dcrat | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240

Analysis

max time kernel
137s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AstralprivateDLL.exe.bin.exe
Size

65.7MB
MD5

c9f4668c97eb480751e1bbf6173fc4e1
SHA1

528deade2bc88cafc26f78f7c73490b66abdf370
SHA256

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
SHA512

dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
SSDEEP

196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\ServerComponenthostMonitorDll.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\ServerComponenthostMonitorDll.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\Help\\mui\\0C0A\\ServerComponenthostMonitorDll.exe\", \"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2452	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2452	schtasks.exe	36

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 2904 created 1244	2904	twain_32.exe	20
PID 2904 created 1244	2904	twain_32.exe	20
PID 2904 created 1244	2904	twain_32.exe	20
PID 2904 created 1244	2904	twain_32.exe	20
PID 2904 created 1244	2904	twain_32.exe	20
PID 2904 created 1244	2904	twain_32.exe	20

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
896	powershell.exe
560	powershell.exe
2636	powershell.exe
1380	powershell.exe
2916	powershell.exe
1300	powershell.exe
2728	powershell.exe
1400	powershell.exe
552	powershell.exe
1812	powershell.exe
2564	powershell.exe
2316	powershell.exe
1728	powershell.exe
1736	powershell.exe
2616	powershell.exe
1016	powershell.exe
328	powershell.exe
1672	powershell.exe
1752	powershell.exe
1764	powershell.exe
1800	powershell.exe
1864	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2484	Astral private DLL.exe
2904	twain_32.exe
2828	ServerComponenthostMonitorDll.exe
3000	wininit.exe
2272	updater.exe

Loads dropped DLL 5 IoCs

pid	Process
796	AstralprivateDLL.exe.bin.exe
796	AstralprivateDLL.exe.bin.exe
2844	cmd.exe
2844	cmd.exe
1020	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Public\\Videos\\Sample Videos\\sppsvc.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\Windows\\Help\\mui\\0C0A\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\Windows\\Help\\mui\\0C0A\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\31f19e42-8726-11ef-be9a-dab21757c799\\wininit.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1188	cmd.exe
2128	powercfg.exe
2268	powercfg.exe
2460	cmd.exe
2468	powercfg.exe
2436	powercfg.exe
2376	powercfg.exe
2260	powercfg.exe
2700	powercfg.exe
2992	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	\??\c:\Windows\System32\CSC2287913196A4966A7C95330ECFAF2B.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 2776	2904	twain_32.exe	111

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	twain_32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\mui\0C0A\0d88ef3a63e6c4	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\Help\mui\0C0A\ServerComponenthostMonitorDll.exe	ServerComponenthostMonitorDll.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2512	sc.exe
2072	sc.exe
1620	sc.exe
2664	sc.exe
272	sc.exe
1864	sc.exe
1724	sc.exe
3056	sc.exe
2340	sc.exe
2488	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AstralprivateDLL.exe.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Astral private DLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2408	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2116	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2408	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2980	schtasks.exe
1488	schtasks.exe
2568	schtasks.exe
2352	schtasks.exe
2168	schtasks.exe
2220	schtasks.exe
1368	schtasks.exe
1356	schtasks.exe
640	schtasks.exe
1060	schtasks.exe
2388	schtasks.exe
1288	schtasks.exe
2148	schtasks.exe
1744	schtasks.exe
976	schtasks.exe
2840	schtasks.exe
2460	schtasks.exe
1872	schtasks.exe
2184	schtasks.exe
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe
2828	ServerComponenthostMonitorDll.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	3000	wininit.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2776	dialer.exe
Token: SeShutdownPrivilege	2260	powercfg.exe
Token: SeAuditPrivilege	832	svchost.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2468	powercfg.exe
Token: SeShutdownPrivilege	2436	powercfg.exe
Token: SeShutdownPrivilege	2700	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2484	796	AstralprivateDLL.exe.bin.exe	29
PID 796 wrote to memory of 2484	796	AstralprivateDLL.exe.bin.exe	29
PID 796 wrote to memory of 2484	796	AstralprivateDLL.exe.bin.exe	29
PID 796 wrote to memory of 2484	796	AstralprivateDLL.exe.bin.exe	29
PID 796 wrote to memory of 2904	796	AstralprivateDLL.exe.bin.exe	30
PID 796 wrote to memory of 2904	796	AstralprivateDLL.exe.bin.exe	30
PID 796 wrote to memory of 2904	796	AstralprivateDLL.exe.bin.exe	30
PID 796 wrote to memory of 2904	796	AstralprivateDLL.exe.bin.exe	30
PID 2484 wrote to memory of 2884	2484	Astral private DLL.exe	31
PID 2484 wrote to memory of 2884	2484	Astral private DLL.exe	31
PID 2484 wrote to memory of 2884	2484	Astral private DLL.exe	31
PID 2484 wrote to memory of 2884	2484	Astral private DLL.exe	31
PID 2884 wrote to memory of 2844	2884	WScript.exe	32
PID 2884 wrote to memory of 2844	2884	WScript.exe	32
PID 2884 wrote to memory of 2844	2884	WScript.exe	32
PID 2884 wrote to memory of 2844	2884	WScript.exe	32
PID 2844 wrote to memory of 2116	2844	cmd.exe	34
PID 2844 wrote to memory of 2116	2844	cmd.exe	34
PID 2844 wrote to memory of 2116	2844	cmd.exe	34
PID 2844 wrote to memory of 2116	2844	cmd.exe	34
PID 2844 wrote to memory of 2828	2844	cmd.exe	35
PID 2844 wrote to memory of 2828	2844	cmd.exe	35
PID 2844 wrote to memory of 2828	2844	cmd.exe	35
PID 2844 wrote to memory of 2828	2844	cmd.exe	35
PID 2828 wrote to memory of 2972	2828	ServerComponenthostMonitorDll.exe	40
PID 2828 wrote to memory of 2972	2828	ServerComponenthostMonitorDll.exe	40
PID 2828 wrote to memory of 2972	2828	ServerComponenthostMonitorDll.exe	40
PID 2972 wrote to memory of 2984	2972	csc.exe	42
PID 2972 wrote to memory of 2984	2972	csc.exe	42
PID 2972 wrote to memory of 2984	2972	csc.exe	42
PID 2828 wrote to memory of 1672	2828	ServerComponenthostMonitorDll.exe	58
PID 2828 wrote to memory of 1672	2828	ServerComponenthostMonitorDll.exe	58
PID 2828 wrote to memory of 1672	2828	ServerComponenthostMonitorDll.exe	58
PID 2828 wrote to memory of 2564	2828	ServerComponenthostMonitorDll.exe	59
PID 2828 wrote to memory of 2564	2828	ServerComponenthostMonitorDll.exe	59
PID 2828 wrote to memory of 2564	2828	ServerComponenthostMonitorDll.exe	59
PID 2828 wrote to memory of 1752	2828	ServerComponenthostMonitorDll.exe	60
PID 2828 wrote to memory of 1752	2828	ServerComponenthostMonitorDll.exe	60
PID 2828 wrote to memory of 1752	2828	ServerComponenthostMonitorDll.exe	60
PID 2828 wrote to memory of 560	2828	ServerComponenthostMonitorDll.exe	62
PID 2828 wrote to memory of 560	2828	ServerComponenthostMonitorDll.exe	62
PID 2828 wrote to memory of 560	2828	ServerComponenthostMonitorDll.exe	62
PID 2828 wrote to memory of 328	2828	ServerComponenthostMonitorDll.exe	65
PID 2828 wrote to memory of 328	2828	ServerComponenthostMonitorDll.exe	65
PID 2828 wrote to memory of 328	2828	ServerComponenthostMonitorDll.exe	65
PID 2828 wrote to memory of 1864	2828	ServerComponenthostMonitorDll.exe	66
PID 2828 wrote to memory of 1864	2828	ServerComponenthostMonitorDll.exe	66
PID 2828 wrote to memory of 1864	2828	ServerComponenthostMonitorDll.exe	66
PID 2828 wrote to memory of 1380	2828	ServerComponenthostMonitorDll.exe	67
PID 2828 wrote to memory of 1380	2828	ServerComponenthostMonitorDll.exe	67
PID 2828 wrote to memory of 1380	2828	ServerComponenthostMonitorDll.exe	67
PID 2828 wrote to memory of 1812	2828	ServerComponenthostMonitorDll.exe	68
PID 2828 wrote to memory of 1812	2828	ServerComponenthostMonitorDll.exe	68
PID 2828 wrote to memory of 1812	2828	ServerComponenthostMonitorDll.exe	68
PID 2828 wrote to memory of 1800	2828	ServerComponenthostMonitorDll.exe	69
PID 2828 wrote to memory of 1800	2828	ServerComponenthostMonitorDll.exe	69
PID 2828 wrote to memory of 1800	2828	ServerComponenthostMonitorDll.exe	69
PID 2828 wrote to memory of 2636	2828	ServerComponenthostMonitorDll.exe	70
PID 2828 wrote to memory of 2636	2828	ServerComponenthostMonitorDll.exe	70
PID 2828 wrote to memory of 2636	2828	ServerComponenthostMonitorDll.exe	70
PID 2828 wrote to memory of 552	2828	ServerComponenthostMonitorDll.exe	71
PID 2828 wrote to memory of 552	2828	ServerComponenthostMonitorDll.exe	71
PID 2828 wrote to memory of 552	2828	ServerComponenthostMonitorDll.exe	71
PID 2828 wrote to memory of 1400	2828	ServerComponenthostMonitorDll.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1556
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:740
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1180
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {E3743903-E66D-46AC-A059-17B0C7368A83} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:1020
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Executes dropped EXE
      PID:2272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:988
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1040
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1788
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1940
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1920

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:484

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:492

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe.bin.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe
    "C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2116
      - C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf/ServerComponenthostMonitorDll.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e3x4dvcz\e3x4dvcz.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA045.tmp" "c:\Windows\System32\CSC2287913196A4966A7C95330ECFAF2B.TMP"
        8⤵
        
        PID:2984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\0C0A\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ErrqmIt9sl.bat"
        7⤵
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
- - C:\Users\Admin\AppData\Local\Temp\twain_32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain_32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2060
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1864
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2512
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2072
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1724
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1620
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2460
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2568
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1016
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1212
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3056
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2664
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2340
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2488
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:272
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1188
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2992
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2128
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2268
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2376
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:896
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2148
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1836
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0C0A\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\Windows\Help\mui\0C0A\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0C0A\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 6 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 8 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1328494914-1935411769-6616470352015111290-2040964748-431093585-4715689421292221016"
1⤵
PID:1432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1519750978-1782537189-17654280179071549912505957108286043551026787476-1596976775"
1⤵
PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1856075933415406167-405130991187636892-5444032131405934801173084521-423306768"
1⤵
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ErrqmIt9sl.bat

Filesize
188B

MD5
d07a27183731fc806dcdc4624f53794f

SHA1
8c501e63a5b2eb5102285bec338bba3861040d7c

SHA256
c031823c601a961b5568e007a38ec3b99a4ad96d066586e95764094723c792c2

SHA512
8cd0c5f72f1188ece979430fbf6d89d5a693bb7eece8b755ee5bb56abd8296864dae2656110c75b1fc150450dd89c4b2d6d4e32d4899daaf5672eb34c50b43ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA045.tmp

Filesize
1KB

MD5
07610a3549b6fa15914e6f93e9e539c2

SHA1
f1ab29113dfe93ee920e4c9bcec92469778ad878

SHA256
f485eca754eb83687f20fc1f2021e8270d80a13952db5f4121c5e46657eafdb1

SHA512
de19e65615d3c5492c3db6f1716424400e8b580ecdd3e8e81f8c54aa0d8af15a746b14de7963333b790559f828b825b8d2509a9a9405add3f5044a11801dd73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\twain_32.exe

Filesize
5.7MB

MD5
1ff26b7d334cd22e726caf72a4208b96

SHA1
d2a1ad17e27c01072ac41d4d20426dd5ca7554ad

SHA256
56ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db

SHA512
787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9f65b25e93c7c7191d80d8da0c4e99ff

SHA1
6c0a83f4b94825e80cca85b2b7a3dd2286b5117b

SHA256
d4f935461feb50b13c4cff725772804a1c8c3138e146baae6227a381249e07c1

SHA512
4148207495d9b09931c72e684b097bd0166a558b1773eb92ad1f2042f5c63c9220e7b4988190fd45cf8cae45a0d99d942aef8bb9f0556061cde97a531b40a58e

Download Submit
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC

Filesize
3KB

MD5
04d26840e1d883924058395e34157086

SHA1
166b57230358b66086628840278113c3f31ba6ec

SHA256
f9be18f19a14f95fea05b6f6ccc4ec701b7c2840aa3925012bfd680f3fdeb733

SHA512
fac5cde1a4d29457da4c36ed6e6feb9a0b17025f0a608255d0c36cff03dece79071863ca92f126fb6c6097b9ef59da596bcd2144e945307a2bfc6cdecf628605

Download Submit
C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat

Filesize
200B

MD5
705bbadbf818277ddd38afa10533756b

SHA1
1d5fb39c2793854e8c7d848798e39c659aa3e22d

SHA256
871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3

SHA512
f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31

Download Submit
C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe

Filesize
230B

MD5
3ef9810ceb57153ab80dd204f33e7f91

SHA1
3fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f

SHA256
d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e

SHA512
e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3x4dvcz\e3x4dvcz.0.cs

Filesize
379B

MD5
d34c7eda1ae85efc593af9b675d77c1a

SHA1
6fca759ac2e570229d426a74b0e772879a938328

SHA256
08713440108e87b7ff0d5ea12f703ad54c69a8140cfd8eae5dd76fe84152f85f

SHA512
52737817b24a9cc25f849a5d43f30363fca26831ef7822a745070156c0e28d794665808d3aeb0daa49419b8fb077ad3e35b4175c48691679a451c5d9fcb592c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e3x4dvcz\e3x4dvcz.cmdline

Filesize
235B

MD5
71f7942a4cc509844a47501689f6ac73

SHA1
8ae0147802b4e5c3d8c47d399e169e60338feef2

SHA256
4099e63f654a58d9e8c43e8633516cdd82db363362bea49afd8941a064ae5679

SHA512
efee00ddefe5fb212c9840d600a340f3b8d91c2d9dcb2ecd0a7f93155daf67ee3fc068f7483e89c8d83810fd6fd63c3adcbc516a66bf377de635c8ed7f2a368d

Download Submit
\??\c:\Windows\System32\CSC2287913196A4966A7C95330ECFAF2B.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
memory/328-84-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/328-82-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/424-196-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/424-200-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/424-198-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download
memory/424-199-0x0000000000860000-0x0000000000887000-memory.dmp

Filesize
156KB

Download
memory/424-201-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/468-223-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/468-218-0x00000000000A0000-0x00000000000C7000-memory.dmp

Filesize
156KB

Download
memory/468-221-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/484-211-0x0000000037600000-0x0000000037610000-memory.dmp

Filesize
64KB

Download
memory/484-209-0x0000000000A20000-0x0000000000A47000-memory.dmp

Filesize
156KB

Download
memory/484-210-0x000007FEBE240000-0x000007FEBE250000-memory.dmp

Filesize
64KB

Download
memory/492-250-0x0000000000A50000-0x0000000000A77000-memory.dmp

Filesize
156KB

Download
memory/796-0-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/796-16-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/896-608-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1016-513-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2716-301-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2728-191-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2728-190-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2776-195-0x00000000773A0000-0x00000000774BF000-memory.dmp

Filesize
1.1MB

Download
memory/2776-194-0x00000000775C0000-0x0000000077769000-memory.dmp

Filesize
1.7MB

Download
memory/2828-42-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2828-44-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2828-40-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2828-38-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2828-36-0x0000000000360000-0x0000000000378000-memory.dmp

Filesize
96KB

Download
memory/2828-34-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2828-32-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2828-30-0x00000000003D0000-0x00000000005C8000-memory.dmp

Filesize
2.0MB

Download
memory/2904-192-0x000000013F140000-0x000000013F701000-memory.dmp

Filesize
5.8MB

Download
memory/2904-61-0x000000013F140000-0x000000013F701000-memory.dmp

Filesize
5.8MB

Download
memory/3000-173-0x0000000000C20000-0x0000000000E18000-memory.dmp

Filesize
2.0MB

Download