dcrat | e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
Size

1.7MB
MD5

f1aff26566885c339febd3614e9949ce
SHA1

efc83772d697c76241c6f16db92d2a948bd5f3eb
SHA256

e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb
SHA512

7b24d470fc7addba58c287acaecd8945100a202bc748164c7e73f0455eda6cf11c8915973a5d875632cf0756d7db8fae60e34745dabf7d3920be86bfb92d400a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2724	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2724	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/220-1-0x0000000000900000-0x0000000000AC0000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b90-30.dat	dcrat
behavioral2/files/0x0009000000023c00-63.dat	dcrat
behavioral2/files/0x000c000000023baa-192.dat	dcrat
behavioral2/files/0x000200000001e748-216.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3504	powershell.exe
5008	powershell.exe
4132	powershell.exe
2540	powershell.exe
464	powershell.exe
3052	powershell.exe
4664	powershell.exe
1392	powershell.exe
3188	powershell.exe
1340	powershell.exe
3940	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 9 IoCs

pid	Process
4024	TextInputHost.exe
1460	TextInputHost.exe
4564	TextInputHost.exe
4456	TextInputHost.exe
1292	TextInputHost.exe
4992	TextInputHost.exe
872	TextInputHost.exe
1696	TextInputHost.exe
4936	TextInputHost.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\dwm.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\cc11b995f2a76d	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCX6FDB.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\dwm.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX7AB2.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX761B.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX7830.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Security\BrowserCore\0a1fd5f707cd16	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\OfficeClickToRun.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\e6c9b481da804f	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\WindowsPowerShell\6203df4a6bafc7	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX7831.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX7AC3.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\lsass.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Security\BrowserCore\sppsvc.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Crashpad\reports\dwm.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX7D45.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX7D46.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\RCX84FC.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\WindowsPowerShell\lsass.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\22eafd247d37c3	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Crashpad\reports\6cb0b6c459d5d3	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\sppsvc.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX761C.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCX8269.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\winlogon.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files (x86)\Windows Mail\6cb0b6c459d5d3	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCX6FEB.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Crashpad\reports\dwm.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\winlogon.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\OfficeClickToRun.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCX826A.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\RCX847E.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System\29c1c3cc0f7685	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\es-ES\RCX6719.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\Help\mui\0C0A\OfficeClickToRun.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\es-ES\dllhost.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\debug\sppsvc.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\debug\RCX691E.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\debug\RCX691F.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\Help\mui\0C0A\RCX6D49.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\System\RCX71F0.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\System\unsecapp.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\debug\0a1fd5f707cd16	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\es-ES\RCX667C.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\debug\sppsvc.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\Help\mui\0C0A\RCX6DC7.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\es-ES\dllhost.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\System\unsecapp.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\Help\mui\0C0A\e6c9b481da804f	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\System\RCX71F1.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\es-ES\5940a34987c991	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\Help\mui\0C0A\OfficeClickToRun.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3856	schtasks.exe
2656	schtasks.exe
2836	schtasks.exe
3476	schtasks.exe
1096	schtasks.exe
4436	schtasks.exe
1784	schtasks.exe
3872	schtasks.exe
3164	schtasks.exe
4524	schtasks.exe
3092	schtasks.exe
4316	schtasks.exe
1128	schtasks.exe
4828	schtasks.exe
2196	schtasks.exe
396	schtasks.exe
4004	schtasks.exe
936	schtasks.exe
1104	schtasks.exe
3556	schtasks.exe
4540	schtasks.exe
1372	schtasks.exe
2304	schtasks.exe
928	schtasks.exe
1896	schtasks.exe
4328	schtasks.exe
64	schtasks.exe
384	schtasks.exe
2168	schtasks.exe
3464	schtasks.exe
4596	schtasks.exe
1924	schtasks.exe
1088	schtasks.exe
1816	schtasks.exe
1608	schtasks.exe
3000	schtasks.exe
4224	schtasks.exe
4576	schtasks.exe
1900	schtasks.exe
1020	schtasks.exe
4484	schtasks.exe
4684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
4132	powershell.exe
4132	powershell.exe
2540	powershell.exe
2540	powershell.exe
5008	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	4024	TextInputHost.exe
Token: SeDebugPrivilege	1460	TextInputHost.exe
Token: SeDebugPrivilege	4564	TextInputHost.exe
Token: SeDebugPrivilege	4456	TextInputHost.exe
Token: SeDebugPrivilege	1292	TextInputHost.exe
Token: SeDebugPrivilege	4992	TextInputHost.exe
Token: SeDebugPrivilege	872	TextInputHost.exe
Token: SeDebugPrivilege	1696	TextInputHost.exe
Token: SeDebugPrivilege	4936	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3940	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	127
PID 220 wrote to memory of 3940	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	127
PID 220 wrote to memory of 3504	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	128
PID 220 wrote to memory of 3504	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	128
PID 220 wrote to memory of 4664	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	129
PID 220 wrote to memory of 4664	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	129
PID 220 wrote to memory of 3052	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	130
PID 220 wrote to memory of 3052	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	130
PID 220 wrote to memory of 464	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	131
PID 220 wrote to memory of 464	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	131
PID 220 wrote to memory of 4132	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	132
PID 220 wrote to memory of 4132	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	132
PID 220 wrote to memory of 2540	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	133
PID 220 wrote to memory of 2540	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	133
PID 220 wrote to memory of 1340	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	134
PID 220 wrote to memory of 1340	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	134
PID 220 wrote to memory of 5008	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	135
PID 220 wrote to memory of 5008	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	135
PID 220 wrote to memory of 3188	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	136
PID 220 wrote to memory of 3188	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	136
PID 220 wrote to memory of 1392	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	137
PID 220 wrote to memory of 1392	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	137
PID 220 wrote to memory of 4024	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	149
PID 220 wrote to memory of 4024	220	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	149
PID 4024 wrote to memory of 3600	4024	TextInputHost.exe	153
PID 4024 wrote to memory of 3600	4024	TextInputHost.exe	153
PID 4024 wrote to memory of 1428	4024	TextInputHost.exe	154
PID 4024 wrote to memory of 1428	4024	TextInputHost.exe	154
PID 3600 wrote to memory of 1460	3600	WScript.exe	164
PID 3600 wrote to memory of 1460	3600	WScript.exe	164
PID 1460 wrote to memory of 4832	1460	TextInputHost.exe	166
PID 1460 wrote to memory of 4832	1460	TextInputHost.exe	166
PID 1460 wrote to memory of 5052	1460	TextInputHost.exe	167
PID 1460 wrote to memory of 5052	1460	TextInputHost.exe	167
PID 4832 wrote to memory of 4564	4832	WScript.exe	170
PID 4832 wrote to memory of 4564	4832	WScript.exe	170
PID 4564 wrote to memory of 2068	4564	TextInputHost.exe	172
PID 4564 wrote to memory of 2068	4564	TextInputHost.exe	172
PID 4564 wrote to memory of 1180	4564	TextInputHost.exe	173
PID 4564 wrote to memory of 1180	4564	TextInputHost.exe	173
PID 2068 wrote to memory of 4456	2068	WScript.exe	174
PID 2068 wrote to memory of 4456	2068	WScript.exe	174
PID 4456 wrote to memory of 4372	4456	TextInputHost.exe	176
PID 4456 wrote to memory of 4372	4456	TextInputHost.exe	176
PID 4456 wrote to memory of 3812	4456	TextInputHost.exe	177
PID 4456 wrote to memory of 3812	4456	TextInputHost.exe	177
PID 4372 wrote to memory of 1292	4372	WScript.exe	178
PID 4372 wrote to memory of 1292	4372	WScript.exe	178
PID 1292 wrote to memory of 1744	1292	TextInputHost.exe	180
PID 1292 wrote to memory of 1744	1292	TextInputHost.exe	180
PID 1292 wrote to memory of 2560	1292	TextInputHost.exe	181
PID 1292 wrote to memory of 2560	1292	TextInputHost.exe	181
PID 1744 wrote to memory of 4992	1744	WScript.exe	182
PID 1744 wrote to memory of 4992	1744	WScript.exe	182
PID 4992 wrote to memory of 936	4992	TextInputHost.exe	184
PID 4992 wrote to memory of 936	4992	TextInputHost.exe	184
PID 4992 wrote to memory of 368	4992	TextInputHost.exe	185
PID 4992 wrote to memory of 368	4992	TextInputHost.exe	185
PID 936 wrote to memory of 872	936	WScript.exe	186
PID 936 wrote to memory of 872	936	WScript.exe	186
PID 872 wrote to memory of 4004	872	TextInputHost.exe	188
PID 872 wrote to memory of 4004	872	TextInputHost.exe	188
PID 872 wrote to memory of 1424	872	TextInputHost.exe	189
PID 872 wrote to memory of 1424	872	TextInputHost.exe	189

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
"C:\Users\Admin\AppData\Local\Temp\e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
  "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6e55e9d-88c3-4ead-a872-48c28f49c722.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
      "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a510da-389b-47f7-96f9-7b4c6e24499c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87ac47cf-c0b4-463c-a2b7-fc0a455206c3.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5709e329-cf3a-43ac-9980-d9f2a4675a27.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbba1845-054d-4cdd-80e4-2264c02eb43a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7b5a098-685a-4601-b625-e6399d88962b.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb7f0be7-cab0-425c-8a94-3456736a6a5b.vbs"
        15⤵
        
        PID:4004
        
        C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd6e09b0-532a-48d2-b4fb-056fa341d397.vbs"
        17⤵
        
        PID:3396
        
        C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe
        
        "C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b501be7-35e8-4f59-b559-71a170c66c37.vbs"
        19⤵
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7870aca-e774-4169-a5e0-cc05dc0798fd.vbs"
        19⤵
        
        PID:4496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38eef70f-d045-423a-ab3c-8f1584bb24a9.vbs"
        17⤵
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb141e5b-73de-4758-99bb-bf7ec51efb32.vbs"
        15⤵
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3a71b14-2926-475c-8b9b-22007fa5403f.vbs"
        13⤵
        
        PID:368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5060719e-bd0d-48a8-80c1-725ae5f581d8.vbs"
        11⤵
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc682feb-3cdb-4f20-b3c8-dc35a0d472bd.vbs"
        9⤵
        
        PID:3812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70432829-0527-463e-9405-3d040415901a.vbs"
        7⤵
        
        PID:1180
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b01fcf5-f679-452a-aa85-a7e128b58274.vbs"
        5⤵
        
        PID:5052
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4913b6fa-ae80-4adb-bb02-61578f0ca983.vbs"
    3⤵
    PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\debug\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\0C0A\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Help\mui\0C0A\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\mui\0C0A\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\System\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\System\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\reports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\uk-UA\winlogon.exe

Filesize
1.7MB

MD5
cd71119d4f63f69913f221af5cee4a26

SHA1
3fa1080d44c5b283b10708532d3f3871cdd5ea83

SHA256
bee8d1e3655a334f59f6f9078b3f716b8749b2fa26c44f1bef2366a1b10cb5ba

SHA512
d0dc0704f2a1aef52329d34606fad9fa3e97106ed7fc0483be5bdd5de56a99dc212b162e72d471f205bcbe9f477975ae9e7f4f89996db7cee2cf7684a81efa22

Download Submit
C:\Program Files\Windows Security\BrowserCore\sppsvc.exe

Filesize
1.7MB

MD5
f1aff26566885c339febd3614e9949ce

SHA1
efc83772d697c76241c6f16db92d2a948bd5f3eb

SHA256
e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb

SHA512
7b24d470fc7addba58c287acaecd8945100a202bc748164c7e73f0455eda6cf11c8915973a5d875632cf0756d7db8fae60e34745dabf7d3920be86bfb92d400a

Download Submit
C:\Recovery\WindowsRE\RCX7FD8.tmp

Filesize
1.7MB

MD5
b58b55d04aed1f35572d8f3e56dad0e7

SHA1
43d00a7cdcdc75c74400793dc71bc4b207ed9b94

SHA256
76a9f59169a95c5789cf69f0b7a3f2bc1131cd6564426dcfddd795b3b51daa43

SHA512
b6a8ed4b0bbc3d9a7952dfa92fbf9a468eb83489872ff34b64e73b5c3a6caaef70aef7d4a6480dc553db88a17677e47e394a65e14dfa6afcd94cbbb7dd6b5a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\4913b6fa-ae80-4adb-bb02-61578f0ca983.vbs

Filesize
521B

MD5
f9ad0e1af908a7009984496090802e36

SHA1
89d6c4062a2771bcfafee73c2625f3807b8329a3

SHA256
7bf908071ad735adf942d8bf788d51805e9a2fcbad74291d8d5803351fcf78a6

SHA512
90b7d5d19d5c13e9215703c05e01436c9fcd1c1affa4e270f2e54414b513459b94fe466ef58b6824baed8d65991f08f40ccbdb30fd7f2dcc3ccb59e7466914a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5709e329-cf3a-43ac-9980-d9f2a4675a27.vbs

Filesize
745B

MD5
d21f27c0673ccbfcd1f706b8b27d6262

SHA1
c5caea5bbf5c914e7694990d0413f0db5d6ae56b

SHA256
0fe6db21a5efe08492f735ffb16f0ba9fc1be1531ceff2e67efa821948db63a9

SHA512
e78cc862ccabd84628f2bf8ec915167c6f74cf3ce3eaf631293f59c274f6fec51dda7c5fedba5737c9807736094377ddb50cd1f79d796694a0037caa2863bacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\87ac47cf-c0b4-463c-a2b7-fc0a455206c3.vbs

Filesize
745B

MD5
25da20f6fffa29f9fe5694206e60421e

SHA1
5ac932e5f0c7cf077ad42d09308233c87849b272

SHA256
3212af5ea1ef0e46f1f5ae6e62b1c7db894a2253f166c16de58638ba3b0b0a24

SHA512
e07f801ba747a5b9c152a10d9e24df7ddd7335a9a30dd1f46ab444ad72c26b29e5e1bb6b3e7c4caf187d87cd04aa5a58bd106b749199012485a6418fb476a913

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b501be7-35e8-4f59-b559-71a170c66c37.vbs

Filesize
745B

MD5
31f248a9e696192896b18f5b2b59bd3f

SHA1
cbb9ecab1ce7f32f191ef868b03b152655afe540

SHA256
57ef6d27d7b3b3c5bf7cb252ba45a7f4f8c49968ac1d8b356376533693a19f18

SHA512
f6dff7379eae3930ce31bdf52532248ad442a2ca1141dd43e21f23e7d1bdb1c67dbc1eaa2e0ba3a949662cdab25af8ff4efcf0814509e6fd6d2decc7bc224363

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1imfy2ne.1y5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6e55e9d-88c3-4ead-a872-48c28f49c722.vbs

Filesize
745B

MD5
32b22633139197459d5855a71bdb6f6e

SHA1
f43b1e88806da1aa1bf81abfd20dc4d432fa83d3

SHA256
bba5480813efa8c8f248ec588d35083f2288d1c7d6735b9bd3557cda22f2f471

SHA512
a48b2a1b9c77f61bfc1693a6ec9d446a8299c657bf14bbacfe25e4caba573db068380bbc5afa1018c2485622a3e329f4f33ba71b7306964ed809b370c5bc4cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7b5a098-685a-4601-b625-e6399d88962b.vbs

Filesize
745B

MD5
43be68d521014dfa12d9994c675f4f3f

SHA1
2ae4e3b4a6a02c89292c03dcacdca77ae58a5b8c

SHA256
ea916903a761314067a02a816e2c7f399ee8a4e25b8925c5726d71f0e1fa2e0d

SHA512
e007b19305d234d98ce0edc70a6e9ca5863293cd6eb8c9034f9e60c0463c83314f8dae499f93331e4a4d591fd2f10201e95dd87fd07071ad0e16666dc83a03a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb7f0be7-cab0-425c-8a94-3456736a6a5b.vbs

Filesize
744B

MD5
69cbdfba5d99541bdcd502cc54dc0a21

SHA1
d3829abb41defcb401de2271d6505aa0ce20b8b1

SHA256
8da06fa65c977256fbd5e88b2fed14071db5648591b9d6ee8b31de3f7e64eae9

SHA512
6e33384693a6ef6dc6c0a5e4e51b6d516fafa4a1f1fe626dc078c0ae1d57eed1210c0653dfe1fda7fff555e4c764f87980568e89618833eb58f941b4abffa1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbba1845-054d-4cdd-80e4-2264c02eb43a.vbs

Filesize
745B

MD5
72d902f69701ec9c321b0a47cd2700f1

SHA1
4a9b16983836210f9376a51471126e3b82f97b95

SHA256
80ecc41052a9f4ffbdf107e0be80b4757a5a868d10768f6d8242bece8795d55a

SHA512
9fc6cc2cbf4118eea86fc2e57456bdd113f68f6e5de7ef1c12f73b7b99c9bdba1888ab979f8c54933e76d7f8ab0e14527ebfe7741659d4496ddf5944221a4b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd6e09b0-532a-48d2-b4fb-056fa341d397.vbs

Filesize
745B

MD5
2616b3978b93fc3aa0430e3b0e50a346

SHA1
c70fab78701fc0e36b87673cfffc9b2e2b71d9d8

SHA256
4d4402cf375bf2b58f08198e6134841330c5692e9f67e0c5ef1103568b69b500

SHA512
d08082a939d98be1d05bc51367c4ad3e62fe30abe0558accacfa8ce46822698b5e5f8f7bef057aae2fad48a1d9d407dc6316c1c0f9ef316f810b74721c8cddce

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3a510da-389b-47f7-96f9-7b4c6e24499c.vbs

Filesize
745B

MD5
0562ba11ed370594f0eaf209efa0207f

SHA1
34717d2603ea980e1e0dfbbcfcd9188acbf6ba90

SHA256
3699cc39e51e2fa07b36df5b2f50a43b0db489acb44ea4b4c3362d8a6366b58b

SHA512
b83840e1fda8b5186bf472f5507efdf1ef27cc380d258ced2e4a07bd71961333f963d9b64e09dd88ed760118999436439cb45ba40c865ad203a4b39e3a15b9df

Download Submit
C:\Windows\es-ES\dllhost.exe

Filesize
1.7MB

MD5
640572d924550ee72c3ac9adf951c208

SHA1
0db982ff839aa0658cee981f5bcc055d0b2f9d50

SHA256
8cc8f31da9bc1b4381f4184aec3557f0bb9d6638eab1db87be95c6d412cafcde

SHA512
04530fc19181b46b347ebb1100f5764080d92b0ab014457482b7ae2191148f41c6240975c1a0c3c62d9d10e9687e04209f804b6a97a143b7bc3609932b941937

Download Submit
memory/220-13-0x000000001C320000-0x000000001C848000-memory.dmp

Filesize
5.2MB

Download
memory/220-18-0x000000001C020000-0x000000001C02C000-memory.dmp

Filesize
48KB

Download
memory/220-160-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp

Filesize
8KB

Download
memory/220-195-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/220-23-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/220-219-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/220-1-0x0000000000900000-0x0000000000AC0000-memory.dmp

Filesize
1.8MB

Download
memory/220-22-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/220-380-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/220-2-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/220-19-0x000000001C030000-0x000000001C03C000-memory.dmp

Filesize
48KB

Download
memory/220-16-0x000000001BF00000-0x000000001BF0E000-memory.dmp

Filesize
56KB

Download
memory/220-17-0x000000001BF10000-0x000000001BF18000-memory.dmp

Filesize
32KB

Download
memory/220-172-0x00007FFDC4010000-0x00007FFDC4AD1000-memory.dmp

Filesize
10.8MB

Download
memory/220-15-0x000000001BEF0000-0x000000001BEFA000-memory.dmp

Filesize
40KB

Download
memory/220-14-0x000000001BD70000-0x000000001BD7C000-memory.dmp

Filesize
48KB

Download
memory/220-0-0x00007FFDC4013000-0x00007FFDC4015000-memory.dmp

Filesize
8KB

Download
memory/220-12-0x000000001BD60000-0x000000001BD72000-memory.dmp

Filesize
72KB

Download
memory/220-10-0x000000001BD50000-0x000000001BD58000-memory.dmp

Filesize
32KB

Download
memory/220-9-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/220-7-0x000000001BD30000-0x000000001BD46000-memory.dmp

Filesize
88KB

Download
memory/220-8-0x000000001B5F0000-0x000000001B600000-memory.dmp

Filesize
64KB

Download
memory/220-6-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

Filesize
64KB

Download
memory/220-5-0x0000000002D50000-0x0000000002D58000-memory.dmp

Filesize
32KB

Download
memory/220-4-0x000000001BD80000-0x000000001BDD0000-memory.dmp

Filesize
320KB

Download
memory/220-3-0x000000001B5C0000-0x000000001B5DC000-memory.dmp

Filesize
112KB

Download
memory/4024-381-0x000000001B370000-0x000000001B382000-memory.dmp

Filesize
72KB

Download
memory/4132-274-0x00000235E5190000-0x00000235E51B2000-memory.dmp

Filesize
136KB

Download