dcrat | 51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

devaltexe.exe
Size

2.0MB
MD5

fc9ea28a3c3659c4200e442d20198458
SHA1

79ede873cd08d5941e54524dd85b5add0a79bd7c
SHA256

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0
SHA512

c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17
SSDEEP

49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4248	schtasks.exe	34

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x0006000000023164-143.dat	dcrat
behavioral2/files/0x0006000000023164-144.dat	dcrat
behavioral2/memory/4392-145-0x0000000000D10000-0x0000000000ED0000-memory.dmp	dcrat
behavioral2/files/0x0006000000023169-154.dat	dcrat
behavioral2/files/0x00070000000231a2-211.dat	dcrat
behavioral2/files/0x0007000000023173-272.dat	dcrat
behavioral2/files/0x0009000000023177-296.dat	dcrat
behavioral2/files/0x0006000000023182-564.dat	dcrat
behavioral2/files/0x0006000000023182-565.dat	dcrat
behavioral2/files/0x0006000000023182-607.dat	dcrat
behavioral2/files/0x00060000000231ae-616.dat	dcrat
behavioral2/files/0x0006000000023182-645.dat	dcrat
behavioral2/files/0x00060000000231ae-653.dat	dcrat
behavioral2/files/0x0006000000023182-695.dat	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

devaltexe.exeWScript.exeSurrogateDll.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	devaltexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	SurrogateDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

SurrogateDll.exeexplorer.exeexplorer.exeexplorer.exe

pid	Process
4392	SurrogateDll.exe
5516	explorer.exe
3160	explorer.exe
656	explorer.exe

Drops file in Program Files directory 35 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	SurrogateDll.exe
File created	C:\Program Files\Windows Portable Devices\fontdrvhost.exe	SurrogateDll.exe
File created	C:\Program Files\Windows Media Player\it-IT\ebf1f9fa8afd6d	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX939E.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Internet Explorer\9e8d7a4ca61bd9	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX9602.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXAE8D.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\cmd.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94	SurrogateDll.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\69ddcba757bf72	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX916A.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX996F.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9BF2.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Portable Devices\fontdrvhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXB7DD.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Mail\eddb19405b7ce1	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe	SurrogateDll.exe
File created	C:\Program Files\Windows Portable Devices\5b884080fd4f94	SurrogateDll.exe
File created	C:\Program Files\Windows Media Player\it-IT\cmd.exe	SurrogateDll.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX915A.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX993F.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX9B93.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX95B3.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXAEAD.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX939F.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXB7BD.tmp	SurrogateDll.exe

Drops file in Windows directory 6 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXB0B2.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXB0D2.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe	SurrogateDll.exe
File created	C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\OfficeClickToRun.exe	SurrogateDll.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe	SurrogateDll.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6203df4a6bafc7	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2652	3160	WerFault.exe	184
2520	656	WerFault.exe	190

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	Process
2820	schtasks.exe
5032	schtasks.exe
4980	schtasks.exe
4700	schtasks.exe
2812	schtasks.exe
2620	schtasks.exe
2336	schtasks.exe
4724	schtasks.exe
4856	schtasks.exe
4928	schtasks.exe
3736	schtasks.exe
656	schtasks.exe
1004	schtasks.exe
2208	schtasks.exe
60	schtasks.exe
3456	schtasks.exe
3712	schtasks.exe
2176	schtasks.exe
3780	schtasks.exe
4968	schtasks.exe
5020	schtasks.exe
4560	schtasks.exe
8	schtasks.exe
4332	schtasks.exe
4788	schtasks.exe
2248	schtasks.exe
3336	schtasks.exe
1396	schtasks.exe
4192	schtasks.exe
3160	schtasks.exe
4732	schtasks.exe
1844	schtasks.exe
1720	schtasks.exe
3888	schtasks.exe
1060	schtasks.exe
4012	schtasks.exe
1936	schtasks.exe
1816	schtasks.exe
332	schtasks.exe
516	schtasks.exe
4948	schtasks.exe
5000	schtasks.exe
848	schtasks.exe
392	schtasks.exe
4484	schtasks.exe
4216	schtasks.exe
3252	schtasks.exe
1292	schtasks.exe

Modifies registry class 5 IoCs

Processes:

devaltexe.exeSurrogateDll.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	devaltexe.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	SurrogateDll.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exe

pid	Process
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe
4392	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exeexplorer.exeexplorer.exe

description	pid	Process
Token: SeDebugPrivilege	4392	SurrogateDll.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	5516	explorer.exe
Token: SeDebugPrivilege	3160	explorer.exe
Token: SeDebugPrivilege	656	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

devaltexe.exeWScript.execmd.exeSurrogateDll.execmd.exeexplorer.exeWScript.exeexplorer.exeWScript.exeexplorer.exe

description	pid	Process	procid_target
PID 4176 wrote to memory of 1436	4176	devaltexe.exe	86
PID 4176 wrote to memory of 1436	4176	devaltexe.exe	86
PID 4176 wrote to memory of 1436	4176	devaltexe.exe	86
PID 1436 wrote to memory of 1052	1436	WScript.exe	87
PID 1436 wrote to memory of 1052	1436	WScript.exe	87
PID 1436 wrote to memory of 1052	1436	WScript.exe	87
PID 1052 wrote to memory of 4392	1052	cmd.exe	89
PID 1052 wrote to memory of 4392	1052	cmd.exe	89
PID 4392 wrote to memory of 4980	4392	SurrogateDll.exe	142
PID 4392 wrote to memory of 4980	4392	SurrogateDll.exe	142
PID 4392 wrote to memory of 4960	4392	SurrogateDll.exe	143
PID 4392 wrote to memory of 4960	4392	SurrogateDll.exe	143
PID 4392 wrote to memory of 5020	4392	SurrogateDll.exe	144
PID 4392 wrote to memory of 5020	4392	SurrogateDll.exe	144
PID 4392 wrote to memory of 4992	4392	SurrogateDll.exe	167
PID 4392 wrote to memory of 4992	4392	SurrogateDll.exe	167
PID 4392 wrote to memory of 5032	4392	SurrogateDll.exe	166
PID 4392 wrote to memory of 5032	4392	SurrogateDll.exe	166
PID 4392 wrote to memory of 3812	4392	SurrogateDll.exe	165
PID 4392 wrote to memory of 3812	4392	SurrogateDll.exe	165
PID 4392 wrote to memory of 5000	4392	SurrogateDll.exe	164
PID 4392 wrote to memory of 5000	4392	SurrogateDll.exe	164
PID 4392 wrote to memory of 3628	4392	SurrogateDll.exe	163
PID 4392 wrote to memory of 3628	4392	SurrogateDll.exe	163
PID 4392 wrote to memory of 2096	4392	SurrogateDll.exe	161
PID 4392 wrote to memory of 2096	4392	SurrogateDll.exe	161
PID 4392 wrote to memory of 5104	4392	SurrogateDll.exe	160
PID 4392 wrote to memory of 5104	4392	SurrogateDll.exe	160
PID 4392 wrote to memory of 4368	4392	SurrogateDll.exe	158
PID 4392 wrote to memory of 4368	4392	SurrogateDll.exe	158
PID 4392 wrote to memory of 3664	4392	SurrogateDll.exe	157
PID 4392 wrote to memory of 3664	4392	SurrogateDll.exe	157
PID 4392 wrote to memory of 2128	4392	SurrogateDll.exe	155
PID 4392 wrote to memory of 2128	4392	SurrogateDll.exe	155
PID 4392 wrote to memory of 2520	4392	SurrogateDll.exe	168
PID 4392 wrote to memory of 2520	4392	SurrogateDll.exe	168
PID 2520 wrote to memory of 3340	2520	cmd.exe	170
PID 2520 wrote to memory of 3340	2520	cmd.exe	170
PID 2520 wrote to memory of 5516	2520	cmd.exe	173
PID 2520 wrote to memory of 5516	2520	cmd.exe	173
PID 5516 wrote to memory of 5792	5516	explorer.exe	175
PID 5516 wrote to memory of 5792	5516	explorer.exe	175
PID 5516 wrote to memory of 5836	5516	explorer.exe	176
PID 5516 wrote to memory of 5836	5516	explorer.exe	176
PID 5792 wrote to memory of 3160	5792	WScript.exe	184
PID 5792 wrote to memory of 3160	5792	WScript.exe	184
PID 3160 wrote to memory of 3228	3160	explorer.exe	185
PID 3160 wrote to memory of 3228	3160	explorer.exe	185
PID 3160 wrote to memory of 3144	3160	explorer.exe	186
PID 3160 wrote to memory of 3144	3160	explorer.exe	186
PID 3228 wrote to memory of 656	3228	WScript.exe	190
PID 3228 wrote to memory of 656	3228	WScript.exe	190
PID 656 wrote to memory of 1520	656	explorer.exe	191
PID 656 wrote to memory of 1520	656	explorer.exe	191
PID 656 wrote to memory of 2128	656	explorer.exe	192
PID 656 wrote to memory of 2128	656	explorer.exe	192

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\devaltexe.exe
"C:\Users\Admin\AppData\Local\Temp\devaltexe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\geIw2hseSY.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3340
      - C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7150f820-4145-4399-8f21-c431eee80916.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5792
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95b24448-2c9b-4d89-b0a6-0bdccbb0376e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a893b04c-b870-4efb-baf4-e729ec07aff3.vbs"
        11⤵
        
        PID:1520
        
        C:\Recovery\WindowsRE\explorer.exe
        
        C:\Recovery\WindowsRE\explorer.exe
        12⤵
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5677f52-7905-4015-8c5f-921346e0885f.vbs"
        11⤵
        
        PID:2128
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 656 -s 1572
        11⤵
        Program crash
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3614a45-81d5-41db-bdd1-a45a397c4b5f.vbs"
        9⤵
        
        PID:3144
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3160 -s 2204
        9⤵
        Program crash
        
        PID:2652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0719a07-9d35-453a-9923-3b7c585e4c17.vbs"
        7⤵
        
        PID:5836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 196 -p 3160 -ip 3160
1⤵
PID:4956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 372 -p 656 -ip 656
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\RCX939F.tmp

Filesize
1.7MB

MD5
7b4c52ffeb62388ae9e4174771f90bd4

SHA1
282d38d6a974055e24c27190d22331ebc9643b45

SHA256
4838b46a55389d775b77ec76898d4520cb420fa74a1a8a964a5375af51b53d8c

SHA512
8189bb7627909c9c2fc0ce79d6c0dca41777c50637e30e194dbe5699e514799877a3dd09bb0ceeb717401d2ecda3a93ba39d8d9d3c4ed15c1ef11c02b6f47ea1

Download Submit
C:\Program Files (x86)\Windows Mail\backgroundTaskHost.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
473KB

MD5
e5069885c654117471e9f122c6fccdd9

SHA1
da640f8ac7d17066defbe1d80d46494603640066

SHA256
e1b3adde44cf157840e2d076b430d2ad1d6e6033a3a07f987554665f4db91edd

SHA512
79262b26d9564ce6bef37fc39d8e109a0660ca9185a2ab440f1ba47205d02713f7d6ade875a5a3d6086a25bc5528a2c9623c1a54449a56717c7fcb1b725328d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2af5f96ce2b484abb3f8af88f6cdd118f45d2341.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2af5f96ce2b484abb3f8af88f6cdd118f45d2341.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7150f820-4145-4399-8f21-c431eee80916.vbs

Filesize
710B

MD5
f87997d54eee3c13d7427899252a042e

SHA1
23698ee5bbd95c5a8b5a132130fe65f409c04fd3

SHA256
de0c8815fde25cb9e45c8eecfa9415779fc3bf9b86b7d765cdabdb2aca713496

SHA512
14c0c6851e06f4af7dfaf84b8b73d48ef6c891222fbdaa68b972e5d2368a54e1328ae22ce40003c88ccb87a2fbbe40452e05619dacd0bdf3a1ffc00ce53d59da

Download Submit
C:\Users\Admin\AppData\Local\Temp\95b24448-2c9b-4d89-b0a6-0bdccbb0376e.vbs

Filesize
710B

MD5
054675458945c3cac0008f7e64795fbc

SHA1
5bb93d5ee44093e62bbc41bf9748888c92a02911

SHA256
323169ebc5fbfe56a72edd079ea02ffe97f5f33522e471b298baf2d1cb35b887

SHA512
54488b587eabd6efcd877b1eac1c1a1cdb6c61abab35de4ceaa48a124fd0a8ca08484f96948863a792bd230dcb593c36c4b0ea8bc78106ed11ff0a79ecc0cbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_skcwu4nv.0yd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a893b04c-b870-4efb-baf4-e729ec07aff3.vbs

Filesize
709B

MD5
37f696652e27ca18186e00a7ba0b8570

SHA1
20d1c9f9faed7d2b0751042a1604931d7cf18ce8

SHA256
22e01dbdb0c7ae1ec738fcb2dde91a8d36faa3588d98eb6c0c53118866d34a16

SHA512
ed09d4ce3d4d5b283693abe235d1e64147e515fa3d8540783d52d9ff8d486efb0238d01a42ab72f1c42104ca09e86b4db8d0e7529295a7d570e2fb981ff51de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5677f52-7905-4015-8c5f-921346e0885f.vbs

Filesize
486B

MD5
04c94a1ace2ae3e02c0897ebe398bdf6

SHA1
833ecab3864ada7befa1e2dbd78d791bc1d77243

SHA256
6e2e44cb2f17ff8abc183f0108151c3dda9038dde0777c008784a339ffca7809

SHA512
cfc603afd599c2260f939fea07e07aae03738f00bbb4873276ea6f350626600811879b00bb20fc404524de5f3f2b40ef95b26cf3e7469ede133f96cc18eb1146

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0719a07-9d35-453a-9923-3b7c585e4c17.vbs

Filesize
486B

MD5
04c94a1ace2ae3e02c0897ebe398bdf6

SHA1
833ecab3864ada7befa1e2dbd78d791bc1d77243

SHA256
6e2e44cb2f17ff8abc183f0108151c3dda9038dde0777c008784a339ffca7809

SHA512
cfc603afd599c2260f939fea07e07aae03738f00bbb4873276ea6f350626600811879b00bb20fc404524de5f3f2b40ef95b26cf3e7469ede133f96cc18eb1146

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3614a45-81d5-41db-bdd1-a45a397c4b5f.vbs

Filesize
486B

MD5
04c94a1ace2ae3e02c0897ebe398bdf6

SHA1
833ecab3864ada7befa1e2dbd78d791bc1d77243

SHA256
6e2e44cb2f17ff8abc183f0108151c3dda9038dde0777c008784a339ffca7809

SHA512
cfc603afd599c2260f939fea07e07aae03738f00bbb4873276ea6f350626600811879b00bb20fc404524de5f3f2b40ef95b26cf3e7469ede133f96cc18eb1146

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3614a45-81d5-41db-bdd1-a45a397c4b5f.vbs

Filesize
486B

MD5
04c94a1ace2ae3e02c0897ebe398bdf6

SHA1
833ecab3864ada7befa1e2dbd78d791bc1d77243

SHA256
6e2e44cb2f17ff8abc183f0108151c3dda9038dde0777c008784a339ffca7809

SHA512
cfc603afd599c2260f939fea07e07aae03738f00bbb4873276ea6f350626600811879b00bb20fc404524de5f3f2b40ef95b26cf3e7469ede133f96cc18eb1146

Download Submit
C:\Users\Admin\AppData\Local\Temp\geIw2hseSY.bat

Filesize
199B

MD5
77bf3648716a27bcf0dd91decdf647bc

SHA1
a8e6faff9005c033f7caea5842d14786003dd8bd

SHA256
bc5045004f888fda4d94eb36741c60ddbb4ae62e8d6fe1c229ab3cb16ed39838

SHA512
f287a9291b0544222f844eb2cec098304e7a13e95f4b0d03670de4bafa1a978230f4820d16f9ef4795523de57517078eb682a41507b467fe085a9e6d68b48ec3

Download Submit
C:\Users\Default\dwm.exe

Filesize
1.7MB

MD5
453406e841cd00463a70080cbc663b33

SHA1
653e9123225b884597cbaf4950b02ebc9613cfcc

SHA256
06062d8494b3e0ec14da3dc58ce828b6094d78ade64e613d759765c34869a260

SHA512
6ef44669fb056d3b77f9f08f953891b273a9ec0325bd1f54b03c098fca2a0123755017cfcb5ddc435f01ac94d050148b41301d524ece0cf897e9efc6c20f9504

Download Submit
C:\Users\Public\SppExtComObj.exe

Filesize
1.7MB

MD5
a3482b784dbba180255fde262deda5d3

SHA1
5b90aaaf4095f5b96d354456b9bc225e63d49797

SHA256
6c3194ce4d1aadc94cac540ff3ffb9365c181debc2e880c6f91c5c9d84329779

SHA512
e23802ca045403e03774740c0aaf14e10b9764d53f2a1b99d0d78241ecafb303bc32e991c75e88bc10a4ae69d3b072bd4d8acd45c7b8bde9b590bce0950ca92c

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe

Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
memory/1520-669-0x000001C3D5500000-0x000001C3D553B000-memory.dmp

Filesize
236KB

Download
memory/2096-521-0x0000020A986F0000-0x0000020A98700000-memory.dmp

Filesize
64KB

Download
memory/2096-530-0x0000020A986F0000-0x0000020A98700000-memory.dmp

Filesize
64KB

Download
memory/2128-503-0x000001F44C650000-0x000001F44C660000-memory.dmp

Filesize
64KB

Download
memory/2128-524-0x000001F44C650000-0x000001F44C660000-memory.dmp

Filesize
64KB

Download
memory/2128-670-0x000001D692AA0000-0x000001D692ADB000-memory.dmp

Filesize
236KB

Download
memory/2128-534-0x000001F44C650000-0x000001F44C660000-memory.dmp

Filesize
64KB

Download
memory/3144-633-0x00000200ABB20000-0x00000200ABB5B000-memory.dmp

Filesize
236KB

Download
memory/3228-632-0x000001DC00BA0000-0x000001DC00BDB000-memory.dmp

Filesize
236KB

Download
memory/3628-531-0x000001CB31300000-0x000001CB31310000-memory.dmp

Filesize
64KB

Download
memory/3664-509-0x00000181325B0000-0x00000181325C0000-memory.dmp

Filesize
64KB

Download
memory/3664-527-0x00000181325B0000-0x00000181325C0000-memory.dmp

Filesize
64KB

Download
memory/3664-515-0x00000181325B0000-0x00000181325C0000-memory.dmp

Filesize
64KB

Download
memory/3664-536-0x00000181325B0000-0x00000181325C0000-memory.dmp

Filesize
64KB

Download
memory/3812-525-0x0000020F58490000-0x0000020F584A0000-memory.dmp

Filesize
64KB

Download
memory/4368-517-0x0000018DC5AD0000-0x0000018DC5AE0000-memory.dmp

Filesize
64KB

Download
memory/4392-295-0x000000001D340000-0x000000001D440000-memory.dmp

Filesize
1024KB

Download
memory/4392-152-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-145-0x0000000000D10000-0x0000000000ED0000-memory.dmp

Filesize
1.8MB

Download
memory/4392-226-0x000000001D340000-0x000000001D440000-memory.dmp

Filesize
1024KB

Download
memory/4392-294-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-346-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-345-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-321-0x000000001D340000-0x000000001D440000-memory.dmp

Filesize
1024KB

Download
memory/4392-320-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-319-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-146-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-147-0x000000001C150000-0x000000001C1A0000-memory.dmp

Filesize
320KB

Download
memory/4392-149-0x000000001C6D0000-0x000000001CBF8000-memory.dmp

Filesize
5.2MB

Download
memory/4392-167-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-166-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4392-153-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/4960-514-0x000001ED52540000-0x000001ED52550000-memory.dmp

Filesize
64KB

Download
memory/4960-516-0x000001ED52540000-0x000001ED52550000-memory.dmp

Filesize
64KB

Download
memory/4980-526-0x000001E2BC5D0000-0x000001E2BC5E0000-memory.dmp

Filesize
64KB

Download
memory/4980-399-0x000001E2BC520000-0x000001E2BC542000-memory.dmp

Filesize
136KB

Download
memory/4980-532-0x000001E2BC5D0000-0x000001E2BC5E0000-memory.dmp

Filesize
64KB

Download
memory/4992-468-0x000002307E5E0000-0x000002307E5F0000-memory.dmp

Filesize
64KB

Download
memory/4992-480-0x000002307E5E0000-0x000002307E5F0000-memory.dmp

Filesize
64KB

Download
memory/4992-533-0x000002307E5E0000-0x000002307E5F0000-memory.dmp

Filesize
64KB

Download
memory/4992-529-0x000002307E5E0000-0x000002307E5F0000-memory.dmp

Filesize
64KB

Download
memory/5000-519-0x00000184CA470000-0x00000184CA480000-memory.dmp

Filesize
64KB

Download
memory/5000-520-0x00000184CA470000-0x00000184CA480000-memory.dmp

Filesize
64KB

Download
memory/5000-537-0x00000184CA470000-0x00000184CA480000-memory.dmp

Filesize
64KB

Download
memory/5020-528-0x0000023A41890000-0x0000023A418A0000-memory.dmp

Filesize
64KB

Download
memory/5020-479-0x0000023A41890000-0x0000023A418A0000-memory.dmp

Filesize
64KB

Download
memory/5020-458-0x0000023A41890000-0x0000023A418A0000-memory.dmp

Filesize
64KB

Download
memory/5032-502-0x000001D617280000-0x000001D617290000-memory.dmp

Filesize
64KB

Download
memory/5032-523-0x000001D617280000-0x000001D617290000-memory.dmp

Filesize
64KB

Download
memory/5032-535-0x000001D617280000-0x000001D617290000-memory.dmp

Filesize
64KB

Download
memory/5104-538-0x000001E0569C0000-0x000001E0569D0000-memory.dmp

Filesize
64KB

Download
memory/5104-518-0x000001E0569C0000-0x000001E0569D0000-memory.dmp

Filesize
64KB

Download
memory/5516-584-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-581-0x000000001D240000-0x000000001D340000-memory.dmp

Filesize
1024KB

Download
memory/5516-592-0x000000001D240000-0x000000001D340000-memory.dmp

Filesize
1024KB

Download
memory/5516-566-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-590-0x000000001D240000-0x000000001D340000-memory.dmp

Filesize
1024KB

Download
memory/5516-570-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-568-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-587-0x000000001D240000-0x000000001D340000-memory.dmp

Filesize
1024KB

Download
memory/5516-586-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-585-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-569-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-583-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-582-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5516-591-0x000000001D240000-0x000000001D340000-memory.dmp

Filesize
1024KB

Download
memory/5516-580-0x000000001D240000-0x000000001D340000-memory.dmp

Filesize
1024KB

Download
memory/5516-567-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/5792-588-0x00000264D2610000-0x00000264D264B000-memory.dmp

Filesize
236KB

Download
memory/5836-589-0x000001C031700000-0x000001C03173B000-memory.dmp

Filesize
236KB

Download