dcrat | d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c

Analysis

max time kernel
1800s
max time network
1800s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-06-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Njrat.exe
Size

3.1MB
MD5

7bbb27a3b9ace5f7d403ba8d6ef58d28
SHA1

5effbe830a93770824ee60f65eac790dda1ee807
SHA256

d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c
SHA512

32774b5efc9a4c771ed74cb59d6e4221d4cfb92e05d18cf9d3ad53b957005cce84892ef9e563d2c4c932127dac595394e23d8bc3e2a6ab3a654acef5e24e0327
SSDEEP

49152:VbA3GVZoGDweuD4gWA7evLcjM3wwwZHFXIJ5nDWhVGUwwB3SNZts8zOqhsg:VbZDweuD4rcH9Vl65Dac7ssNj

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat 59 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1668	schtasks.exe
		772	schtasks.exe
		3240	schtasks.exe
		812	schtasks.exe
		4280	schtasks.exe
		4160	schtasks.exe
		1108	schtasks.exe
		4480	schtasks.exe
		1500	schtasks.exe
		2800	schtasks.exe
		2096	schtasks.exe
		3900	schtasks.exe
		1012	schtasks.exe
		972	schtasks.exe
		2716	schtasks.exe
		4764	schtasks.exe
		3136	schtasks.exe
		4704	schtasks.exe
		4692	schtasks.exe
		4184	schtasks.exe
		820	schtasks.exe
		4264	schtasks.exe
		4404	schtasks.exe
		1508	schtasks.exe
		3400	schtasks.exe
		4368	schtasks.exe
		2020	schtasks.exe
		1496	schtasks.exe
		4720	schtasks.exe
		1488	schtasks.exe
		3064	schtasks.exe
		4376	schtasks.exe
		5104	schtasks.exe
		4472	schtasks.exe
		3084	schtasks.exe
		3852	schtasks.exe
		4512	schtasks.exe
		2540	schtasks.exe
		4112	schtasks.exe
		4676	schtasks.exe
		1112	schtasks.exe
		1912	schtasks.exe
		2056	schtasks.exe
		2956	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings		Njrat.exe
		4732	schtasks.exe
		4216	schtasks.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\121e5b5079f7c0		Hyperblockport.exe
		4836	schtasks.exe
		2700	schtasks.exe
		4492	schtasks.exe
		2884	schtasks.exe
		4256	schtasks.exe
		1504	schtasks.exe
		684	schtasks.exe
		4268	schtasks.exe
		4452	schtasks.exe
		740	schtasks.exe
		4572	schtasks.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4328	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4328	schtasks.exe	78

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001ac2a-11.dat	dcrat
behavioral2/memory/428-14-0x00000000002F0000-0x00000000005D2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
512	powershell.exe
2372	powershell.exe
392	powershell.exe
2820	powershell.exe
4824	powershell.exe
4544	powershell.exe
4252	powershell.exe
4516	powershell.exe
4020	powershell.exe
4464	powershell.exe
224	powershell.exe
212	powershell.exe

Executes dropped EXE 36 IoCs

pid	Process
428	Hyperblockport.exe
2792	spoolsv.exe
1184	conhost.exe
236	spoolsv.exe
2536	sihost.exe
2080	explorer.exe
1564	Hyperblockport.exe
5104	ApplicationFrameHost.exe
1184	conhost.exe
1972	OfficeClickToRun.exe
400	lsass.exe
3400	spoolsv.exe
3140	sihost.exe
4988	explorer.exe
3052	sysmon.exe
748	csrss.exe
264	dllhost.exe
2732	fontdrvhost.exe
4652	Hyperblockport.exe
1964	ApplicationFrameHost.exe
1940	conhost.exe
1924	spoolsv.exe
4100	sihost.exe
1624	explorer.exe
3548	Hyperblockport.exe
3628	conhost.exe
3224	OfficeClickToRun.exe
1992	lsass.exe
2988	ApplicationFrameHost.exe
4016	sysmon.exe
3272	spoolsv.exe
2532	csrss.exe
5028	sihost.exe
3568	explorer.exe
2736	fontdrvhost.exe
1336	dllhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
6	ipinfo.io

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\121e5b5079f7c0	Hyperblockport.exe
File created	C:\Program Files (x86)\WindowsPowerShell\dllhost.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	Hyperblockport.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe	Hyperblockport.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe	Hyperblockport.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\f3b6ecef712a24	Hyperblockport.exe
File created	C:\Program Files (x86)\WindowsPowerShell\5940a34987c991	Hyperblockport.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\088424020bedd6	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991	Hyperblockport.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\7a0fd90576e088	Hyperblockport.exe
File created	C:\Windows\Fonts\Hyperblockport.exe	Hyperblockport.exe
File created	C:\Windows\Fonts\135ba931e661b8	Hyperblockport.exe
File created	C:\Windows\CSC\cmd.exe	Hyperblockport.exe
File created	C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe	Hyperblockport.exe
File created	C:\Windows\Resources\fontdrvhost.exe	Hyperblockport.exe
File created	C:\Windows\Resources\5b884080fd4f94	Hyperblockport.exe
File created	C:\Windows\LiveKernelReports\sihost.exe	Hyperblockport.exe
File created	C:\Windows\LiveKernelReports\66fc9ff0ee96c2	Hyperblockport.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	Njrat.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
820	schtasks.exe
1112	schtasks.exe
4268	schtasks.exe
4280	schtasks.exe
2020	schtasks.exe
4572	schtasks.exe
684	schtasks.exe
4720	schtasks.exe
812	schtasks.exe
3064	schtasks.exe
4368	schtasks.exe
2540	schtasks.exe
3084	schtasks.exe
4512	schtasks.exe
1488	schtasks.exe
772	schtasks.exe
972	schtasks.exe
1668	schtasks.exe
4836	schtasks.exe
2096	schtasks.exe
4676	schtasks.exe
4256	schtasks.exe
4732	schtasks.exe
1500	schtasks.exe
3240	schtasks.exe
4404	schtasks.exe
4216	schtasks.exe
3900	schtasks.exe
4492	schtasks.exe
3852	schtasks.exe
3400	schtasks.exe
4160	schtasks.exe
4472	schtasks.exe
4764	schtasks.exe
5104	schtasks.exe
2700	schtasks.exe
2884	schtasks.exe
4264	schtasks.exe
4452	schtasks.exe
2056	schtasks.exe
4184	schtasks.exe
4376	schtasks.exe
1108	schtasks.exe
4704	schtasks.exe
2956	schtasks.exe
1504	schtasks.exe
1496	schtasks.exe
2716	schtasks.exe
1012	schtasks.exe
740	schtasks.exe
4692	schtasks.exe
1912	schtasks.exe
3136	schtasks.exe
2800	schtasks.exe
1508	schtasks.exe
4480	schtasks.exe
4112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
428	Hyperblockport.exe
4252	powershell.exe
4252	powershell.exe
4516	powershell.exe
4516	powershell.exe
4824	powershell.exe
4824	powershell.exe
4252	powershell.exe
2372	powershell.exe
2372	powershell.exe
392	powershell.exe
392	powershell.exe
224	powershell.exe
224	powershell.exe
4544	powershell.exe
4544	powershell.exe
4020	powershell.exe
4020	powershell.exe
4464	powershell.exe
4464	powershell.exe
4824	powershell.exe
392	powershell.exe
512	powershell.exe
512	powershell.exe
2820	powershell.exe
2820	powershell.exe
4252	powershell.exe
212	powershell.exe
212	powershell.exe
4464	powershell.exe
4824	powershell.exe
392	powershell.exe
4516	powershell.exe
2372	powershell.exe
224	powershell.exe
512	powershell.exe
4544	powershell.exe
2820	powershell.exe
4020	powershell.exe
212	powershell.exe
2372	powershell.exe
2792	spoolsv.exe
2792	spoolsv.exe
2792	spoolsv.exe
4464	powershell.exe
2792	spoolsv.exe
4516	powershell.exe
2792	spoolsv.exe
2792	spoolsv.exe
512	powershell.exe
224	powershell.exe
2820	powershell.exe
4020	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	Hyperblockport.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	2792	spoolsv.exe
Token: SeIncreaseQuotaPrivilege	4252	powershell.exe
Token: SeSecurityPrivilege	4252	powershell.exe
Token: SeTakeOwnershipPrivilege	4252	powershell.exe
Token: SeLoadDriverPrivilege	4252	powershell.exe
Token: SeSystemProfilePrivilege	4252	powershell.exe
Token: SeSystemtimePrivilege	4252	powershell.exe
Token: SeProfSingleProcessPrivilege	4252	powershell.exe
Token: SeIncBasePriorityPrivilege	4252	powershell.exe
Token: SeCreatePagefilePrivilege	4252	powershell.exe
Token: SeBackupPrivilege	4252	powershell.exe
Token: SeRestorePrivilege	4252	powershell.exe
Token: SeShutdownPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeSystemEnvironmentPrivilege	4252	powershell.exe
Token: SeRemoteShutdownPrivilege	4252	powershell.exe
Token: SeUndockPrivilege	4252	powershell.exe
Token: SeManageVolumePrivilege	4252	powershell.exe
Token: 33	4252	powershell.exe
Token: 34	4252	powershell.exe
Token: 35	4252	powershell.exe
Token: 36	4252	powershell.exe
Token: SeIncreaseQuotaPrivilege	392	powershell.exe
Token: SeSecurityPrivilege	392	powershell.exe
Token: SeTakeOwnershipPrivilege	392	powershell.exe
Token: SeLoadDriverPrivilege	392	powershell.exe
Token: SeSystemProfilePrivilege	392	powershell.exe
Token: SeSystemtimePrivilege	392	powershell.exe
Token: SeProfSingleProcessPrivilege	392	powershell.exe
Token: SeIncBasePriorityPrivilege	392	powershell.exe
Token: SeCreatePagefilePrivilege	392	powershell.exe
Token: SeBackupPrivilege	392	powershell.exe
Token: SeRestorePrivilege	392	powershell.exe
Token: SeShutdownPrivilege	392	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeSystemEnvironmentPrivilege	392	powershell.exe
Token: SeRemoteShutdownPrivilege	392	powershell.exe
Token: SeUndockPrivilege	392	powershell.exe
Token: SeManageVolumePrivilege	392	powershell.exe
Token: 33	392	powershell.exe
Token: 34	392	powershell.exe
Token: 35	392	powershell.exe
Token: 36	392	powershell.exe
Token: SeIncreaseQuotaPrivilege	4824	powershell.exe
Token: SeSecurityPrivilege	4824	powershell.exe
Token: SeTakeOwnershipPrivilege	4824	powershell.exe
Token: SeLoadDriverPrivilege	4824	powershell.exe
Token: SeSystemProfilePrivilege	4824	powershell.exe
Token: SeSystemtimePrivilege	4824	powershell.exe
Token: SeProfSingleProcessPrivilege	4824	powershell.exe
Token: SeIncBasePriorityPrivilege	4824	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2792	spoolsv.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 1916	204	Njrat.exe	74
PID 204 wrote to memory of 1916	204	Njrat.exe	74
PID 204 wrote to memory of 1916	204	Njrat.exe	74
PID 1916 wrote to memory of 1292	1916	WScript.exe	75
PID 1916 wrote to memory of 1292	1916	WScript.exe	75
PID 1916 wrote to memory of 1292	1916	WScript.exe	75
PID 1292 wrote to memory of 428	1292	cmd.exe	77
PID 1292 wrote to memory of 428	1292	cmd.exe	77
PID 428 wrote to memory of 4544	428	Hyperblockport.exe	136
PID 428 wrote to memory of 4544	428	Hyperblockport.exe	136
PID 428 wrote to memory of 4252	428	Hyperblockport.exe	137
PID 428 wrote to memory of 4252	428	Hyperblockport.exe	137
PID 428 wrote to memory of 4516	428	Hyperblockport.exe	138
PID 428 wrote to memory of 4516	428	Hyperblockport.exe	138
PID 428 wrote to memory of 4020	428	Hyperblockport.exe	139
PID 428 wrote to memory of 4020	428	Hyperblockport.exe	139
PID 428 wrote to memory of 512	428	Hyperblockport.exe	140
PID 428 wrote to memory of 512	428	Hyperblockport.exe	140
PID 428 wrote to memory of 4464	428	Hyperblockport.exe	141
PID 428 wrote to memory of 4464	428	Hyperblockport.exe	141
PID 428 wrote to memory of 2372	428	Hyperblockport.exe	142
PID 428 wrote to memory of 2372	428	Hyperblockport.exe	142
PID 428 wrote to memory of 224	428	Hyperblockport.exe	143
PID 428 wrote to memory of 224	428	Hyperblockport.exe	143
PID 428 wrote to memory of 392	428	Hyperblockport.exe	144
PID 428 wrote to memory of 392	428	Hyperblockport.exe	144
PID 428 wrote to memory of 2820	428	Hyperblockport.exe	145
PID 428 wrote to memory of 2820	428	Hyperblockport.exe	145
PID 428 wrote to memory of 212	428	Hyperblockport.exe	146
PID 428 wrote to memory of 212	428	Hyperblockport.exe	146
PID 428 wrote to memory of 4824	428	Hyperblockport.exe	147
PID 428 wrote to memory of 4824	428	Hyperblockport.exe	147
PID 428 wrote to memory of 2792	428	Hyperblockport.exe	160
PID 428 wrote to memory of 2792	428	Hyperblockport.exe	160
PID 2792 wrote to memory of 3860	2792	spoolsv.exe	162
PID 2792 wrote to memory of 3860	2792	spoolsv.exe	162
PID 2792 wrote to memory of 640	2792	spoolsv.exe	163
PID 2792 wrote to memory of 640	2792	spoolsv.exe	163

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Njrat.exe
"C:\Users\Admin\AppData\Local\Temp\Njrat.exe"
1⤵
- DcRat
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containerperf\9nepdzd6Yg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\containerperf\Hyperblockport.exe
      "C:\containerperf\Hyperblockport.exe"
      4⤵
      DcRat
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2792
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8525e66e-4c0c-40ce-92d4-5c2759a20bad.vbs"
        6⤵
        
        PID:3860
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a19c8261-ce6d-4944-ad13-c1f54fc2a012.vbs"
        6⤵
        
        PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Resources\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperblockportH" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\Hyperblockport.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Hyperblockport" /sc ONLOGON /tr "'C:\Windows\Fonts\Hyperblockport.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperblockportH" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\Hyperblockport.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\containerperf\ApplicationFrameHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\containerperf\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\containerperf\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\containerperf\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\containerperf\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\containerperf\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\containerperf\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\containerperf\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\containerperf\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\containerperf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\containerperf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2188

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
"C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe"
1⤵
- Executes dropped EXE
PID:1184

C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe
"C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe"
1⤵
- Executes dropped EXE
PID:236

C:\Users\Default\Favorites\sihost.exe
C:\Users\Default\Favorites\sihost.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\Fonts\Hyperblockport.exe
C:\Windows\Fonts\Hyperblockport.exe
1⤵
- Executes dropped EXE
PID:1564

C:\containerperf\ApplicationFrameHost.exe
C:\containerperf\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
"C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe"
1⤵
- Executes dropped EXE
PID:1184

C:\containerperf\OfficeClickToRun.exe
C:\containerperf\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Recovery\WindowsRE\lsass.exe
C:\Recovery\WindowsRE\lsass.exe
1⤵
- Executes dropped EXE
PID:400

C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe
"C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe"
1⤵
- Executes dropped EXE
PID:3400

C:\Users\Default\Favorites\sihost.exe
C:\Users\Default\Favorites\sihost.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe
"C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe"
1⤵
- Executes dropped EXE
PID:3052

C:\containerperf\csrss.exe
C:\containerperf\csrss.exe
1⤵
- Executes dropped EXE
PID:748

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe
"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe"
1⤵
- Executes dropped EXE
PID:264

C:\Windows\Fonts\Hyperblockport.exe
C:\Windows\Fonts\Hyperblockport.exe
1⤵
- Executes dropped EXE
PID:4652

C:\containerperf\ApplicationFrameHost.exe
C:\containerperf\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
PID:1964

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
"C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe"
1⤵
- Executes dropped EXE
PID:1940

C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe
"C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Users\Default\Favorites\sihost.exe
C:\Users\Default\Favorites\sihost.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\Fonts\Hyperblockport.exe
C:\Windows\Fonts\Hyperblockport.exe
1⤵
- Executes dropped EXE
PID:3548

C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
"C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe"
1⤵
- Executes dropped EXE
PID:3628

C:\containerperf\OfficeClickToRun.exe
C:\containerperf\OfficeClickToRun.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Recovery\WindowsRE\lsass.exe
C:\Recovery\WindowsRE\lsass.exe
1⤵
- Executes dropped EXE
PID:1992

C:\containerperf\ApplicationFrameHost.exe
C:\containerperf\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe
"C:\Program Files (x86)\Windows Mail\en-US\sysmon.exe"
1⤵
- Executes dropped EXE
PID:4016

C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe
"C:\Program Files\VideoLAN\VLC\plugins\packetizer\spoolsv.exe"
1⤵
- Executes dropped EXE
PID:3272

C:\containerperf\csrss.exe
C:\containerperf\csrss.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Users\Default\Favorites\sihost.exe
C:\Users\Default\Favorites\sihost.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
C:\Windows\HoloShell\microsoft.system.package.metadata\Autogen\explorer.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe
"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe"
1⤵
- Executes dropped EXE
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ApplicationFrameHost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Hyperblockport.exe.log

Filesize
1KB

MD5
430a3e587f99c7640a58a042ce63bdd6

SHA1
5d11d6b74e56cf622796971b8f57f57ca37592db

SHA256
a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7

SHA512
0b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7d5a99cac0e94512fbc9ee4abeb6f1a

SHA1
f1188900ec1f87aaf5f030cd54b6c225144975ee

SHA256
402e47585c26896e3df28918be56288bc7a532ec18da177a0a8e51f7c9decb23

SHA512
46c5b7c8622c0a0f2fbdba2ab5ad16b5618f3784bb9b95b44b09e5f856002e7acfb9343650f980aca2c4f3f0c9b534c1026c25f23535c0b4187ce7b3bd6e6d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bb8b3645829310b0a9c2aa6f41e78983

SHA1
3349a8ed0a071cb60e327f7943719e743bbd0e75

SHA256
c313043c7b2f17040168a24e6035c93f97a74385fe854133d3de27479e149056

SHA512
27cb9a9490a3e433bd181f14b69ac89f0245da52f30893695d24f9a3a5d693a31d4cb840d3825af68efcb4e1a0216ed2c1fd26efa7ba47861756b52986a1c570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a90f4e1b0898b8b277dad6efb3b3b7f4

SHA1
4df6e08aae55e79856840bc56ea5923ef63471eb

SHA256
7c290e79580a7a932332753043ac7ae8b7de1478e4ec54e0b25793a6cb237b75

SHA512
2fd81ad1172853ffaff663fd3ff8d1881b4abf290e24cd4dc261fe1e22a0a85021236cc6f88750596a98e4f1e63e873452a3ea850de1a3d0d08a797e7270c6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
718fc3cf4e053d4c5e320ae26b045dbe

SHA1
bcddd39444663015b7d404674c2acfe8a36f143a

SHA256
1df051ec1d87d76f2dd955ea8b7b862c79d4d6c48d42ab9f2e4177d0cec0c1e4

SHA512
e0f542450ba1a56f9bc2e803faef6c0f93cbcfe9f8326f8f8208487ac82962d181fd547f81f02b6498952dc0995a06336dd7d6d2ffdbe6b5e19028f950ac3e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c94b3a6da9b4fce6316994b7ce6cb0ed

SHA1
41fbfd74ae13a306791b4ba5e8470f11013715b4

SHA256
6d78bde9da5f069048fa136f3ef9f506c6dd2475a21f2382ac64d4ea66fe05d9

SHA512
662e4639655f5373a59ba58f71112ed97afbb3996487482fb9bd66b67a8934512cf33492356dd6a242f7393befccb78c2d9702739a14af0970e64df75579f421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c46221fb82be9389382527e82e952b9e

SHA1
37bea0c7a5e5b00afc3db4f3d2ed5783dde1b306

SHA256
4d8689d77b56975a60f1f670dae62c471091c0c76669cc443a05ecd46679f1c7

SHA512
430873d539f8e674540fbc55565876759708bcc2d5e5aeed5b0c582c8d6e2daaf59c7ffab7dbf014b7cd1bfc1d7a39b021777856551045c40bbc5fed23e3d205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1ec1c93fae091dc43433a43da811f8e

SHA1
b96691bd37941d7b2b7742c46df976695581cf9a

SHA256
a16333109532fad03f85645a675e3b0f77421fddee13ba2ee36affe1a5dd68f8

SHA512
20556959d0177831d6944547dba2e39132d2e2e2d1f43964e53b08bf2ad8d9cf67d008f95c19b91bc8f1e154ce813802b165b44e691644db5d4a686bdacfc9e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de6b358d7415a12e4843110b5c5ee8aa

SHA1
9ccd0ba9af467c3a29cbc8aa256d2706e71cd084

SHA256
23ba32fbcdd61b9197ceddd4adfc10825f4fdfc7c75fdc87faa6925b488e776d

SHA512
d3352c0f3f84c7649c988e69a6a3a9124d8258b711c977129864cd7ea9ccda292ebaea1081819f6fe3aec5c3fed156b6a523b355f707edb2d822dd85dd7b43af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e04727b970a8530f6aa4f89e7f1a8d83

SHA1
9bd94030ce9e1cb2a72d5d9ec5f3edee0f996467

SHA256
914b8783b9a65a36aa0c2c0449ba2e666576cd0bf82d30bf88eb569791674dbd

SHA512
a0f84a4cecd5114cc076e7c66e8d7cd8989772b33a54993fc29d127ac22e211b5cf9bc8fee6917b2bd89bcdb8ab757346b9ae3291311c44ba7251f4f0d3a40ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8525e66e-4c0c-40ce-92d4-5c2759a20bad.vbs

Filesize
736B

MD5
1403bd6a39efe70279910433909455bc

SHA1
ad3477e77801343a7537e1ad84eba56414d0a678

SHA256
eecc8aa2447bb54882843d6b0085fb9e1e28ef0bb14402c7bf859ca141987999

SHA512
858fcbc44f3962acc96c7840b509c580d956e59332fcaa001b3b446c92396d7227920af0411898e2cb0acb6a08a600d53cc8e1d5dd7ad43e1e18913ab8b6cd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d2cdni34.g13.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a19c8261-ce6d-4944-ad13-c1f54fc2a012.vbs

Filesize
512B

MD5
e54de04acb65319180bf0e6d2bef1108

SHA1
ef62ec7bca78d059822165e043596177b1c60450

SHA256
3a2da5f511dc468a5cf2bafe6c60fdc7b6b75a1d47c492ff681cb0a7129d11b0

SHA512
1e9b4cdedab9e6127520c0c41ad7f946c06a863061472eef7bdcdd70c837a046b13e9d8103b67e8531c5a1e0565b514981d15c4c49475f894673e2a9d664273d

Download Submit
C:\containerperf\9nepdzd6Yg.vbe

Filesize
226B

MD5
fd73bba1ae261c1bde0a83ff425994c4

SHA1
7e9e51cef1374547c885b6e8bd62ed2a1dc6902b

SHA256
16f04c862e66dbdf8631baaa3c37e771281f59d68d60420d4dac89701c1fb732

SHA512
20644ded806f97cdd62b136fa4cd6bff7ed61d8c4f6d533dee3c71d3f12923243551e910f56d4504a0c67a89a3e50064fa8f53cb3b307150cf185c9016e004e4

Download Submit
C:\containerperf\Hyperblockport.exe

Filesize
2.9MB

MD5
a5eb91d9ffb09e43c86d3ac84354107f

SHA1
ab225fd443f3c209c4493e1dd823093c87364075

SHA256
13da0ed8f7f0cfbf7187ae5d3fe222a0aac5a0fad6e0c1f011f0ef3f8d126906

SHA512
3259e901d0347db552f658f89c11c711f328831a5da203b18e8383740a202b87aea4a2c84c33d3ca6d9a8200d1f933f8820379a7b77e094c005a004c9f3c59ee

Download Submit
C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat

Filesize
48B

MD5
7a122e2bf760c3ba657e5ba59337bce2

SHA1
e9ac1ad5c6b04628fdea1a0657f0e466a2a06261

SHA256
b9469f10268a8e4a44814d71f3eb6530f2a4970933b586f6dc5e3eebb2fe33f8

SHA512
89912e65857c9975e0c6ab2b3ea94f07547cba9e875b7db26dc87a6d2ec8ba79b9aa7421a78f8203587ffc70fe39df2c8fc95566c47d4681fa59f933129c6c64

Download Submit
memory/428-22-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/428-28-0x000000001B230000-0x000000001B23C000-memory.dmp

Filesize
48KB

Download
memory/428-34-0x000000001B9E0000-0x000000001B9EE000-memory.dmp

Filesize
56KB

Download
memory/428-33-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

Filesize
32KB

Download
memory/428-32-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

Filesize
56KB

Download
memory/428-31-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

Filesize
40KB

Download
memory/428-35-0x000000001B9F0000-0x000000001B9F8000-memory.dmp

Filesize
32KB

Download
memory/428-36-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/428-37-0x000000001BBB0000-0x000000001BBBC000-memory.dmp

Filesize
48KB

Download
memory/428-14-0x00000000002F0000-0x00000000005D2000-memory.dmp

Filesize
2.9MB

Download
memory/428-15-0x00000000026D0000-0x00000000026EC000-memory.dmp

Filesize
112KB

Download
memory/428-29-0x000000001B950000-0x000000001B95C000-memory.dmp

Filesize
48KB

Download
memory/428-16-0x000000001B180000-0x000000001B1D0000-memory.dmp

Filesize
320KB

Download
memory/428-30-0x000000001B960000-0x000000001B968000-memory.dmp

Filesize
32KB

Download
memory/428-27-0x000000001B220000-0x000000001B22C000-memory.dmp

Filesize
48KB

Download
memory/428-26-0x000000001BE80000-0x000000001C3A6000-memory.dmp

Filesize
5.1MB

Download
memory/428-25-0x000000001B1F0000-0x000000001B202000-memory.dmp

Filesize
72KB

Download
memory/428-24-0x000000001B1E0000-0x000000001B1E8000-memory.dmp

Filesize
32KB

Download
memory/428-23-0x000000001B1D0000-0x000000001B1DC000-memory.dmp

Filesize
48KB

Download
memory/428-21-0x0000000002880000-0x000000000288C000-memory.dmp

Filesize
48KB

Download
memory/428-20-0x0000000002830000-0x0000000002886000-memory.dmp

Filesize
344KB

Download
memory/428-19-0x0000000002820000-0x000000000282A000-memory.dmp

Filesize
40KB

Download
memory/428-17-0x00000000026F0000-0x0000000002706000-memory.dmp

Filesize
88KB

Download
memory/428-18-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/2792-251-0x000000001BA40000-0x000000001BA52000-memory.dmp

Filesize
72KB

Download
memory/2792-610-0x000000001E0F0000-0x000000001E2B2000-memory.dmp

Filesize
1.8MB

Download
memory/4252-133-0x000001AD4A280000-0x000001AD4A2F6000-memory.dmp

Filesize
472KB

Download
memory/4252-129-0x000001AD4A060000-0x000001AD4A082000-memory.dmp

Filesize
136KB

Download