dcrat | 86194a8ed91334b0bbaa2ba6918b6962af890be554429c2d1b97a3eb009ea988

Analysis

max time kernel
135s
max time network
160s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12-12-2022 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
Size

2.0MB
MD5

8468c0223b7665174d19866d33ae9731
SHA1

b261b25063f61b7194310d62912596df732ebbb7
SHA256

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83
SHA512

77397cc18ba208256e9fc4ebd182a197f6fc2f71e17ae737b0ab3bfa8c09d3da6a3ae30076a1bfaea9bd4889402f5e897f3b751cf86e8e12fd59f85f48613eb6
SSDEEP

49152:ubA3j3+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvK:ubdTHUxUoh1IF9gl2x

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1068	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
behavioral1/memory/1348-65-0x0000000000960000-0x0000000000B20000-memory.dmp	dcrat
C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe	dcrat
behavioral1/memory/1488-141-0x0000000001130000-0x00000000012F0000-memory.dmp	dcrat
C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts SurrogateDll.exe
Executes dropped EXE 2 IoCs

Processes:

SurrogateDll.exespoolsv.exe

pid process

1348 SurrogateDll.exe
1488 spoolsv.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

376 cmd.exe
376 cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

pid	process
376	cmd.exe
376	cmd.exe

Drops file in Program Files directory 30 IoCs

Processes:

SurrogateDll.exe

description	ioc	process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Uninstall Information\winlogon.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC942.tmp	SurrogateDll.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXC25E.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX72B7.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\RCXAC4A.tmp	SurrogateDll.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	SurrogateDll.exe
File created	C:\Program Files\Uninstall Information\088424020bedd6	SurrogateDll.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\75a57c1bdf437c	SurrogateDll.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\f3b6ecef712a24	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Mail\lsass.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX6221.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXCBF1.tmp	SurrogateDll.exe
File created	C:\Program Files\Uninstall Information\conhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX7576.tmp	SurrogateDll.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX5F43.tmp	SurrogateDll.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Mail\6203df4a6bafc7	SurrogateDll.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6914.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Uninstall Information\conhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXBFAE.tmp	SurrogateDll.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	SurrogateDll.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6BC4.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\RCXAEF9.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsass.exe	SurrogateDll.exe

Drops file in Windows directory 6 IoCs

Processes:

SurrogateDll.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\101b941d020240	SurrogateDll.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXEFAE.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXF46F.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\lsm.exe	SurrogateDll.exe
File created	C:\Windows\schemas\EAPMethods\SurrogateDll.exe	SurrogateDll.exe
File created	C:\Windows\Prefetch\ReadyBoot\lsm.exe	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1980	schtasks.exe
2424	schtasks.exe
2448	schtasks.exe
1624	schtasks.exe
1632	schtasks.exe
2308	schtasks.exe
1924	schtasks.exe
1636	schtasks.exe
844	schtasks.exe
1624	schtasks.exe
2184	schtasks.exe
936	schtasks.exe
1736	schtasks.exe
1252	schtasks.exe
1104	schtasks.exe
908	schtasks.exe
2072	schtasks.exe
2140	schtasks.exe
840	schtasks.exe
1936	schtasks.exe
1412	schtasks.exe
912	schtasks.exe
1000	schtasks.exe
816	schtasks.exe
2112	schtasks.exe
2352	schtasks.exe
1868	schtasks.exe
1100	schtasks.exe
1020	schtasks.exe
2280	schtasks.exe
2328	schtasks.exe
2496	schtasks.exe
1792	schtasks.exe
1372	schtasks.exe
2372	schtasks.exe
2516	schtasks.exe
2540	schtasks.exe
784	schtasks.exe
2472	schtasks.exe
340	schtasks.exe
2160	schtasks.exe
2232	schtasks.exe
2404	schtasks.exe
1712	schtasks.exe
2024	schtasks.exe
2036	schtasks.exe
708	schtasks.exe
1876	schtasks.exe
2088	schtasks.exe
2256	schtasks.exe
1488	schtasks.exe
1540	schtasks.exe
1932	schtasks.exe
2208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exe

pid	process
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe
1348	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

SurrogateDll.exespoolsv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1348	SurrogateDll.exe
Token: SeDebugPrivilege	1488	spoolsv.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exeWScript.execmd.exeSurrogateDll.execmd.exespoolsv.exe

description	pid	process	target process
PID 1748 wrote to memory of 700	1748	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	WScript.exe
PID 1748 wrote to memory of 700	1748	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	WScript.exe
PID 1748 wrote to memory of 700	1748	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	WScript.exe
PID 1748 wrote to memory of 700	1748	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	WScript.exe
PID 700 wrote to memory of 376	700	WScript.exe	cmd.exe
PID 700 wrote to memory of 376	700	WScript.exe	cmd.exe
PID 700 wrote to memory of 376	700	WScript.exe	cmd.exe
PID 700 wrote to memory of 376	700	WScript.exe	cmd.exe
PID 376 wrote to memory of 1348	376	cmd.exe	SurrogateDll.exe
PID 376 wrote to memory of 1348	376	cmd.exe	SurrogateDll.exe
PID 376 wrote to memory of 1348	376	cmd.exe	SurrogateDll.exe
PID 376 wrote to memory of 1348	376	cmd.exe	SurrogateDll.exe
PID 1348 wrote to memory of 2588	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2588	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2588	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2600	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2600	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2600	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2612	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2612	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2612	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2640	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2640	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2640	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2668	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2668	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2668	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2692	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2692	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2692	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2712	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2712	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2712	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2732	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2732	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2732	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2752	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2752	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2752	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2772	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2772	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2772	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2784	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2784	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2784	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2812	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2812	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2812	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2824	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2824	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2824	1348	SurrogateDll.exe	powershell.exe
PID 1348 wrote to memory of 2936	1348	SurrogateDll.exe	cmd.exe
PID 1348 wrote to memory of 2936	1348	SurrogateDll.exe	cmd.exe
PID 1348 wrote to memory of 2936	1348	SurrogateDll.exe	cmd.exe
PID 2936 wrote to memory of 1928	2936	cmd.exe	w32tm.exe
PID 2936 wrote to memory of 1928	2936	cmd.exe	w32tm.exe
PID 2936 wrote to memory of 1928	2936	cmd.exe	w32tm.exe
PID 2936 wrote to memory of 1488	2936	cmd.exe	spoolsv.exe
PID 2936 wrote to memory of 1488	2936	cmd.exe	spoolsv.exe
PID 2936 wrote to memory of 1488	2936	cmd.exe	spoolsv.exe
PID 1488 wrote to memory of 2072	1488	spoolsv.exe	WScript.exe
PID 1488 wrote to memory of 2072	1488	spoolsv.exe	WScript.exe
PID 1488 wrote to memory of 2072	1488	spoolsv.exe	WScript.exe
PID 1488 wrote to memory of 1704	1488	spoolsv.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
"C:\Users\Admin\AppData\Local\Temp\915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lCmUOlcCK8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1928
      - C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac4ad1c6-afa3-42a3-ab65-ff9f7fd4a961.vbs"
        7⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38569b75-acc8-4368-b62b-5f4d38dc79de.vbs"
        7⤵
        
        PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 14 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\SurrogateDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDll" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 8 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\agentBrowsersavesRefBroker\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\agentBrowsersavesRefBroker\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\agentBrowsersavesRefBroker\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Favorites\Links for United States\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links for United States\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links for United States\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe

Filesize
1.7MB

MD5
7ec4c8274f0fd8998be1542215f0fda5

SHA1
13df27cbdfe34779c33a82881770983e63855154

SHA256
a08e5a817631655b812ea4cfff7a5277eaf990703f6e8bc427c81e91b84466ab

SHA512
fbd247a73f8ef31e64ea952f6357d62e2064beb2951cb6a71af9222feb6587396e343f177fbee0fc6278e0fce3c0ddb0588c89d3c0d96bfa549fe38d5621276b

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Updater6\spoolsv.exe

Filesize
1.7MB

MD5
7ec4c8274f0fd8998be1542215f0fda5

SHA1
13df27cbdfe34779c33a82881770983e63855154

SHA256
a08e5a817631655b812ea4cfff7a5277eaf990703f6e8bc427c81e91b84466ab

SHA512
fbd247a73f8ef31e64ea952f6357d62e2064beb2951cb6a71af9222feb6587396e343f177fbee0fc6278e0fce3c0ddb0588c89d3c0d96bfa549fe38d5621276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\38569b75-acc8-4368-b62b-5f4d38dc79de.vbs

Filesize
514B

MD5
7bd679d24b08a1114017ed0777f327c6

SHA1
cb72b2dbb6138424e91f0f7e07e3d841466da8fa

SHA256
8ca363a8b6e7a9ba8ac8851c5925ef6cd8493e807a7b7b56281225fbbbc45afd

SHA512
42e367b2f3a611b858cea74a9c998aeca3ebac54acad98d628718bf5300b1f5ff25622468850e10bcdc53c47ee0739d52179e495d3cdb5a8a2d6f234b55c8932

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac4ad1c6-afa3-42a3-ab65-ff9f7fd4a961.vbs

Filesize
738B

MD5
cf19d180bd7851c9f9fef3f7d69fceed

SHA1
485f2a9ffa10d7a6f5bd9bfdccb7ba2365e0cdda

SHA256
6ef7fdd48cc812fba5f54a9042c1078185f0eec44a194a6cbb56af74e62db247

SHA512
efa0d19c9c934945d3bf7de86ad4bab6b3ab31a76dc14caea94974a190cd122fe6dc8fb5e3114b4706af8e90431444aecc761753cf06d94008e843f53c0938a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCmUOlcCK8.bat

Filesize
227B

MD5
111c59daf2b06a1f619042029c6ea5b5

SHA1
03be61446ffaa8abb70cc840e72a6d5b86b4dde1

SHA256
836503679eb441761a18d07292e116971473b0c20383b017f2b043349fab4b90

SHA512
1cce1f49783322202d4221e13a58cca145734c58ca3b3ddf77e74029728f2609b3d2f1b14f85654dfc71ac10b143880546cd9e097a1024b401b783acc016bfea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae34f9f871d5484468ff858c8182d613

SHA1
9a3dc0d9062713bcd4b7f84da81c39d54ff0080b

SHA256
22729f53743ddf0d448b260f718295a4e8c987328d83a39d3be8fbcd8139a5f9

SHA512
cbf7bb7e21872e5bc85eea72bed13cc4f48d5f80822b919f9c7311e8f7ea4a80fb1e33122292117c08b9f27b24de00e33a24f100a4b538c1c4862e00f0fe0404

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe

Filesize
223B

MD5
9403175bdfbadf333200b08d0f9a97e4

SHA1
c3383de367a292b0b2d12659468b7aa53985171d

SHA256
3185c369451bdae7ed017894d541c6957d5b583b4a31a8efd288cfe4ff457f87

SHA512
65ca9bdc7f0c2d9ddae0c2f6253386587f5e41fd0a1353a11c43c7352d6b218ad3b87160b536839f10bd2a6cd78d89053e77e3686284a5e66d7dd3ffd2176002

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
memory/376-59-0x0000000000000000-mapping.dmp

Download
memory/700-55-0x0000000000000000-mapping.dmp

Download
memory/1348-121-0x00000000005C6000-0x00000000005E5000-memory.dmp

Filesize
124KB

Download
memory/1348-76-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/1348-70-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1348-69-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/1348-71-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/1348-72-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1348-81-0x00000000005C6000-0x00000000005E5000-memory.dmp

Filesize
124KB

Download
memory/1348-68-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1348-63-0x0000000000000000-mapping.dmp

Download
memory/1348-67-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/1348-73-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1348-65-0x0000000000960000-0x0000000000B20000-memory.dmp

Filesize
1.8MB

Download
memory/1348-66-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/1348-74-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1348-75-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1348-77-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1348-80-0x00000000005C6000-0x00000000005E5000-memory.dmp

Filesize
124KB

Download
memory/1348-78-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1348-79-0x00000000021C0000-0x00000000021CC000-memory.dmp

Filesize
48KB

Download
memory/1488-148-0x000000001B1A6000-0x000000001B1C5000-memory.dmp

Filesize
124KB

Download
memory/1488-141-0x0000000001130000-0x00000000012F0000-memory.dmp

Filesize
1.8MB

Download
memory/1488-138-0x0000000000000000-mapping.dmp

Download
memory/1488-142-0x000000001B1A6000-0x000000001B1C5000-memory.dmp

Filesize
124KB

Download
memory/1704-158-0x0000000000000000-mapping.dmp

Download
memory/1748-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1928-120-0x0000000000000000-mapping.dmp

Download
memory/2072-157-0x0000000000000000-mapping.dmp

Download
memory/2588-162-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/2588-126-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2588-82-0x0000000000000000-mapping.dmp

Download
memory/2588-113-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2588-161-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2588-127-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2588-149-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/2600-170-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2600-146-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2600-163-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/2600-83-0x0000000000000000-mapping.dmp

Download
memory/2600-129-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2600-95-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/2600-135-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2600-167-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/2612-144-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2612-164-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/2612-152-0x000000001B930000-0x000000001BC2F000-memory.dmp

Filesize
3.0MB

Download
memory/2612-134-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2612-130-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2612-84-0x0000000000000000-mapping.dmp

Download
memory/2612-165-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2640-143-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2640-128-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2640-181-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2640-187-0x000000000277B000-0x000000000279A000-memory.dmp

Filesize
124KB

Download
memory/2640-133-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2640-85-0x0000000000000000-mapping.dmp

Download
memory/2640-153-0x000000001BA30000-0x000000001BD2F000-memory.dmp

Filesize
3.0MB

Download
memory/2668-198-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2668-192-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2668-86-0x0000000000000000-mapping.dmp

Download
memory/2668-205-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/2668-193-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2668-211-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2668-212-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/2692-202-0x000000001B8F0000-0x000000001BBEF000-memory.dmp

Filesize
3.0MB

Download
memory/2692-208-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2692-209-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/2692-87-0x0000000000000000-mapping.dmp

Download
memory/2692-204-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/2692-189-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2692-176-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2692-184-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2712-190-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2712-207-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/2712-177-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2712-174-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2712-88-0x0000000000000000-mapping.dmp

Download
memory/2712-203-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/2712-206-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2732-132-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2732-139-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2732-179-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2732-185-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/2732-89-0x0000000000000000-mapping.dmp

Download
memory/2732-147-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2752-136-0x0000000001EE4000-0x0000000001EE7000-memory.dmp

Filesize
12KB

Download
memory/2752-154-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2752-145-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2752-180-0x0000000001EE4000-0x0000000001EE7000-memory.dmp

Filesize
12KB

Download
memory/2752-131-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2752-186-0x0000000001EEB000-0x0000000001F0A000-memory.dmp

Filesize
124KB

Download
memory/2752-90-0x0000000000000000-mapping.dmp

Download
memory/2772-210-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/2772-201-0x0000000002084000-0x0000000002087000-memory.dmp

Filesize
12KB

Download
memory/2772-213-0x000000000208B000-0x00000000020AA000-memory.dmp

Filesize
124KB

Download
memory/2772-91-0x0000000000000000-mapping.dmp

Download
memory/2772-214-0x0000000002084000-0x0000000002087000-memory.dmp

Filesize
12KB

Download
memory/2772-195-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2772-196-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2784-122-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2784-124-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/2784-169-0x00000000023CB000-0x00000000023EA000-memory.dmp

Filesize
124KB

Download
memory/2784-168-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/2784-115-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2784-151-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2784-92-0x0000000000000000-mapping.dmp

Download
memory/2812-93-0x0000000000000000-mapping.dmp

Download
memory/2812-175-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2812-200-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/2812-183-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/2812-171-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2812-199-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2812-197-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/2812-188-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2824-123-0x000007FEF5A30000-0x000007FEF658D000-memory.dmp

Filesize
11.4MB

Download
memory/2824-182-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2824-125-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2824-178-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2824-150-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2824-108-0x000007FEEAF70000-0x000007FEEB993000-memory.dmp

Filesize
10.1MB

Download
memory/2824-94-0x0000000000000000-mapping.dmp

Download
memory/2936-97-0x0000000000000000-mapping.dmp

Download