dcrat | f4e113eaba1238c566ce7eb0a0d8cc1a579d0044533a949098fc332dd25d2146

Analysis

max time kernel
899s
max time network
902s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-01-2025 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blue.cc.rar
Size

5.7MB
MD5

abb20aafcb03673f84be810610e73262
SHA1

08e131e5ef59e64d7713aeec34d336ee602e8187
SHA256

f4e113eaba1238c566ce7eb0a0d8cc1a579d0044533a949098fc332dd25d2146
SHA512

26f01b7a4192c27e685b6b84392cae04bd36ef876b518ee652cd81bd334b78ec612900231e3f828b991c8142eefe45206fcc3976570d6070fafe085e2751b7ad
SSDEEP

98304:nPzPxjBNchBLJX4jTq+Q0SBPOOx7G1NcL+X1pYjJT1xMetHxPP+NlU7qG7BnjuAl:nPdBNcRX9FBm4SciDY91KetRHIM9QRPY

Score

10^/10

dcrat xmrig discovery evasion execution infostealer miner persistence rat spyware stealer upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/memory/4812-333-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-337-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-339-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-338-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-336-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-335-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-332-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-358-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/4812-360-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3104-420-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3104-424-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3104-423-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3104-422-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3104-421-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3104-428-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1796	powershell.exe
2092	powershell.exe
4024	powershell.exe
4508	powershell.exe
3504	powershell.exe
5084	powershell.exe
2400	powershell.exe
840	powershell.exe
1344	powershell.exe
3856	powershell.exe
2628	powershell.exe
628	powershell.exe
6036	powershell.exe
1088	powershell.exe
2580	powershell.exe
4196	powershell.exe
3324	powershell.exe
3448	powershell.exe
760	powershell.exe
1392	powershell.exe
1076	powershell.exe
2660	powershell.exe
3324	powershell.exe
3828	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	blue.cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	blue.cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation	portRuntimedll.exe

Executes dropped EXE 12 IoCs

pid	Process
4936	blue.cc.exe
796	Cheat.exe
3668	Loader.exe
3620	portRuntimedll.exe
6028	StartMenuExperienceHost.exe
3656	sjtrewuvofcs.exe
2320	sjtrewuvofcs.exe
5920	blue.cc.exe
4840	Cheat.exe
4636	Loader.exe
5456	portRuntimedll.exe
1352	sjtrewuvofcs.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Power Settings 1 TTPs 20 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5232	powercfg.exe
5128	powercfg.exe
5248	powercfg.exe
980	powercfg.exe
1060	powercfg.exe
2616	powercfg.exe
4824	powercfg.exe
2880	powercfg.exe
3884	powercfg.exe
2260	powercfg.exe
916	powercfg.exe
4628	powercfg.exe
5756	powercfg.exe
4324	powercfg.exe
400	powercfg.exe
2492	powercfg.exe
5784	powercfg.exe
1872	powercfg.exe
868	powercfg.exe
4192	powercfg.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	sjtrewuvofcs.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Loader.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	sjtrewuvofcs.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Loader.exe
File opened for modification	C:\Windows\system32\MRT.exe	sjtrewuvofcs.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3656 set thread context of 5156	3656	sjtrewuvofcs.exe	165
PID 3656 set thread context of 4812	3656	sjtrewuvofcs.exe	171
PID 2320 set thread context of 3104	2320	sjtrewuvofcs.exe	189

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4812-327-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-331-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-329-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-333-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-337-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-339-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-338-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-336-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-335-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-332-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-330-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-358-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/4812-360-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3104-420-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3104-424-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3104-423-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3104-422-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3104-421-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3104-428-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\StartMenuExperienceHost.exe	portRuntimedll.exe
File created	C:\Program Files\Windows Photo Viewer\55b276f4edf653	portRuntimedll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\explorer.exe	portRuntimedll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\7a0fd90576e088	portRuntimedll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe	portRuntimedll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\56085415360792	portRuntimedll.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2716	sc.exe
1868	sc.exe
2972	sc.exe
3968	sc.exe
5352	sc.exe
5760	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings	Cheat.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings	portRuntimedll.exe
Key created	\REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings	Cheat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe
3620	portRuntimedll.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4560	7zFM.exe
6028	StartMenuExperienceHost.exe
4240	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4560	7zFM.exe
Token: 35	4560	7zFM.exe
Token: SeSecurityPrivilege	4560	7zFM.exe
Token: SeDebugPrivilege	3620	portRuntimedll.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeIncreaseQuotaPrivilege	3856	powershell.exe
Token: SeSecurityPrivilege	3856	powershell.exe
Token: SeTakeOwnershipPrivilege	3856	powershell.exe
Token: SeLoadDriverPrivilege	3856	powershell.exe
Token: SeSystemProfilePrivilege	3856	powershell.exe
Token: SeSystemtimePrivilege	3856	powershell.exe
Token: SeProfSingleProcessPrivilege	3856	powershell.exe
Token: SeIncBasePriorityPrivilege	3856	powershell.exe
Token: SeCreatePagefilePrivilege	3856	powershell.exe
Token: SeBackupPrivilege	3856	powershell.exe
Token: SeRestorePrivilege	3856	powershell.exe
Token: SeShutdownPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeSystemEnvironmentPrivilege	3856	powershell.exe
Token: SeRemoteShutdownPrivilege	3856	powershell.exe
Token: SeUndockPrivilege	3856	powershell.exe
Token: SeManageVolumePrivilege	3856	powershell.exe
Token: 33	3856	powershell.exe
Token: 34	3856	powershell.exe
Token: 35	3856	powershell.exe
Token: 36	3856	powershell.exe
Token: SeIncreaseQuotaPrivilege	4196	powershell.exe
Token: SeSecurityPrivilege	4196	powershell.exe
Token: SeTakeOwnershipPrivilege	4196	powershell.exe
Token: SeLoadDriverPrivilege	4196	powershell.exe
Token: SeSystemProfilePrivilege	4196	powershell.exe
Token: SeSystemtimePrivilege	4196	powershell.exe
Token: SeProfSingleProcessPrivilege	4196	powershell.exe
Token: SeIncBasePriorityPrivilege	4196	powershell.exe
Token: SeCreatePagefilePrivilege	4196	powershell.exe
Token: SeBackupPrivilege	4196	powershell.exe
Token: SeRestorePrivilege	4196	powershell.exe
Token: SeShutdownPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeSystemEnvironmentPrivilege	4196	powershell.exe
Token: SeRemoteShutdownPrivilege	4196	powershell.exe
Token: SeUndockPrivilege	4196	powershell.exe
Token: SeManageVolumePrivilege	4196	powershell.exe
Token: 33	4196	powershell.exe
Token: 34	4196	powershell.exe
Token: 35	4196	powershell.exe
Token: 36	4196	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4560	7zFM.exe
4560	7zFM.exe
4560	7zFM.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 796	4936	blue.cc.exe	88
PID 4936 wrote to memory of 796	4936	blue.cc.exe	88
PID 4936 wrote to memory of 796	4936	blue.cc.exe	88
PID 4936 wrote to memory of 3668	4936	blue.cc.exe	89
PID 4936 wrote to memory of 3668	4936	blue.cc.exe	89
PID 796 wrote to memory of 5040	796	Cheat.exe	90
PID 796 wrote to memory of 5040	796	Cheat.exe	90
PID 796 wrote to memory of 5040	796	Cheat.exe	90
PID 5040 wrote to memory of 4284	5040	WScript.exe	91
PID 5040 wrote to memory of 4284	5040	WScript.exe	91
PID 5040 wrote to memory of 4284	5040	WScript.exe	91
PID 4284 wrote to memory of 3620	4284	cmd.exe	93
PID 4284 wrote to memory of 3620	4284	cmd.exe	93
PID 3620 wrote to memory of 1088	3620	portRuntimedll.exe	94
PID 3620 wrote to memory of 1088	3620	portRuntimedll.exe	94
PID 3620 wrote to memory of 4024	3620	portRuntimedll.exe	95
PID 3620 wrote to memory of 4024	3620	portRuntimedll.exe	95
PID 3620 wrote to memory of 4508	3620	portRuntimedll.exe	96
PID 3620 wrote to memory of 4508	3620	portRuntimedll.exe	96
PID 3620 wrote to memory of 3504	3620	portRuntimedll.exe	97
PID 3620 wrote to memory of 3504	3620	portRuntimedll.exe	97
PID 3620 wrote to memory of 628	3620	portRuntimedll.exe	98
PID 3620 wrote to memory of 628	3620	portRuntimedll.exe	98
PID 3620 wrote to memory of 4196	3620	portRuntimedll.exe	99
PID 3620 wrote to memory of 4196	3620	portRuntimedll.exe	99
PID 3620 wrote to memory of 3324	3620	portRuntimedll.exe	101
PID 3620 wrote to memory of 3324	3620	portRuntimedll.exe	101
PID 3620 wrote to memory of 2092	3620	portRuntimedll.exe	102
PID 3620 wrote to memory of 2092	3620	portRuntimedll.exe	102
PID 3620 wrote to memory of 2660	3620	portRuntimedll.exe	103
PID 3620 wrote to memory of 2660	3620	portRuntimedll.exe	103
PID 3620 wrote to memory of 1076	3620	portRuntimedll.exe	104
PID 3620 wrote to memory of 1076	3620	portRuntimedll.exe	104
PID 3620 wrote to memory of 1392	3620	portRuntimedll.exe	105
PID 3620 wrote to memory of 1392	3620	portRuntimedll.exe	105
PID 3620 wrote to memory of 1796	3620	portRuntimedll.exe	107
PID 3620 wrote to memory of 1796	3620	portRuntimedll.exe	107
PID 3620 wrote to memory of 2580	3620	portRuntimedll.exe	108
PID 3620 wrote to memory of 2580	3620	portRuntimedll.exe	108
PID 3620 wrote to memory of 2628	3620	portRuntimedll.exe	109
PID 3620 wrote to memory of 2628	3620	portRuntimedll.exe	109
PID 3620 wrote to memory of 5084	3620	portRuntimedll.exe	111
PID 3620 wrote to memory of 5084	3620	portRuntimedll.exe	111
PID 3620 wrote to memory of 3856	3620	portRuntimedll.exe	112
PID 3620 wrote to memory of 3856	3620	portRuntimedll.exe	112
PID 3620 wrote to memory of 2400	3620	portRuntimedll.exe	113
PID 3620 wrote to memory of 2400	3620	portRuntimedll.exe	113
PID 3620 wrote to memory of 1344	3620	portRuntimedll.exe	114
PID 3620 wrote to memory of 1344	3620	portRuntimedll.exe	114
PID 3620 wrote to memory of 3640	3620	portRuntimedll.exe	130
PID 3620 wrote to memory of 3640	3620	portRuntimedll.exe	130
PID 3640 wrote to memory of 3136	3640	cmd.exe	132
PID 3640 wrote to memory of 3136	3640	cmd.exe	132
PID 3640 wrote to memory of 5376	3640	cmd.exe	134
PID 3640 wrote to memory of 5376	3640	cmd.exe	134
PID 3640 wrote to memory of 6028	3640	cmd.exe	135
PID 3640 wrote to memory of 6028	3640	cmd.exe	135
PID 3700 wrote to memory of 1184	3700	cmd.exe	152
PID 3700 wrote to memory of 1184	3700	cmd.exe	152
PID 3656 wrote to memory of 5156	3656	sjtrewuvofcs.exe	165
PID 3656 wrote to memory of 5156	3656	sjtrewuvofcs.exe	165
PID 3656 wrote to memory of 5156	3656	sjtrewuvofcs.exe	165
PID 3656 wrote to memory of 5156	3656	sjtrewuvofcs.exe	165
PID 3656 wrote to memory of 5156	3656	sjtrewuvofcs.exe	165

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Blue.cc.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4560

C:\Users\Admin\Desktop\blue.cc.exe
"C:\Users\Admin\Desktop\blue.cc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\surrogatewebDriverPerfdll\O2Mqb5EZIjFAAhUWjaVV4BgoTlxmSKSI5p5mmNTOQWmByl3e.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\surrogatewebDriverPerfdll\sBHMgLRm.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\surrogatewebDriverPerfdll\portRuntimedll.exe
        
        "C:\surrogatewebDriverPerfdll/portRuntimedll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/surrogatewebDriverPerfdll/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smartscreen.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\StartMenuExperienceHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\surrogatewebDriverPerfdll\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\surrogatewebDriverPerfdll\portRuntimedll.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ybMI5pl1w0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5376
        
        C:\Program Files\Windows Photo Viewer\StartMenuExperienceHost.exe
        
        "C:\Program Files\Windows Photo Viewer\StartMenuExperienceHost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:6028
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3668
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1184
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4324
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4192
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1060
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3884
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "BSJXEIWT"
    3⤵
    - Launches sc.exe
    PID:2716
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "BSJXEIWT" binpath= "C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1868
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3968
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "BSJXEIWT"
    3⤵
    - Launches sc.exe
    PID:2972

C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4832
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1276
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2492
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:400
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3324
- - C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
    "C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    PID:2320
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4872
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6024
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:1872
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:5128
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:5232
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5784
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3104
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4240

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4008

C:\Users\Admin\Desktop\blue.cc.exe
"C:\Users\Admin\Desktop\blue.cc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5920
- C:\Users\Admin\AppData\Local\Temp\Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4840
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\surrogatewebDriverPerfdll\O2Mqb5EZIjFAAhUWjaVV4BgoTlxmSKSI5p5mmNTOQWmByl3e.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\surrogatewebDriverPerfdll\sBHMgLRm.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1668
    - - C:\surrogatewebDriverPerfdll\portRuntimedll.exe
        
        "C:\surrogatewebDriverPerfdll/portRuntimedll.exe"
        5⤵
        Executes dropped EXE
        
        PID:5456
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4636
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5196
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1992
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5248
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:916
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4628
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4824
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5760
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "BSJXEIWT"
    3⤵
    - Launches sc.exe
    PID:5352

C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
C:\ProgramData\erxkvsklcucy\sjtrewuvofcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1352
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5240
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5984
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5756
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:868
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:980
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blue.cc.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\portRuntimedll.exe.log

Filesize
1KB

MD5
1eb759ec8a0d982d63773eb343e2a833

SHA1
bd449e841a449dcbdc03fb8b06891ed8a57afa4e

SHA256
496b42cced0d481317c95e60846b3995e6319b209dc72412a20a4824e1448f80

SHA512
91d887b28ce755373890cde130b8dd27ad347b9f192a76b283db24205b2804627118c1f68807f0abd112fbda007bc68ecc8a59bf07598884846baf6917837371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90d696d6a8ab185c1546b111fa208281

SHA1
b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

SHA256
78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

SHA512
0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ba7ac90c0e466144b48a90919960b6

SHA1
fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

SHA256
43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

SHA512
92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
528B

MD5
e23726ab66eb49b8e14eb4d8964362d4

SHA1
426f4c9b131c0de86e16b5cd8b6b8bf623470c29

SHA256
24b19c9fba04260b9db8dea83cb441d8ab947ef324c98c68715fc5ed618f0f78

SHA512
42bc7056bad40dbe93d51abc5272b6e8a3f8a1d60bd0ed0585498bb3df749542db316392e99de88359e05883ab9112d185ee9ef2ddbbf808f1b96b50cc333b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df7e3c8bb62b4c4c6c7ce7fbd3980dd

SHA1
a6b72ed690bce24ed4bd088066bb0e54f993bb15

SHA256
19cc604754ea34f0ad6a3eed76f9bd15d20e5eff42b19200542dfa18bd49b83b

SHA512
9ab735b499b25b230e35a7b176c47b7d0bf479a17fe1384d9b905202516715dc20ff797c763c1a3c23427c7c410732dda01cede9dd41e157b727d6d6e67c1cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4e78029926f09dd649c9e22d3363a196

SHA1
a0fac93ccc3505d9e6857b88f407eab164e49c34

SHA256
139b33af77e785669116fa61214dc8d959944a478e718ad3e90cb4f52bf32b1c

SHA512
5335f3eaad27499d9ecb6f3ec42e3c84d2293eeb2f3d64a72ce42a3d4ebf54793b9c179e39119bd27656c366deae946e231070cb5a00f09e2e7101e908f93039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat.exe

Filesize
2.2MB

MD5
a54657ad972c7ed59bfec031e449c45a

SHA1
f26cc3e543842e3d59825d61add2852853078c5a

SHA256
56782c0bce98d22894af0d0354008a0793f7b24ed774c8451c2b367ebc8f2304

SHA512
1f1136608792ba227abe8988411a9127edf3d14c9f40dc9112b3205032fcd293ad7fc29ac322c7a88f005907822d1310e362ad8af32691b0fb8422a92a1060bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
5.0MB

MD5
9a4520febabd856344d00ff8867d278c

SHA1
0cbe2d841471f6d0386232951b16edcc5c19f645

SHA256
d5c5036bdeafcc68f74097fbe090d48be72d0504b446980e00276dfe6c70067a

SHA512
8223c4ed4e0b67c4363eb913206c70441325568816922b9f60b99f64551f2c28b9961f36a4133fc86fe832d2118a88674478f6b62fcd33265e2449f1f512223b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cntdfnmu.vpz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybMI5pl1w0.bat

Filesize
241B

MD5
a1387a573a6355ad25d7c55e664be33e

SHA1
87963edafd38a67101c9445051837f19a9ee99f4

SHA256
0c34053f5283606ffd302149b702ff31edc2ec928728928c289ca7ada6b125ae

SHA512
222e4d4d4a87bb3149cea83903364df94772c8c9ab318ae4923086fa3520bef681d56f2720b8760bc12b4092f24ee1d0220cdc7c1697758e4ecac68010425762

Download Submit
C:\Users\Admin\Desktop\blue.cc.exe

Filesize
5.7MB

MD5
f3edbc69d3579a04978e4a90825b2c86

SHA1
0a4c0b114f28c63c021756d7d9009652712566e8

SHA256
8afbd41db0f57e93abe9c3337571e9775eb15b96835252e3cfcdffe01d6fe0e4

SHA512
4829622b1fe7fe86ef9dc9a793bb805664717dd32fab380678e0aa2cbc2d6e14ef1e4d8da86d1a99cf0e607c50dd9bbb8227eecef06e731a7596d1e8703db639

Download Submit
C:\Windows\TEMP\syngtqixojtf.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
6db666b8eea8c87bb44fc342dbda5fcb

SHA1
2536fb957e13fd2144e482970707286ca2625816

SHA256
079b31aa6c5078c9a97ffc9cfd2778942fbb12359b05975eb18507b6a1f18438

SHA512
88fcd3e8aaefc443b3fac3ec5a55762424a9d2211b051a36daad0c6be63f7a3f6f51d4be4e89189be044c7df6bcbded7eab6d3cba07a7a1458c48604b365579e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4fe0be11fb007b21a2fafa6abe0bf6f

SHA1
d0f2c0a5c7ee3491272101c3aaf7998bbb2fd22a

SHA256
ec0577e1bf334d310a1a70fd57fd1e561a90bbdd34737daed674f01c36c0c8d2

SHA512
1c51108e19f5a97acb7bba7c996c26a2715e3a4bb04b79c9afd718f8b8822bf906123e42eb1e40c88206bbce86b43546644d88794cc0de26126a38d9e27e01c0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3344a6f37ac041e54e0e310948e89736

SHA1
6ce64b891083ac07516bdf1f2d529fafbbfe5323

SHA256
0e7e206d33736ab0bd69f3b685933cc2401949bd1d2714263f41b8ddfa99873a

SHA512
66403be7e5df5cb4de72635eddbb2c448e9137a08c9f334126c4931b6f60124ef0c8571f82d91c8bf51a77f57802e0255647e6114f8aad33800a6b62ed5075ed

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
035bbd012cba05458cbe4a8b9d7369cc

SHA1
de230b3210b28a384cd46ec3aca00da46d46fca7

SHA256
84940c62e4e7accec88d1351a324f3a9fe9efdaea69beb4f5531c95f5f09f5fd

SHA512
f39dee93dad46f542a24ec110603195ff883888bfef2c4faf391ed63ba75a765abf4e486160fb001c4abd8529f358c7d4d3bb43612936aed0053e2e379b89cce

Download Submit
C:\surrogatewebDriverPerfdll\O2Mqb5EZIjFAAhUWjaVV4BgoTlxmSKSI5p5mmNTOQWmByl3e.vbe

Filesize
208B

MD5
24baff33090912fda41dbd7ff59c0758

SHA1
07b467337330f0abf1d1c34ea3d7ad305b42ebd2

SHA256
cf363df03c9082c65d6bb5c914deea16353fbd3871599953c5e51eedfab7d85e

SHA512
337d1dc80884f59fdd5eaf77fcd3cf5353a422ebed3a9bcea53bad1f9363121a2c3e912be00fb3577af0ab0700156a76325fe3ce038a3c91fa416bb318a270bf

Download Submit
C:\surrogatewebDriverPerfdll\portRuntimedll.exe

Filesize
1.9MB

MD5
5d8b6304415990e22a07694f005ea272

SHA1
93e356cac768aad2bb3c614cc3a22825064a5e42

SHA256
ee7ed4e85816e7b6d1587065b4c3c4885082a67e7a1deee08928b903db253cbf

SHA512
f04caa5285b55dbbebee789fcec122d164a5ea541e5b57d05808cff7705508eb716f3e20248dc1659236af37b1f5d64d923d5333d6c0e956d71ebaf879eb04a4

Download Submit
C:\surrogatewebDriverPerfdll\sBHMgLRm.bat

Filesize
88B

MD5
64970882419ad8bc36002ab5bc472a7c

SHA1
10ca95dbb24607f3eafaf27d9233acccd3d929ff

SHA256
cede47cf582f74d4b064d589b94a832a6260a2dc71633ccadb55782ae17e193c

SHA512
09e5b6a4c5158c33eb84d13831eec7c4cd2670b5a810a083667557dc04bcd666e440988e2584ccafa7b8308c6d38c544483752b36cc3d4ea2abf24793ffcb2f3

Download Submit
memory/760-495-0x00000175778E0000-0x0000017577995000-memory.dmp

Filesize
724KB

Download
memory/3104-428-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3104-421-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3104-420-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3104-424-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3104-423-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3104-422-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3324-384-0x000001A9D6DA0000-0x000001A9D6E55000-memory.dmp

Filesize
724KB

Download
memory/3620-50-0x000000001B600000-0x000000001B650000-memory.dmp

Filesize
320KB

Download
memory/3620-52-0x0000000002B80000-0x0000000002B98000-memory.dmp

Filesize
96KB

Download
memory/3620-54-0x0000000001280000-0x000000000128E000-memory.dmp

Filesize
56KB

Download
memory/3620-58-0x0000000002B50000-0x0000000002B5C000-memory.dmp

Filesize
48KB

Download
memory/3620-49-0x0000000002B60000-0x0000000002B7C000-memory.dmp

Filesize
112KB

Download
memory/3620-56-0x0000000002B40000-0x0000000002B4E000-memory.dmp

Filesize
56KB

Download
memory/3620-47-0x0000000001270000-0x000000000127E000-memory.dmp

Filesize
56KB

Download
memory/3620-45-0x0000000000840000-0x0000000000A30000-memory.dmp

Filesize
1.9MB

Download
memory/3828-316-0x000001849A5D0000-0x000001849A5DA000-memory.dmp

Filesize
40KB

Download
memory/3828-315-0x000001849A510000-0x000001849A5C5000-memory.dmp

Filesize
724KB

Download
memory/3828-314-0x000001849A4F0000-0x000001849A50C000-memory.dmp

Filesize
112KB

Download
memory/4240-349-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-341-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-347-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-348-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-351-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-352-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-353-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-350-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-342-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4240-343-0x000001EE11E70000-0x000001EE11E71000-memory.dmp

Filesize
4KB

Download
memory/4508-78-0x000001E71A910000-0x000001E71A932000-memory.dmp

Filesize
136KB

Download
memory/4812-358-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-331-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-330-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-332-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-335-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-334-0x0000000000F10000-0x0000000000F30000-memory.dmp

Filesize
128KB

Download
memory/4812-336-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-338-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-337-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-360-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-333-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-329-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-339-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4812-327-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4936-274-0x00007FFDD18A0000-0x00007FFDD2362000-memory.dmp

Filesize
10.8MB

Download
memory/4936-7-0x00007FFDD18A0000-0x00007FFDD2362000-memory.dmp

Filesize
10.8MB

Download
memory/4936-5-0x0000000000190000-0x0000000000748000-memory.dmp

Filesize
5.7MB

Download
memory/4936-4-0x00007FFDD18A3000-0x00007FFDD18A5000-memory.dmp

Filesize
8KB

Download
memory/5156-326-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5156-319-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5156-320-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5156-321-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5156-322-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5156-323-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/6028-340-0x000000001C250000-0x000000001C364000-memory.dmp

Filesize
1.1MB

Download