHost.exe	133
PID 4776 wrote to memory of 4920	4776	TextInputHost.exe	134
PID 4776 wrote to memory of 4920	4776	TextInputHost.exe	134
PID 456 wrote to memory of 3144	456	WScript.exe	135
PID 456 wrote to memory of 3144	456	WScript.exe	135
PID 3144 wrote to memory of 5044	3144	TextInputHost.exe	136
PID 3144 wrote to memory of 5044	3144	TextInputHost.exe	136
PID 3144 wrote to memory of 1612	3144	TextInputHost.exe	137
PID 3144 wrote to memory of 1612	3144	TextInputHost.exe	137
PID 5044 wrote to memory of 2376	5044	WScript.exe	138
PID 5044 wrote to memory of 2376	5044	WScript.exe	138
PID 2376 wrote to memory of 3644	2376	TextInputHost.exe	139
PID 2376 wrote to memory of 3644	2376	TextInputHost.exe	139
PID 2376 wrote to memory of 1896	2376	TextInputHost.exe	140
PID 2376 wrote to memory of 1896	2376	TextInputHost.exe	140
PID 3644 wrote to memory of 4704	3644	WScript.exe	141
PID 3644 wrote to memory of 4704	3644	WScript.exe	141

System policy modification 1 TTPs 54 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	TextInputHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe
"C:\Users\Admin\AppData\Local\Temp\a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\makecab\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\fhcpl\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\ServicingUAPI\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Internal.Signals\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:336
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8c254c6-85c7-461e-a9b2-b66124074a75.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
      C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2248
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7345e695-5efc-4f87-af48-278256dd1039.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1de3748-7f37-4cd2-b3a4-eceb540ad4ca.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d12522e3-1268-4f49-9222-3b96c854e39e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\440fdc36-da5c-4285-9e92-f084fc46dfe5.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8520df77-8148-4eac-b75b-383f5236a552.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95c24f7b-b862-4ed3-9593-02e8c6b2fa8c.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e041737b-d2ec-4283-8a7a-a286adf8be37.vbs"
        17⤵
        
        PID:4404
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02d34e65-fdfa-4fa7-980b-a063d0da8acd.vbs"
        19⤵
        
        PID:2656
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6bfc4e6-7949-4171-ba71-52e0dcaaccfc.vbs"
        21⤵
        
        PID:2800
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7086be3-b6e7-4351-ae86-bc75d6d10a65.vbs"
        23⤵
        
        PID:2904
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be56e785-bcdf-4152-8f31-ad9b650690de.vbs"
        25⤵
        
        PID:4140
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2d84334-a48e-4519-96f7-017a35c7c425.vbs"
        27⤵
        
        PID:4392
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826072ac-dc73-482c-9e8d-33fc02ebcdb8.vbs"
        29⤵
        
        PID:860
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71b387d6-bb70-4c15-9201-8dedb68cf93b.vbs"
        31⤵
        
        PID:1396
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40981a85-4c8e-4a6e-93c4-57cca0cc143b.vbs"
        33⤵
        
        PID:4860
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        
        C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe
        34⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c77f261-5d41-48ad-b466-8df702bed3e9.vbs"
        35⤵
        
        PID:3156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7f798cd-e4e8-4488-a807-da5f901b3d3e.vbs"
        35⤵
        
        PID:4028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f86c7f-944a-4e57-847b-d6e07c239235.vbs"
        33⤵
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce2512d2-0e71-424b-b270-dc141009ae5f.vbs"
        31⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3152d30-3401-4186-8321-a0e30c47bb8b.vbs"
        29⤵
        
        PID:624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96e2c002-833e-48c6-b3c0-0947ee65a5f0.vbs"
        27⤵
        
        PID:3372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e192e54-1c57-46c8-8024-d41b83426f41.vbs"
        25⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c08090ea-0bf0-413c-9a35-1e24c00aea3f.vbs"
        23⤵
        
        PID:4264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82959c61-e0e7-4334-b373-809cb08c2044.vbs"
        21⤵
        
        PID:1076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18126187-280d-44da-b65c-2c5a5a863e92.vbs"
        19⤵
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f62896b-1395-437b-a328-96dc8bab19ad.vbs"
        17⤵
        
        PID:244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e28d9848-f530-4ef1-82c5-a89e20c621a9.vbs"
        15⤵
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad5f44f1-76be-4342-ba8a-4ea8d302c753.vbs"
        13⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0ed481b-c82b-4cdd-aa82-09b78595e4fd.vbs"
        11⤵
        
        PID:4920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fef3f65c-205f-445c-a008-c326756c4399.vbs"
        9⤵
        
        PID:3680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75029703-b400-4826-ae10-aff864cb8a72.vbs"
        7⤵
        
        PID:1916
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\115b6e62-f11f-4fe8-a44f-960decb6e0ee.vbs"
        5⤵
        
        PID:2280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1b6a876-9cf7-4059-9adf-eaeb11896acd.vbs"
    3⤵
    PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\makecab\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\fhcpl\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Documents and Settings\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Installer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\ServicingUAPI\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.Signals\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXDC5E.tmp

Filesize
1.5MB

MD5
229689e55c432b804bd4d58955bc508a

SHA1
c98f50934bdcdf2591855dbc4176b1011a209cb8

SHA256
990163e024920067ce74263cdcdde11d27f827932540c2faa0c8802c1e1edde7

SHA512
3f51f780353ce6a20e851bb56785b8d6b02209c44fa14b043536d3340e80d92fcff16c07e93bec3017ac17d6fc403f7ecd281fedc60ecec2ab6301a8921971b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\02d34e65-fdfa-4fa7-980b-a063d0da8acd.vbs

Filesize
779B

MD5
ec8eeedcaa467a1ae1b6f752a8e3faf6

SHA1
0e1436531447df00a5f68f43775b29154b231bdc

SHA256
d551e687f4d55e3b1adba3013f5d63e2152fe184d702792d9247480120e93c93

SHA512
c226ca2a78fa8d41b986b89721e80de9a439eed54d014938594bfc34de4badd3a923186e1d0e38227ec7d4bdf4e75b05741658652869ff70d91bdf0f3811f1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\440fdc36-da5c-4285-9e92-f084fc46dfe5.vbs

Filesize
779B

MD5
4d4bd9bae99c0951f9dd53376b4fe775

SHA1
8ba60a4106f49b672f26f5b0cc5307aada483f3e

SHA256
c238a285afaa85fa32bf3ab76f2bda1f4a9cd0fe16ec1f8f778f0e07970ac498

SHA512
78a851d8d9fad7b879bc5845fd587d3048000a4f4c2e862626bef6f667968bf6ca5baef4078c093025900c86037acc489142b3ecb8152ee5ce206623955a9513

Download Submit
C:\Users\Admin\AppData\Local\Temp\7345e695-5efc-4f87-af48-278256dd1039.vbs

Filesize
779B

MD5
5896e142b6d0672b01ed95efab66a178

SHA1
ea8a79358cea7628783054a59d5ac3b583c6c7d4

SHA256
b4e5c848f5debf221b20d2cdd133823884f3ed816b84661649e693c3d11ce005

SHA512
918a568e92e8c601770e29ecddc730b43faed7f87174e2da0f148b4a0c4ee4a63b29cec2a1509b1e0ecd770bf3f77ef1d1c2e02f81bdcf9f6de4bbdc3a59a9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8520df77-8148-4eac-b75b-383f5236a552.vbs

Filesize
779B

MD5
41354958bd0a4b0113c3c73428f6a434

SHA1
4110f163231bd6877bb18cd600ef33fd0b100efa

SHA256
05b9d28ae9177f73ed06b8cd0be17ccc894bd7aa41648800da0ab797f00c611e

SHA512
0eb7af5711f171ccbb969fe210941f1fd11c98ded7a8242f69bd04b2c62fdceb6533bdf802075712890bc0962abd859454dae45374717dc6c6494b72fec912d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\95c24f7b-b862-4ed3-9593-02e8c6b2fa8c.vbs

Filesize
779B

MD5
e1dd4b84a5f60c4977fe70ea26cfbdeb

SHA1
b84fc20bea9f5e956746700965aa8555cb3e5754

SHA256
314f1cd20ef21f270c0882ceaefca77b0c129085e9910d01297bbfce39dddb9e

SHA512
b25fd293d4c7d475d170c9eb766e280f4343a79f5a6b3a272299c6b56c426ebfd8702e5761ac92c3d3187a52729c6c67ee2d0b5dcfeb960f210e3ad6f41bf634

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dl5nqz4c.urd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8c254c6-85c7-461e-a9b2-b66124074a75.vbs

Filesize
778B

MD5
55d1c5a7baf77879f78e7d8a01665d19

SHA1
e743bddd64ca2a8564872f3500c5d3bb36b0b635

SHA256
0dfbb8ddcef777fb513ef79b93e3f1d308e98fcefe7490274f235f407686af46

SHA512
30d3b15c058794c33ee40ec255c2e968f7b826ab063e7d1ac4930e7fdae4a3f71943b2cfd2901af7988ebf9df0781d67c9337f32ba965d9dcfc64eb23d489bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1b6a876-9cf7-4059-9adf-eaeb11896acd.vbs

Filesize
555B

MD5
db433758bfd6b535ee709c90a6ba1958

SHA1
f3a8a64462a6f451f7cdf90062bf3c71a2711fa6

SHA256
c4baed4314def371d64fab9d4810b41eaedd3242ee7b49fdd17c66126128f44a

SHA512
3c3916a3c96106295eceea600f4bb24f203cd3196448f9f96357d56cb137ce8f72b07516da955d53e78b02ae1e4a12a583cf338b2abd00c439a3fff4144290e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6bfc4e6-7949-4171-ba71-52e0dcaaccfc.vbs

Filesize
779B

MD5
e526850109519100cf37231203e77aff

SHA1
08fbaf30610385821903b53127694ba683c250c9

SHA256
2bf0bf318d97ea93879ac8d795807147418f6c14df0cf0ebe7bae24f4c6304a0

SHA512
a9f5f402f78c06db3c9005ac07343c3d74e3ba89a9b58a9991531c24257b21ec201d4875f4bcef086c15bcaa24297211cf89b46e5ca625066f795e72f893b2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7086be3-b6e7-4351-ae86-bc75d6d10a65.vbs

Filesize
779B

MD5
aaec58fa0dc387e44ca9cb840170fba6

SHA1
bbbc386b38533db8ef05e4a6cb9ff31a1b98b1b2

SHA256
a5c1808ca0c43e705fafd54a26199a60778669fe59dc4a8f2512bc92787c93d0

SHA512
a406644e9b0f7c849d68d7423e965d12da3cbe9dd548d2d42da629ebcfbf42354a8c82bf5bd80b1553e7fb8e692a4eae11579540380466202f736df2fe9a7331

Download Submit
C:\Users\Admin\AppData\Local\Temp\be56e785-bcdf-4152-8f31-ad9b650690de.vbs

Filesize
779B

MD5
ed1960b37712b65a376a155e295eb32b

SHA1
b6491a837f1eda48e8bd2c73a14781f8f15fc627

SHA256
ce1f8f1ae701f6409a6adcf2ffab69031e5ca2c27b5dc87bc478d56c9a265c58

SHA512
922b8780e864efc3785655177a9060416b1abbc35e7e2bb6b5605afec8962bfbfafe2f7b26f6ca8aa76650180378908fb9aa152d06de69141d90eb840ff08aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1de3748-7f37-4cd2-b3a4-eceb540ad4ca.vbs

Filesize
778B

MD5
0f8612847ebf07635403aa3788d24108

SHA1
bb0585a0cbe0287283a23c95bdfee68212c9b79d

SHA256
ab282034bfe7eb7645975b2e59905152c401909931e7d0139801567e12c04041

SHA512
2414bd925df3693b5857e1f19c25fd41bc99a2196219d9512f85e1d1beec94a3aa70fe1636b6293918f92c441fd82c1b8d16b71795261eef1e7f7056fe5a1511

Download Submit
C:\Users\Admin\AppData\Local\Temp\d12522e3-1268-4f49-9222-3b96c854e39e.vbs

Filesize
779B

MD5
ae06839c8a96fab5087b3f74c02b90aa

SHA1
0085a8ef546508c3066086cc34939edbec89703a

SHA256
3a0d532aac639709636958b701162ee73497d145b96694c7fe4832eddd5047c5

SHA512
cc7b22fbb10e38795ca18ca7c052f5677ffd46f4285207074689ea765b4364e466e2353213464dbb7096cc6220b170d8da81d30ead13c8a51641358eaaf17a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\e041737b-d2ec-4283-8a7a-a286adf8be37.vbs

Filesize
779B

MD5
78cd7e0dc2670daaa1321998bafce4cc

SHA1
75bb5ef9faa95fe77c7a3f28cf720f17332adb8f

SHA256
7ed2199e20bde9c52014c6174baa68f7ccb82650635b1c413dd31e6e2f73ddef

SHA512
75113ab491b2683669d0f040f66a9e4224be39e940d0641387d33b187e1b8b93c9f5654ad7b64ab3f45989d0d82aeeddf36bf2c79e0a945ddfeb479c3d32a71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2d84334-a48e-4519-96f7-017a35c7c425.vbs

Filesize
779B

MD5
cd7c42d3a0e82fa7350db65674c0fc72

SHA1
cd3ed8bb88d8f594c784953bccfc36becbd48b8e

SHA256
3094633010686673dc9d677c7f70558966e23fa08f21fd467107b6499864f56c

SHA512
2a9d317008e66869717af9d15a70741db451981be2f7fc9a46748f0cd48f7bec8bfa4377ac2efc9b05b6b7e610f8e0c9aa6015305574c69dea72e781633720f5

Download Submit
C:\Windows\Installer\upfc.exe

Filesize
1.5MB

MD5
e663bacf67d867450934809cff3fd749

SHA1
14fed8278438f7d659341d4642b99667e154d33b

SHA256
a7a6bc6eb9a42d31662bc3b20a5fcde5cbe63b64c48c4fb484ba249baf5b7da4

SHA512
957da6b848aa325dd63bdb65f772daa30b83d3396bb633725765fd8aa2888153cb871b0037768876ad3082885260fb4a5c8a5984391f210ee32eb087d7ff2411

Download Submit
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\SuggestionUI\TextInputHost.exe

Filesize
1.5MB

MD5
b1980a2b33738aa2daff78ebe6217cf1

SHA1
44b89a4f1095ab9114f662b9dacc0b8ce0ebb5ee

SHA256
8d88ac33ffc6290789861483d3db38d8566fde787f7237b767b80a32f5471d9b

SHA512
2faf03f37bbb84b18564461d473e063f1710dcd9e44fc57ed9ce6b672bbbc45244308f6b975c44ca9520480b0297112ebf202ed96cfe80f3cfbe85d4b30e9b21

Download Submit
memory/336-255-0x0000000000AF0000-0x0000000000C6E000-memory.dmp

Filesize
1.5MB

Download
memory/632-171-0x00000163E6490000-0x00000163E64B2000-memory.dmp

Filesize
136KB

Download
memory/1756-15-0x000000001BCD0000-0x000000001BCDA000-memory.dmp

Filesize
40KB

Download
memory/1756-3-0x000000001B4F0000-0x000000001B4F8000-memory.dmp

Filesize
32KB

Download
memory/1756-25-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-24-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-256-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-257-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-21-0x000000001BD20000-0x000000001BD28000-memory.dmp

Filesize
32KB

Download
memory/1756-20-0x000000001BD10000-0x000000001BD1C000-memory.dmp

Filesize
48KB

Download
memory/1756-18-0x000000001BD00000-0x000000001BD08000-memory.dmp

Filesize
32KB

Download
memory/1756-17-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download
memory/1756-16-0x000000001BCE0000-0x000000001BCE8000-memory.dmp

Filesize
32KB

Download
memory/1756-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/1756-14-0x000000001BCC0000-0x000000001BCCC000-memory.dmp

Filesize
48KB

Download
memory/1756-13-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

Filesize
40KB

Download
memory/1756-12-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

Filesize
32KB

Download
memory/1756-11-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/1756-10-0x000000001BC80000-0x000000001BC90000-memory.dmp

Filesize
64KB

Download
memory/1756-1-0x0000000000880000-0x00000000009FE000-memory.dmp

Filesize
1.5MB

Download
memory/1756-9-0x000000001BC70000-0x000000001BC7C000-memory.dmp

Filesize
48KB

Download
memory/1756-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-8-0x000000001BC60000-0x000000001BC68000-memory.dmp

Filesize
32KB

Download
memory/1756-4-0x000000001B500000-0x000000001B512000-memory.dmp

Filesize
72KB

Download
memory/1756-7-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download
memory/1756-6-0x000000001B510000-0x000000001B51A000-memory.dmp

Filesize
40KB

Download
memory/1756-5-0x000000001B630000-0x000000001B63C000-memory.dmp

Filesize
48KB

Download
memory/1756-152-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/2148-435-0x000000001B710000-0x000000001B722000-memory.dmp

Filesize
72KB

Download
memory/2376-348-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/2772-451-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/3096-414-0x0000000003100000-0x0000000003112000-memory.dmp

Filesize
72KB

Download
memory/3144-336-0x0000000002EE0000-0x0000000002EF2000-memory.dmp

Filesize
72KB

Download
memory/3972-426-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/4228-443-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/4776-324-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download