dcrat | b95be0f98df652640e019ce8bc06dc4999399305834f1b75e981dd7c5a1c0423

Analysis

max time kernel
114s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12-12-2022 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
Size

2.0MB
MD5

fc9ea28a3c3659c4200e442d20198458
SHA1

79ede873cd08d5941e54524dd85b5add0a79bd7c
SHA256

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0
SHA512

c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17
SSDEEP

49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1880	schtasks.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
behavioral1/memory/656-65-0x0000000000C70000-0x0000000000E30000-memory.dmp	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
behavioral1/memory/2284-126-0x00000000012C0000-0x0000000001480000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe	dcrat
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe	dcrat
behavioral1/memory/472-255-0x0000000000270000-0x0000000000430000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts SurrogateDll.exe
Executes dropped EXE 2 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exe

pid process

656 SurrogateDll.exe
2284 SurrogateDll.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

788 cmd.exe
788 cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

pid	process
788	cmd.exe
788	cmd.exe

Drops file in Program Files directory 22 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\conhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\conhost.exe	SurrogateDll.exe
File created	C:\Program Files\Windows Defender\es-ES\spoolsv.exe	SurrogateDll.exe
File created	C:\Program Files\Windows Defender\es-ES\f3b6ecef712a24	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\6203df4a6bafc7	SurrogateDll.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe	SurrogateDll.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\24dbde2999530e	SurrogateDll.exe
File created	C:\Program Files\VideoLAN\VLC\088424020bedd6	SurrogateDll.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe	SurrogateDll.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\69ddcba757bf72	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX3393.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCX3652.tmp	SurrogateDll.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX3D55.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\spoolsv.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\RCX4014.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe	SurrogateDll.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\24dbde2999530e	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
936	schtasks.exe
524	schtasks.exe
2448	schtasks.exe
2720	schtasks.exe
2296	schtasks.exe
3044	schtasks.exe
1064	schtasks.exe
1016	schtasks.exe
1012	schtasks.exe
940	schtasks.exe
3052	schtasks.exe
1120	schtasks.exe
2712	schtasks.exe
2932	schtasks.exe
2620	schtasks.exe
908	schtasks.exe
2372	schtasks.exe
2532	schtasks.exe
2768	schtasks.exe
2824	schtasks.exe
2888	schtasks.exe
2848	schtasks.exe
2932	schtasks.exe
3028	schtasks.exe
1920	schtasks.exe
2408	schtasks.exe
1676	schtasks.exe
2416	schtasks.exe
2984	schtasks.exe
2560	schtasks.exe
2892	schtasks.exe
816	schtasks.exe
2868	schtasks.exe
3008	schtasks.exe
2756	schtasks.exe
1660	schtasks.exe
2640	schtasks.exe
2912	schtasks.exe
1480	schtasks.exe
2440	schtasks.exe
2556	schtasks.exe
2804	schtasks.exe
2964	schtasks.exe
620	schtasks.exe
2476	schtasks.exe
3040	schtasks.exe
2776	schtasks.exe
2164	schtasks.exe
2300	schtasks.exe
428	schtasks.exe
1956	schtasks.exe
2496	schtasks.exe
2692	schtasks.exe
1540	schtasks.exe
1672	schtasks.exe
3000	schtasks.exe
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exe

pid	process
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
656	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe
2284	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	656	SurrogateDll.exe
Token: SeDebugPrivilege	2284	SurrogateDll.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exeWScript.execmd.exeSurrogateDll.exeschtasks.exeSurrogateDll.exe

description	pid	process	target process
PID 1640 wrote to memory of 1432	1640	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	WScript.exe
PID 1640 wrote to memory of 1432	1640	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	WScript.exe
PID 1640 wrote to memory of 1432	1640	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	WScript.exe
PID 1640 wrote to memory of 1432	1640	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	WScript.exe
PID 1432 wrote to memory of 788	1432	WScript.exe	cmd.exe
PID 1432 wrote to memory of 788	1432	WScript.exe	cmd.exe
PID 1432 wrote to memory of 788	1432	WScript.exe	cmd.exe
PID 1432 wrote to memory of 788	1432	WScript.exe	cmd.exe
PID 788 wrote to memory of 656	788	cmd.exe	SurrogateDll.exe
PID 788 wrote to memory of 656	788	cmd.exe	SurrogateDll.exe
PID 788 wrote to memory of 656	788	cmd.exe	SurrogateDll.exe
PID 788 wrote to memory of 656	788	cmd.exe	SurrogateDll.exe
PID 656 wrote to memory of 1604	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1604	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1604	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1608	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1608	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1608	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 2012	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 2012	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 2012	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 432	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 432	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 432	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1432	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1432	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1432	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 616	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 616	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 616	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1736	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1736	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1736	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 884	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 884	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 884	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 748	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 748	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 748	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1936	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1936	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1936	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1356	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1356	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1356	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1296	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1296	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1296	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1628	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1628	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 1628	656	SurrogateDll.exe	powershell.exe
PID 656 wrote to memory of 620	656	SurrogateDll.exe	cmd.exe
PID 656 wrote to memory of 620	656	SurrogateDll.exe	cmd.exe
PID 656 wrote to memory of 620	656	SurrogateDll.exe	cmd.exe
PID 620 wrote to memory of 2156	620	schtasks.exe	w32tm.exe
PID 620 wrote to memory of 2156	620	schtasks.exe	w32tm.exe
PID 620 wrote to memory of 2156	620	schtasks.exe	w32tm.exe
PID 620 wrote to memory of 2284	620	schtasks.exe	SurrogateDll.exe
PID 620 wrote to memory of 2284	620	schtasks.exe	SurrogateDll.exe
PID 620 wrote to memory of 2284	620	schtasks.exe	SurrogateDll.exe
PID 2284 wrote to memory of 3028	2284	SurrogateDll.exe	powershell.exe
PID 2284 wrote to memory of 3028	2284	SurrogateDll.exe	powershell.exe
PID 2284 wrote to memory of 3028	2284	SurrogateDll.exe	powershell.exe
PID 2284 wrote to memory of 280	2284	SurrogateDll.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
"C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O8ZRDzv39S.bat"
        5⤵
        
        PID:620
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2156
      - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
        
        "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        
        PID:280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        7⤵
        
        PID:1404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        
        PID:524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        
        PID:620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        
        PID:2520
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe"
        7⤵
        
        PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\agentBrowsersavesRefBroker\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Links\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\agentBrowsersavesRefBroker\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\Music\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Music\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\agentBrowsersavesRefBroker\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\agentBrowsersavesRefBroker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\All Users\Templates\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\O8ZRDzv39S.bat

Filesize
211B

MD5
dde00790e6f0af0d031c36ecacfef1eb

SHA1
3a1db0f0ae156fbbb9a4e61d41dfec9c5514d4c3

SHA256
bdeaa948bad745c8d2f795c973ada7d1497ce7d55797db2d1eb6263126e07334

SHA512
1195ab4f3de5d6cd4f1da9c0d2ad99638390fc387d4d08e889e18793ae603ab9bc4442546849c5ed3873c1b44b747263941e8a5700a69de488909a58b48fe78e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
426e2447ad4ab3c2dfc23560385d0ca3

SHA1
a7eaa919a39f6eb2b40d4e426e4c698317bf746b

SHA256
f9f5b47144595e36183732b7fd4e5605e4f358e83c8017c4e438a1b8de9b3fb0

SHA512
6a925449144a5502246441ff03171fc34fef145da7f9ba09e24a1f1c6b706c74ed5119c7b1410f1d2012037c1e812dc28baa1c9d54a79b2be3b54b5218c5cd9a

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe

Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
memory/280-205-0x0000000000000000-mapping.dmp

Download
memory/300-240-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/300-209-0x0000000000000000-mapping.dmp

Download
memory/300-226-0x000007FEEAE10000-0x000007FEEB833000-memory.dmp

Filesize
10.1MB

Download
memory/432-190-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/432-150-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/432-191-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/432-167-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/432-145-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/432-160-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/432-84-0x0000000000000000-mapping.dmp

Download
memory/472-246-0x0000000000000000-mapping.dmp

Download
memory/472-255-0x0000000000270000-0x0000000000430000-memory.dmp

Filesize
1.8MB

Download
memory/524-211-0x0000000000000000-mapping.dmp

Download
memory/616-148-0x0000000001FF4000-0x0000000001FF7000-memory.dmp

Filesize
12KB

Download
memory/616-157-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/616-164-0x000000001BA30000-0x000000001BD2F000-memory.dmp

Filesize
3.0MB

Download
memory/616-86-0x0000000000000000-mapping.dmp

Download
memory/616-168-0x0000000001FFB000-0x000000000201A000-memory.dmp

Filesize
124KB

Download
memory/616-173-0x0000000001FF4000-0x0000000001FF7000-memory.dmp

Filesize
12KB

Download
memory/616-175-0x0000000001FFB000-0x000000000201A000-memory.dmp

Filesize
124KB

Download
memory/616-142-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/620-99-0x0000000000000000-mapping.dmp

Download
memory/620-213-0x0000000000000000-mapping.dmp

Download
memory/656-79-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/656-75-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/656-114-0x000000001B1B6000-0x000000001B1D5000-memory.dmp

Filesize
124KB

Download
memory/656-71-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/656-77-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/656-73-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/656-72-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/656-78-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/656-67-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/656-76-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/656-74-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/656-70-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/656-63-0x0000000000000000-mapping.dmp

Download
memory/656-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/656-69-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/656-65-0x0000000000C70000-0x0000000000E30000-memory.dmp

Filesize
1.8MB

Download
memory/656-66-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/656-80-0x000000001B1B6000-0x000000001B1D5000-memory.dmp

Filesize
124KB

Download
memory/748-152-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/748-186-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/748-141-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/748-163-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/748-89-0x0000000000000000-mapping.dmp

Download
memory/748-169-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/748-188-0x00000000026CB000-0x00000000026EA000-memory.dmp

Filesize
124KB

Download
memory/788-59-0x0000000000000000-mapping.dmp

Download
memory/884-147-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/884-181-0x000000001B9A0000-0x000000001BC9F000-memory.dmp

Filesize
3.0MB

Download
memory/884-88-0x0000000000000000-mapping.dmp

Download
memory/884-193-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/884-195-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/908-207-0x0000000000000000-mapping.dmp

Download
memory/1296-92-0x0000000000000000-mapping.dmp

Download
memory/1296-171-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/1296-137-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1296-192-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1296-194-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1296-132-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1296-124-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1356-91-0x0000000000000000-mapping.dmp

Download
memory/1356-133-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1356-146-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1356-198-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1356-159-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1356-199-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/1404-206-0x0000000000000000-mapping.dmp

Download
memory/1404-252-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1432-139-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1432-170-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1432-128-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1432-55-0x0000000000000000-mapping.dmp

Download
memory/1432-85-0x0000000000000000-mapping.dmp

Download
memory/1432-182-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1432-183-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/1432-158-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-214-0x0000000000000000-mapping.dmp

Download
memory/1580-212-0x0000000000000000-mapping.dmp

Download
memory/1604-180-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1604-156-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1604-178-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/1604-107-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1604-140-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/1604-81-0x0000000000000000-mapping.dmp

Download
memory/1604-165-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1608-200-0x00000000025C4000-0x00000000025C7000-memory.dmp

Filesize
12KB

Download
memory/1608-202-0x00000000025CB000-0x00000000025EA000-memory.dmp

Filesize
124KB

Download
memory/1608-138-0x00000000025C4000-0x00000000025C7000-memory.dmp

Filesize
12KB

Download
memory/1608-94-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1608-106-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1608-82-0x0000000000000000-mapping.dmp

Download
memory/1608-155-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1628-129-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1628-93-0x0000000000000000-mapping.dmp

Download
memory/1628-174-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/1628-197-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/1628-196-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1628-134-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/1628-130-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1640-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1736-144-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1736-149-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1736-187-0x000000000237B000-0x000000000239A000-memory.dmp

Filesize
124KB

Download
memory/1736-189-0x0000000002374000-0x0000000002377000-memory.dmp

Filesize
12KB

Download
memory/1736-87-0x0000000000000000-mapping.dmp

Download
memory/1736-172-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/1736-162-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1936-151-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1936-179-0x000000001B900000-0x000000001BBFF000-memory.dmp

Filesize
3.0MB

Download
memory/1936-135-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/1936-154-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/1936-203-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/1936-90-0x0000000000000000-mapping.dmp

Download
memory/1936-201-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/1940-208-0x0000000000000000-mapping.dmp

Download
memory/2012-184-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/2012-185-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/2012-136-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/2012-108-0x000007FEEA7E0000-0x000007FEEB203000-memory.dmp

Filesize
10.1MB

Download
memory/2012-131-0x000007FEE8CB0000-0x000007FEE980D000-memory.dmp

Filesize
11.4MB

Download
memory/2012-83-0x0000000000000000-mapping.dmp

Download
memory/2012-166-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2152-210-0x0000000000000000-mapping.dmp

Download
memory/2156-117-0x0000000000000000-mapping.dmp

Download
memory/2284-127-0x000000001B0A6000-0x000000001B0C5000-memory.dmp

Filesize
124KB

Download
memory/2284-153-0x000000001B0A6000-0x000000001B0C5000-memory.dmp

Filesize
124KB

Download
memory/2284-126-0x00000000012C0000-0x0000000001480000-memory.dmp

Filesize
1.8MB

Download
memory/2284-123-0x0000000000000000-mapping.dmp

Download
memory/2432-217-0x0000000000000000-mapping.dmp

Download
memory/2520-227-0x0000000000000000-mapping.dmp

Download
memory/3028-204-0x0000000000000000-mapping.dmp

Download
memory/3028-256-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download