dcrat | 915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12-12-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
Size

2.0MB
MD5

8468c0223b7665174d19866d33ae9731
SHA1

b261b25063f61b7194310d62912596df732ebbb7
SHA256

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83
SHA512

77397cc18ba208256e9fc4ebd182a197f6fc2f71e17ae737b0ab3bfa8c09d3da6a3ae30076a1bfaea9bd4889402f5e897f3b751cf86e8e12fd59f85f48613eb6
SSDEEP

49152:ubA3j3+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvK:ubdTHUxUoh1IF9gl2x

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3904	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3904	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
behavioral1/memory/5000-281-0x0000000000260000-0x0000000000420000-memory.dmp	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe	dcrat
C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts SurrogateDll.exe
Executes dropped EXE 3 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exepowershell.exe

pid process

5000 SurrogateDll.exe
3812 SurrogateDll.exe
2200 powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SurrogateDll.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation	SurrogateDll.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 3 IoCs

Processes:

SurrogateDll.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\e978f868350d50	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe	SurrogateDll.exe

Drops file in Windows directory 13 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exe

description	ioc	process
File created	C:\Windows\LiveKernelReports\conhost.exe	SurrogateDll.exe
File opened for modification	C:\Windows\LiveKernelReports\conhost.exe	SurrogateDll.exe
File created	C:\Windows\LiveKernelReports\088424020bedd6	SurrogateDll.exe
File created	C:\Windows\es-ES\e6c9b481da804f	SurrogateDll.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX9B2E.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\es-ES\RCXA3CE.tmp	SurrogateDll.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\powershell.exe	SurrogateDll.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\powershell.exe	SurrogateDll.exe
File created	C:\Windows\es-ES\OfficeClickToRun.exe	SurrogateDll.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX9AA1.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\es-ES\RCXA44C.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\es-ES\OfficeClickToRun.exe	SurrogateDll.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\e978f868350d50	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4920	schtasks.exe
4440	schtasks.exe
4644	schtasks.exe
1276	schtasks.exe
4920	schtasks.exe
712	schtasks.exe
4812	schtasks.exe
3024	schtasks.exe
4668	schtasks.exe
4764	schtasks.exe
2200	schtasks.exe
4960	schtasks.exe
4196	schtasks.exe
4832	schtasks.exe
4032	schtasks.exe
4320	schtasks.exe
2148	schtasks.exe
4844	schtasks.exe
3996	schtasks.exe
4420	schtasks.exe
2172	schtasks.exe
3740	schtasks.exe
1780	schtasks.exe
3232	schtasks.exe
3916	schtasks.exe
4652	schtasks.exe
4660	schtasks.exe

Modifies registry class 4 IoCs

Processes:

SurrogateDll.exepowershell.exe915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exeSurrogateDll.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	SurrogateDll.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	SurrogateDll.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exeschtasks.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
4320	powershell.exe
4404	powershell.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
4320	powershell.exe
4320	powershell.exe
4404	powershell.exe
4404	powershell.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
5000	SurrogateDll.exe
4320	schtasks.exe
4404	powershell.exe
664	powershell.exe
664	powershell.exe
2916	powershell.exe
4412	powershell.exe
2916	powershell.exe
4412	powershell.exe
664	powershell.exe
868	powershell.exe
868	powershell.exe
60	powershell.exe
60	powershell.exe
4412	powershell.exe
3188	powershell.exe
3188	powershell.exe
760	powershell.exe
760	powershell.exe
3960	powershell.exe
3960	powershell.exe
220	powershell.exe
220	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

powershell.exe

pid process

2200 powershell.exe

pid	process
2200	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeschtasks.exe

description	pid	process
Token: SeDebugPrivilege	5000	SurrogateDll.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeIncreaseQuotaPrivilege	4320	schtasks.exe
Token: SeSecurityPrivilege	4320	schtasks.exe
Token: SeTakeOwnershipPrivilege	4320	schtasks.exe
Token: SeLoadDriverPrivilege	4320	schtasks.exe
Token: SeSystemProfilePrivilege	4320	schtasks.exe
Token: SeSystemtimePrivilege	4320	schtasks.exe
Token: SeProfSingleProcessPrivilege	4320	schtasks.exe
Token: SeIncBasePriorityPrivilege	4320	schtasks.exe
Token: SeCreatePagefilePrivilege	4320	schtasks.exe
Token: SeBackupPrivilege	4320	schtasks.exe
Token: SeRestorePrivilege	4320	schtasks.exe
Token: SeShutdownPrivilege	4320	schtasks.exe
Token: SeDebugPrivilege	4320	schtasks.exe
Token: SeSystemEnvironmentPrivilege	4320	schtasks.exe
Token: SeRemoteShutdownPrivilege	4320	schtasks.exe
Token: SeUndockPrivilege	4320	schtasks.exe
Token: SeManageVolumePrivilege	4320	schtasks.exe
Token: 33	4320	schtasks.exe
Token: 34	4320	schtasks.exe
Token: 35	4320	schtasks.exe
Token: 36	4320	schtasks.exe
Token: SeIncreaseQuotaPrivilege	4404	powershell.exe
Token: SeSecurityPrivilege	4404	powershell.exe
Token: SeTakeOwnershipPrivilege	4404	powershell.exe
Token: SeLoadDriverPrivilege	4404	powershell.exe
Token: SeSystemProfilePrivilege	4404	powershell.exe
Token: SeSystemtimePrivilege	4404	powershell.exe
Token: SeProfSingleProcessPrivilege	4404	powershell.exe
Token: SeIncBasePriorityPrivilege	4404	powershell.exe
Token: SeCreatePagefilePrivilege	4404	powershell.exe
Token: SeBackupPrivilege	4404	powershell.exe
Token: SeRestorePrivilege	4404	powershell.exe
Token: SeShutdownPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeSystemEnvironmentPrivilege	4404	powershell.exe
Token: SeRemoteShutdownPrivilege	4404	powershell.exe
Token: SeUndockPrivilege	4404	powershell.exe
Token: SeManageVolumePrivilege	4404	powershell.exe
Token: 33	4404	powershell.exe
Token: 34	4404	powershell.exe
Token: 35	4404	powershell.exe
Token: 36	4404	powershell.exe
Token: SeIncreaseQuotaPrivilege	4412	powershell.exe
Token: SeSecurityPrivilege	4412	powershell.exe
Token: SeTakeOwnershipPrivilege	4412	powershell.exe
Token: SeLoadDriverPrivilege	4412	powershell.exe
Token: SeSystemProfilePrivilege	4412	powershell.exe
Token: SeSystemtimePrivilege	4412	powershell.exe
Token: SeProfSingleProcessPrivilege	4412	powershell.exe
Token: SeIncBasePriorityPrivilege	4412	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

2200 powershell.exe

pid	process
2200	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exeWScript.execmd.exeSurrogateDll.execmd.exeSurrogateDll.exe

description	pid	process	target process
PID 2656 wrote to memory of 2180	2656	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	WScript.exe
PID 2656 wrote to memory of 2180	2656	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	WScript.exe
PID 2656 wrote to memory of 2180	2656	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	WScript.exe
PID 2180 wrote to memory of 68	2180	WScript.exe	cmd.exe
PID 2180 wrote to memory of 68	2180	WScript.exe	cmd.exe
PID 2180 wrote to memory of 68	2180	WScript.exe	cmd.exe
PID 68 wrote to memory of 5000	68	cmd.exe	SurrogateDll.exe
PID 68 wrote to memory of 5000	68	cmd.exe	SurrogateDll.exe
PID 5000 wrote to memory of 4320	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 4320	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 4404	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 4404	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 4412	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 4412	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 664	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 664	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 2916	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 2916	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 3188	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 3188	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 60	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 60	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 868	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 868	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 760	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 760	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 3960	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 3960	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 220	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 220	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 2216	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 2216	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 648	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 648	5000	SurrogateDll.exe	powershell.exe
PID 5000 wrote to memory of 3124	5000	SurrogateDll.exe	cmd.exe
PID 5000 wrote to memory of 3124	5000	SurrogateDll.exe	cmd.exe
PID 3124 wrote to memory of 5100	3124	cmd.exe	w32tm.exe
PID 3124 wrote to memory of 5100	3124	cmd.exe	w32tm.exe
PID 3124 wrote to memory of 3812	3124	cmd.exe	SurrogateDll.exe
PID 3124 wrote to memory of 3812	3124	cmd.exe	SurrogateDll.exe
PID 3812 wrote to memory of 4268	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4268	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4244	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4244	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 3304	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 3304	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4108	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4108	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 2388	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 2388	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 3340	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 3340	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4640	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4640	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 2172	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 2172	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 2668	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 2668	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 656	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 656	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4652	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 4652	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 3832	3812	SurrogateDll.exe	powershell.exe
PID 3812 wrote to memory of 3832	3812	SurrogateDll.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
"C:\Users\Admin\AppData\Local\Temp\915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:68
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\He7x4MHGT8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5100
      - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
        
        "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        
        PID:4268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        7⤵
        
        PID:3304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        
        PID:4244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        
        PID:4108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        
        PID:2172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        
        PID:656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        
        PID:3832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        
        PID:388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        
        PID:2668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        
        PID:3340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        7⤵
        
        PID:2388
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d2b2288-1e0c-480b-9d4f-8765cbd4bbaa.vbs"
        8⤵
        
        PID:4100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e7cf9a5-dafd-4e7d-b572-603685a6fdc1.vbs"
        8⤵
        
        PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\odt\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\Program Files\Mozilla Firefox\browser\VisualElements\powershell.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SurrogateDll.exe.log

Filesize
1KB

MD5
430a3e587f99c7640a58a042ce63bdd6

SHA1
5d11d6b74e56cf622796971b8f57f57ca37592db

SHA256
a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7

SHA512
0b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11c41d45f94cc219d37aea8aa043d7f9

SHA1
4fce83338fe8b3d6219579277957e471ba59a79f

SHA256
e8eb49c1fffe129e7b9ab26113353fbf2c588283014e49580a350e1ceb8be10d

SHA512
37a53fa2d162d94be247940420ce505eff2704d300c8225539ef370356f0f03f241c4a61dc6325e3ee68ca870bceaefebdc491fe529427b622ed46ac181b4e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ddb6aaf8bfc8ffd26eb163ccd97ab4d

SHA1
d395a66fd947a0dc5c09f35914d9fc8a1fee5105

SHA256
079446b723e3d262578a1c9befbb88a40cc1357f4dc288afce21e2b60277fe06

SHA512
62356c095d423b7e91680b2c5200f84b3d5daafa079c415cf13df54103a7db2127797fdfb00d1470a9da0952ed994109147f896989f699b644d8890963fc20a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fee79ba06e528e769ce2cfc4f2853854

SHA1
5d0559ec3914df887f39dee8db5288496aee1a99

SHA256
ff887f5001ddd51738d01536654cec252ad0a629073926542b6c64cc18be6216

SHA512
070f60646b093d9c28077dfda07ac2d218c065d9791d68b1e895cc2cda646f5c701c82e09f2c61bf859a0337abebb981a5e934dedd9ba213e98dd1a6edbc5020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
734ff46085c0ef9d05839f60737c4aaf

SHA1
a3e2b23f054c9b9ab05ff2e76ae74f8e4d397efe

SHA256
b7894a3aab8050afbbfcf6fdff08c44c37102cf114a51eccf2d2e8d2c659fefc

SHA512
2faf6f1793e0dbbd79f342323227ad96155a8f459d2fa5d5263be28c21702abdb0712d76ea3f24032adb812ae8bfb035c6545ba71d628d2b7f11484f80d699ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2cde1524240bbc40d32cc56bcc9a6c8

SHA1
5d3b8e3d7782c9a3aef694d6aee17aec009012fe

SHA256
b338e9e401a8ae6c23c7f9a7572db3c2186b6951cfeb6bb3290fd0ebf7da5638

SHA512
b796b7a0e51db749473b96334ba5fc83269550f57e85e8dd9d283a49a173add620e287579a894372c15fd881f43022e0f170a667146e6084c2e1ef4a2006460b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2cde1524240bbc40d32cc56bcc9a6c8

SHA1
5d3b8e3d7782c9a3aef694d6aee17aec009012fe

SHA256
b338e9e401a8ae6c23c7f9a7572db3c2186b6951cfeb6bb3290fd0ebf7da5638

SHA512
b796b7a0e51db749473b96334ba5fc83269550f57e85e8dd9d283a49a173add620e287579a894372c15fd881f43022e0f170a667146e6084c2e1ef4a2006460b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e09fbfabd14a397eab9239da472f1459

SHA1
bb4a68d465c16b73d86ab7c0fd4d5d8a24cd6994

SHA256
c81e5cbdb24e39dcb7e5ed435f69a5df3ad34c422e4203279f2dcf69f8cf87de

SHA512
8fd23e4d1e2958b2e370db809afac9c50ecdbdbd8db951229aa8b4fca101f09deb15b6c565aecde7163ad2bf6fdb3008ba1feeee6a314d93264fffd6b4909a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e09fbfabd14a397eab9239da472f1459

SHA1
bb4a68d465c16b73d86ab7c0fd4d5d8a24cd6994

SHA256
c81e5cbdb24e39dcb7e5ed435f69a5df3ad34c422e4203279f2dcf69f8cf87de

SHA512
8fd23e4d1e2958b2e370db809afac9c50ecdbdbd8db951229aa8b4fca101f09deb15b6c565aecde7163ad2bf6fdb3008ba1feeee6a314d93264fffd6b4909a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8928bc824a132292f2963a47c551296

SHA1
61cc7a8f3699ce722909df6a61ce247a97717144

SHA256
c3d1aee184790cf4b9d7f597ddb6ab16f3c2478aa3296ab44c9689798d1fd555

SHA512
589e44b8efe4a9febdae77742982b679bdc93d54fb346a3e88ee4e3942f182f1c34d66191bb0dd26efb52a4f00b5f351b7f1dd0de00db6c10c070b7991c10080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8928bc824a132292f2963a47c551296

SHA1
61cc7a8f3699ce722909df6a61ce247a97717144

SHA256
c3d1aee184790cf4b9d7f597ddb6ab16f3c2478aa3296ab44c9689798d1fd555

SHA512
589e44b8efe4a9febdae77742982b679bdc93d54fb346a3e88ee4e3942f182f1c34d66191bb0dd26efb52a4f00b5f351b7f1dd0de00db6c10c070b7991c10080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d54a329516ca45839030133798c9197e

SHA1
2a42f6372aaf157c69978ac4261974eaf76d2caf

SHA256
07c40b760ff40d7bcc0784c21293cfba27ce1308c9e2fe62a47d35bb429f6ab4

SHA512
21ca2a141a6e54395f6f4b4b010f2c9a201cc18e8e38d0b2f1e6b2e8dc60491b79e2149d24a06499862e562a299691ece93dea6a2173bb575b0c541fe14f4ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d55a67c1441d3f24eaff0e6419fa5780

SHA1
aa6f7ed60ea5dd0404bb011bcac71d6354935f9e

SHA256
0f6622dbae6b41b78077baf6a467a5c33aa3ca21d67093bffaf39d7c19d2ab05

SHA512
529fe9c1bfbb8276d175a6f18acd2b588d71c4d01753af6f00c856975ab57db11c1d0f6860231d3a15ff5647513f5447dc0fe1248a3a810559143c8f7761806a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d297a2901e136b8ff3c1029d24210984

SHA1
a64e0c18e5a5920d05b733b0f43b2eb924d3e97f

SHA256
3eb00eb584609dc47bf1860bab9c48e2bdfea4482b888c78dd7152f9334c5c32

SHA512
7791393eeef1435c232730371fe44a7ff31d4c4edcd1f0d9f1f8c8e16d17e77fa52ac80a51e361233ddc44a7a2f6293e28823696a0b79fe59c845ca09b6af4f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
65d6a90087bec4dd490ce890e8f22148

SHA1
16e2439696ab9ad9846f101d8d6c5f6548634ee2

SHA256
60e34c144722151ce1fd5562254f6659226d093a7c59ece203170c6c1a4197f2

SHA512
ccf43900f61155050c4b194d3e7aafcac1189f886d3cf690f76131541f10502ec89aad50c94adbea9d6a2451747e64a226d2ab5fa191d7730514cbcf1442efd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
625544ab4372923190b98f5a1eff7c58

SHA1
7dbbf8e35b33724ab25b925c6a1b5bb5207672ce

SHA256
02815b99dd4e595b0d6a7649afb9a7e80974769d52a930bd1661d16ea5b8309c

SHA512
2ddc839a9ee133352d53cf5ff917be12b4e6fc5b122fcb83754c09bf365962adc69c7bdd1f9f8a3bc2553276e3cdf091c34303f2236e7950195c83b35f9dac5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
91dc06ccbd067dfbc1dc6bc737ebf3d8

SHA1
bd3585c9f0cae9f97155b82b09759805472dd491

SHA256
f8b7eed97e8a7ba371db0a52b9f43b569e43fd6c43f1d9131f79f439991e9567

SHA512
2f6d7064ce7b397cc1f0bd7538a5c60284718b23614f25c409e62f722fa2e2b08376666ab00c6512d8dc16a55490c09d0acf59a714ee071003f83e9b1fbe354c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fd84f74f7517f2f144e032944e5b70f

SHA1
8fc70e124a85a3a8a30b9003ca81ff478fe1151d

SHA256
58cc5c4da5aa269a4ceebdc63235a01c57919b481f3e08286aad7f8d8d184839

SHA512
9eac6490271a50b7a8ff6a03afc726e82bfe03d14787aa666378a26ad43ca4e9f5fe3b3b96151b6e5fdb2beab131c7dfa1515c60fc1817d32955c0969d855a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0365c308c7a6be884c90062d095e5047

SHA1
1cbd4a8e4b7ce8f99e9d5414213b627a3f5dca70

SHA256
787b84612e35ad1be39b9b164609bd72f2cc6d4a5756a9d6676b64401bfaa1f9

SHA512
63e11b9d174ee8b488a9e0af7da95bb2dde078affe95b7ec790815e31a737dfaa8c8d733cbc6082e30848a8eb120437b8e4d5979ca4a9cfc28a268f406833ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38e0ba7444f76bdde54f83e32ee5c97b

SHA1
9574cd823b3c6c7ff38faf0e8dd5836b0e7ccb7a

SHA256
f0a4f7eba7058d83e082a4c594dc805f98eed05a2a4475fd7b4c371bd3614bfe

SHA512
cb49fe2fc505afde59ee23cd695e1dfea2a6b5b831571fd5ba5b0999bad6132f8934432ad0300e73a5f0d326a4b26c0208a48086902bb76f01421971e8560136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2cd03ac95f59659356daed511b29068

SHA1
2f50f5153603563986ce4613509d120a6f66a7a6

SHA256
ee4a566105f363fe795e107cd37c0ce96c8d82e62716b5eb23a701f158b5ccee

SHA512
698939c9930f6dec292131f80201626591c6d685976cf4edf4559b163c203f87b34936469ad5b42bea50c5374fc565b0fa89f12df4748ef58298762a18ad29da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4aa5ea7577c058b54c0f9359544f513f

SHA1
381f8195c12aca02c574545092d3228c4de6cab4

SHA256
7ac8723298a645388c32a8502944cfcd6ed61e6e4f8749b25cc77bccbe55d321

SHA512
f39868c81e53e94a0bb1daee72d3b027c333f655e4ac8d4deef4ba1fc51e42a0d27efb6605545091d6b5e718032c53ddd7ff347f29116bf92684842adfa15495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f79d00cc2e581ed8395f31c3897ba5de

SHA1
6594c4d93cadc72827a85ef277819fee478a2305

SHA256
e3bda9293f75dff7f94470c9962ed0fd303b068a76eb514ad37c5ae4af5f96a3

SHA512
74ae3cfb1ba39b185f60be0190d0d67f8e12e8a13f522e55d16ed7afc42793a4a145bb9601cfd168029104b9a2c938387435469dd5ebf453458c50c9c1fd626f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fd84f74f7517f2f144e032944e5b70f

SHA1
8fc70e124a85a3a8a30b9003ca81ff478fe1151d

SHA256
58cc5c4da5aa269a4ceebdc63235a01c57919b481f3e08286aad7f8d8d184839

SHA512
9eac6490271a50b7a8ff6a03afc726e82bfe03d14787aa666378a26ad43ca4e9f5fe3b3b96151b6e5fdb2beab131c7dfa1515c60fc1817d32955c0969d855a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ce9acca054de4eff2594cadf93f7d41c

SHA1
74b29faf69d0f96bd4f8cdf27395972d19ac435e

SHA256
1702ea94f84dde0dc139bd89782fa86eb16819fb81f9da43f98346958bf1b53f

SHA512
89e9a9e18c6d203da1961f56fd498f43697a67ce4dafb42a7cecbc211734b97f9487cc20778e02a22fa0ad255e97b1d718c00e7dd93bf1340de30a22a6cfdb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ce9acca054de4eff2594cadf93f7d41c

SHA1
74b29faf69d0f96bd4f8cdf27395972d19ac435e

SHA256
1702ea94f84dde0dc139bd89782fa86eb16819fb81f9da43f98346958bf1b53f

SHA512
89e9a9e18c6d203da1961f56fd498f43697a67ce4dafb42a7cecbc211734b97f9487cc20778e02a22fa0ad255e97b1d718c00e7dd93bf1340de30a22a6cfdb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e7cf9a5-dafd-4e7d-b572-603685a6fdc1.vbs

Filesize
522B

MD5
e1f653224fe5eebde4bb013a2a61e3be

SHA1
45bdee90febd49f27cd29e627ab2deceee228540

SHA256
7fb06b38665eeed0c1cc9cee04c3dfb97a5190da447be46eb429625694f97f12

SHA512
8f546476fa7031e899e27f9ba4ad1869a5e5c7275a82f839a8e59786249ac560e2614146de2b7eff1e9a27e1b4366b041628b9611365c8e1f3218165736dee07

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d2b2288-1e0c-480b-9d4f-8765cbd4bbaa.vbs

Filesize
746B

MD5
47bc9a500b4b643a97dacc03dddfdfe7

SHA1
564bb72863064c1df62dcc7fcbe66b178a8227a3

SHA256
b46e8b218805452e57b3bde91f20a8eeb27890d6c2736472a70878ca09df74b8

SHA512
4a082d34779f899e43d4373fbd3672680314930caec2409c2966f3fa3b1885f877e0426a62baf97190805a2162b53af0871901b1973b763cc3f8deb1b02886ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\He7x4MHGT8.bat

Filesize
211B

MD5
e042c11d53953ecfc0869286a7e760bf

SHA1
b50b07a8d38dff659056d29e66e9a53cb212282c

SHA256
d322e4893e04a023b3746fffabf2c1928f44171c36b04d474b9f8f81245d0d65

SHA512
8b0141ab545bb2d12c2481fbe23811c3a6bf510004ffc66417ed00e07d87913a616ce3d130391a6d0cbbe74fa4f74b58bfdffbcf8b4b86c1cb81292174787cba

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe

Filesize
223B

MD5
9403175bdfbadf333200b08d0f9a97e4

SHA1
c3383de367a292b0b2d12659468b7aa53985171d

SHA256
3185c369451bdae7ed017894d541c6957d5b583b4a31a8efd288cfe4ff457f87

SHA512
65ca9bdc7f0c2d9ddae0c2f6253386587f5e41fd0a1353a11c43c7352d6b218ad3b87160b536839f10bd2a6cd78d89053e77e3686284a5e66d7dd3ffd2176002

Download Submit
memory/60-305-0x0000000000000000-mapping.dmp

Download
memory/68-255-0x0000000000000000-mapping.dmp

Download
memory/220-314-0x0000000000000000-mapping.dmp

Download
memory/388-791-0x0000000000000000-mapping.dmp

Download
memory/648-320-0x0000000000000000-mapping.dmp

Download
memory/656-781-0x0000000000000000-mapping.dmp

Download
memory/664-302-0x0000000000000000-mapping.dmp

Download
memory/760-309-0x0000000000000000-mapping.dmp

Download
memory/868-308-0x0000000000000000-mapping.dmp

Download
memory/2172-775-0x0000000000000000-mapping.dmp

Download
memory/2180-179-0x0000000000000000-mapping.dmp

Download
memory/2180-181-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2180-180-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2200-1059-0x0000000002A49000-0x0000000002A4F000-memory.dmp

Filesize
24KB

Download
memory/2200-1241-0x000000001BA90000-0x000000001BD98000-memory.dmp

Filesize
3.0MB

Download
memory/2200-878-0x0000000000000000-mapping.dmp

Download
memory/2200-1113-0x000000001BA90000-0x000000001BD98000-memory.dmp

Filesize
3.0MB

Download
memory/2200-1236-0x000000001BA90000-0x000000001BD98000-memory.dmp

Filesize
3.0MB

Download
memory/2200-1237-0x0000000002A49000-0x0000000002A4F000-memory.dmp

Filesize
24KB

Download
memory/2200-1238-0x000000001BA90000-0x000000001BD98000-memory.dmp

Filesize
3.0MB

Download
memory/2200-1239-0x000000001BA90000-0x000000001BD98000-memory.dmp

Filesize
3.0MB

Download
memory/2200-1240-0x000000001BA90000-0x000000001BD98000-memory.dmp

Filesize
3.0MB

Download
memory/2216-317-0x0000000000000000-mapping.dmp

Download
memory/2388-772-0x0000000000000000-mapping.dmp

Download
memory/2656-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-162-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-161-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-176-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-173-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-159-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-154-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-152-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-116-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-148-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-117-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-115-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-171-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-170-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-169-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-777-0x0000000000000000-mapping.dmp

Download
memory/2916-303-0x0000000000000000-mapping.dmp

Download
memory/3124-367-0x0000000000000000-mapping.dmp

Download
memory/3188-304-0x0000000000000000-mapping.dmp

Download
memory/3304-770-0x0000000000000000-mapping.dmp

Download
memory/3340-773-0x0000000000000000-mapping.dmp

Download
memory/3812-890-0x000000001BA69000-0x000000001BA6F000-memory.dmp

Filesize
24KB

Download
memory/3812-897-0x000000001D544000-0x000000001D547000-memory.dmp

Filesize
12KB

Download
memory/3812-893-0x000000001D540000-0x000000001D544000-memory.dmp

Filesize
16KB

Download
memory/3812-691-0x0000000000000000-mapping.dmp

Download
memory/3812-852-0x000000001D540000-0x000000001D544000-memory.dmp

Filesize
16KB

Download
memory/3812-759-0x000000001BA69000-0x000000001BA6F000-memory.dmp

Filesize
24KB

Download
memory/3832-788-0x0000000000000000-mapping.dmp

Download
memory/3960-312-0x0000000000000000-mapping.dmp

Download
memory/4100-1214-0x0000000000000000-mapping.dmp

Download
memory/4108-771-0x0000000000000000-mapping.dmp

Download
memory/4244-769-0x0000000000000000-mapping.dmp

Download
memory/4268-768-0x0000000000000000-mapping.dmp

Download
memory/4320-365-0x000001A970AD0000-0x000001A970AF2000-memory.dmp

Filesize
136KB

Download
memory/4320-299-0x0000000000000000-mapping.dmp

Download
memory/4404-300-0x0000000000000000-mapping.dmp

Download
memory/4404-372-0x00000235A3E40000-0x00000235A3EB6000-memory.dmp

Filesize
472KB

Download
memory/4412-301-0x0000000000000000-mapping.dmp

Download
memory/4640-774-0x0000000000000000-mapping.dmp

Download
memory/4652-783-0x0000000000000000-mapping.dmp

Download
memory/5000-297-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

Filesize
48KB

Download
memory/5000-292-0x000000001AF70000-0x000000001AF7C000-memory.dmp

Filesize
48KB

Download
memory/5000-354-0x000000001C530000-0x000000001C534000-memory.dmp

Filesize
16KB

Download
memory/5000-278-0x0000000000000000-mapping.dmp

Download
memory/5000-379-0x000000001AF99000-0x000000001AF9F000-memory.dmp

Filesize
24KB

Download
memory/5000-381-0x000000001C530000-0x000000001C534000-memory.dmp

Filesize
16KB

Download
memory/5000-298-0x000000001AF99000-0x000000001AF9F000-memory.dmp

Filesize
24KB

Download
memory/5000-383-0x000000001C534000-0x000000001C537000-memory.dmp

Filesize
12KB

Download
memory/5000-281-0x0000000000260000-0x0000000000420000-memory.dmp

Filesize
1.8MB

Download
memory/5000-296-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

Filesize
48KB

Download
memory/5000-295-0x000000001B6C0000-0x000000001B6C8000-memory.dmp

Filesize
32KB

Download
memory/5000-294-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/5000-293-0x000000001B6A0000-0x000000001B6AA000-memory.dmp

Filesize
40KB

Download
memory/5000-357-0x000000001C534000-0x000000001C537000-memory.dmp

Filesize
12KB

Download
memory/5000-291-0x000000001BBD0000-0x000000001C0F6000-memory.dmp

Filesize
5.1MB

Download
memory/5000-290-0x0000000002610000-0x0000000002622000-memory.dmp

Filesize
72KB

Download
memory/5000-289-0x0000000002600000-0x0000000002608000-memory.dmp

Filesize
32KB

Download
memory/5000-288-0x00000000025F0000-0x00000000025FC000-memory.dmp

Filesize
48KB

Download
memory/5000-287-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/5000-286-0x00000000025C0000-0x00000000025D6000-memory.dmp

Filesize
88KB

Download
memory/5000-285-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/5000-284-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/5000-283-0x000000001AF20000-0x000000001AF70000-memory.dmp

Filesize
320KB

Download
memory/5000-282-0x0000000000930000-0x000000000094C000-memory.dmp

Filesize
112KB

Download
memory/5016-1217-0x0000000000000000-mapping.dmp

Download
memory/5100-374-0x0000000000000000-mapping.dmp

Download