dcrat | 47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-08-2022 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DefenderSmartScreen.exe
Size

1.4MB
MD5

5d66bae46d9759662f2309dc9bb8d2cc
SHA1

bd553872c196f31bc879555ae9f68dca5a337ba7
SHA256

47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe
SHA512

18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1
SSDEEP

24576:9PV32MblP1ol19heoF6heWOeWlERO6XmN/DipYrkJDF:/324okobWyl3N/Di4k

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1480	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1480	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

DefenderSmartScreen.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DefenderSmartScreen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	DefenderSmartScreen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	DefenderSmartScreen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1492-54-0x00000000001B0000-0x0000000000312000-memory.dmp	dcrat
C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe	dcrat
C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe	dcrat
behavioral1/memory/2880-123-0x0000000000FD0000-0x0000000001132000-memory.dmp	dcrat

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Idle.exenew1.exeC4Updater.exeSysApp.exe

pid process

2880 Idle.exe
2508 new1.exe
2336 C4Updater.exe
1380 SysApp.exe
Loads dropped DLL 1 IoCs

Processes:

Idle.exe

pid process

2880 Idle.exe

pid	process
2880	Idle.exe
2508	new1.exe
2336	C4Updater.exe
1380	SysApp.exe

pid	process
2880	Idle.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Idle.exeDefenderSmartScreen.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DefenderSmartScreen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DefenderSmartScreen.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 10 IoCs

Processes:

DefenderSmartScreen.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\en-US\WMIADAP.exe	DefenderSmartScreen.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe	DefenderSmartScreen.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\services.exe	DefenderSmartScreen.exe
File created	C:\Program Files\Windows Sidebar\it-IT\System.exe	DefenderSmartScreen.exe
File created	C:\Program Files\Windows Sidebar\it-IT\27d1bcfc3c54e0	DefenderSmartScreen.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\c5b4cb5e9653cc	DefenderSmartScreen.exe
File created	C:\Program Files\Internet Explorer\en-US\75a57c1bdf437c	DefenderSmartScreen.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\7a0fd90576e088	DefenderSmartScreen.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	DefenderSmartScreen.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	DefenderSmartScreen.exe

Drops file in Windows directory 8 IoCs

Processes:

DefenderSmartScreen.exe

description	ioc	process
File created	C:\Windows\PolicyDefinitions\taskhost.exe	DefenderSmartScreen.exe
File created	C:\Windows\PolicyDefinitions\b75386f1303e64	DefenderSmartScreen.exe
File created	C:\Windows\tracing\sppsvc.exe	DefenderSmartScreen.exe
File created	C:\Windows\tracing\0a1fd5f707cd16	DefenderSmartScreen.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\spoolsv.exe	DefenderSmartScreen.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\f3b6ecef712a24	DefenderSmartScreen.exe
File created	C:\Windows\LiveKernelReports\Idle.exe	DefenderSmartScreen.exe
File created	C:\Windows\LiveKernelReports\6ccacd8608530f	DefenderSmartScreen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
916	schtasks.exe
1572	schtasks.exe
1280	schtasks.exe
2148	schtasks.exe
2384	schtasks.exe
1872	schtasks.exe
1828	schtasks.exe
1248	schtasks.exe
2224	schtasks.exe
2292	schtasks.exe
584	schtasks.exe
1188	schtasks.exe
1712	schtasks.exe
1552	schtasks.exe
1120	schtasks.exe
436	schtasks.exe
1652	schtasks.exe
1928	schtasks.exe
788	schtasks.exe
1636	schtasks.exe
112	schtasks.exe
1696	schtasks.exe
2088	schtasks.exe
1692	schtasks.exe
864	schtasks.exe
2108	schtasks.exe
2320	schtasks.exe
1664	schtasks.exe
1376	schtasks.exe
2344	schtasks.exe
896	schtasks.exe
2028	schtasks.exe
920	schtasks.exe
1632	schtasks.exe
1216	schtasks.exe
820	schtasks.exe
2200	schtasks.exe
2364	schtasks.exe
2068	schtasks.exe
1720	schtasks.exe
1504	schtasks.exe
2248	schtasks.exe
2272	schtasks.exe
556	schtasks.exe
1984	schtasks.exe
816	schtasks.exe
1156	schtasks.exe
696	schtasks.exe
520	schtasks.exe
1896	schtasks.exe
2128	schtasks.exe
1532	schtasks.exe
1248	schtasks.exe
972	schtasks.exe
1360	schtasks.exe
2176	schtasks.exe
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

DefenderSmartScreen.exeIdle.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exenew1.exe

pid	process
1492	DefenderSmartScreen.exe
2880	Idle.exe
2404	powershell.exe
2424	powershell.exe
2440	powershell.exe
2556	powershell.exe
2520	powershell.exe
2116	powershell.exe
2236	powershell.exe
2672	powershell.exe
2620	powershell.exe
2756	powershell.exe
2980	powershell.exe
2868	powershell.exe
2956	powershell.exe
2488	powershell.exe
972	powershell.exe
2460	powershell.exe
2580	powershell.exe
2916	powershell.exe
3012	powershell.exe
2880	Idle.exe
2880	Idle.exe
2880	Idle.exe
2880	Idle.exe
2880	Idle.exe
2880	Idle.exe
2880	Idle.exe
2880	Idle.exe
1668	powershell.exe
2508	new1.exe
2508	new1.exe
2508	new1.exe
2508	new1.exe
2508	new1.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1492	DefenderSmartScreen.exe
Token: SeDebugPrivilege	2880	Idle.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DefenderSmartScreen.exeIdle.exe

description	pid	process	target process
PID 1492 wrote to memory of 2404	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2404	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2404	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2424	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2424	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2424	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2440	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2440	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2440	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2460	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2460	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2460	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2488	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2488	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2488	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2520	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2520	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2520	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2556	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2556	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2556	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2580	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2580	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2580	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2620	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2620	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2620	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2672	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2672	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2672	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2756	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2756	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2756	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2868	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2868	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2868	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2916	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2916	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2916	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2956	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2956	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2956	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2980	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2980	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2980	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 3012	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 3012	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 3012	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 1668	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 1668	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 1668	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2116	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2116	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2116	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2236	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2236	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2236	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 972	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 972	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 972	1492	DefenderSmartScreen.exe	powershell.exe
PID 1492 wrote to memory of 2880	1492	DefenderSmartScreen.exe	Idle.exe
PID 1492 wrote to memory of 2880	1492	DefenderSmartScreen.exe	Idle.exe
PID 1492 wrote to memory of 2880	1492	DefenderSmartScreen.exe	Idle.exe
PID 2880 wrote to memory of 588	2880	Idle.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

Idle.exeDefenderSmartScreen.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	DefenderSmartScreen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	DefenderSmartScreen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	DefenderSmartScreen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

C:\Users\Admin\AppData\Local\Temp\DefenderSmartScreen.exe
"C:\Users\Admin\AppData\Local\Temp\DefenderSmartScreen.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DefenderSmartScreen.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\taskhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\DefenderSmartScreen.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\sppsvc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\System.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DefenderSmartScreen.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\services.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe
"C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54a6842c-b7df-495e-aec6-547056ca5d25.vbs"
3⤵
PID:588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e7fd774-3e17-4298-a3e3-ddb10452a8a6.vbs"
3⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\new1.exe
"C:\Users\Admin\AppData\Local\Temp\new1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2508

C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
"C:\Users\Admin\AppData\Local\Temp\C4Updater.exe"
3⤵
- Executes dropped EXE
PID:2336

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
3⤵
- Executes dropped EXE
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderSmartScreenD" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\DefenderSmartScreen.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderSmartScreen" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\DefenderSmartScreen.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderSmartScreenD" /sc MINUTE /mo 6 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\DefenderSmartScreen.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\it-IT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderSmartScreenD" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\DefenderSmartScreen.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderSmartScreen" /sc ONLOGON /tr "'C:\Users\Default User\DefenderSmartScreen.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderSmartScreenD" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\DefenderSmartScreen.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe
Filesize
1.4MB

MD5
5d66bae46d9759662f2309dc9bb8d2cc

SHA1
bd553872c196f31bc879555ae9f68dca5a337ba7

SHA256
47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

SHA512
18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1

Download Submit
C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\Idle.exe
Filesize
1.4MB

MD5
5d66bae46d9759662f2309dc9bb8d2cc

SHA1
bd553872c196f31bc879555ae9f68dca5a337ba7

SHA256
47914fa6b0464f1a14c06792e85ce1ba4620b950a1dfb5168d097fda39b8a6fe

SHA512
18f49104b2de5cae32e90d43eab28ed37a5dcb5a661ce3fa57b52555009f3fd88683d711c631420acd01d1a24dafee94539c6143e185f7ecbb6d7646fbd5e3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e7fd774-3e17-4298-a3e3-ddb10452a8a6.vbs
Filesize
509B

MD5
9eebd238264b77f84c3730d89ce4c4d4

SHA1
365845eb0333fff9baa5de02bf98bce7df0d4cc7

SHA256
d156bf68d11a48dd88de84accfcda28f74ef016568630dcde8b7de2ad9c95ccc

SHA512
1f8104753d0fced7042a1670280d6dd2f78cc1e6347e295ecbf1bf92a9641172b55ff1a2c188d3c12a003c2765822417de936a67c89ed65345793faafaf22cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\54a6842c-b7df-495e-aec6-547056ca5d25.vbs
Filesize
733B

MD5
dd662a7c4347f965e03de8df1274c91f

SHA1
8a6d4120bef1eb90508fe8f54ac9730399482254

SHA256
e305680c906b0bf3f73d65418d511d919c24fa740a142bb4535b8e7700c4e093

SHA512
ff651d7337dbdf8b43f0e2f372adf0a6e91a8abdd46d22620aee44441e7706646405b7206485e96f5993c89133b8e82a9661ead155f2680d91df86f3be446bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Updater.exe
Filesize
7.4MB

MD5
9b43fcdf5d68242b0001fd57b5b11681

SHA1
169c73fd4a1fa01335afc67c6157162dbcb121c4

SHA256
71fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078

SHA512
440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.5MB

MD5
a82fcd32e99a85933e2ccdbfc5eaee43

SHA1
e8610f2eae73460a51304ef02f622dc063b2bff0

SHA256
0edf5fbcca983bcdbf3c981913c518fe5afa2fe39227d19d885fb650e9e90bc5

SHA512
8874c8914e6acee42a8b37e5a76ac6bcaa3e11313d48691c1d069f07940fed3726b9a86eeaf2261c5c305c16180e0508b40673c46ef21271dee6616be2214d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
1.4MB

MD5
ecda9264fc1d959ffe35dc9accdd435a

SHA1
72d7caf672d8b7ef901df21cee98b05a3290ac72

SHA256
43590720dd2ae12f9fd462c5b4ef008a7e4795d12262e7d8f39006315c785321

SHA512
4a6cb551db4d3f9f1ec334914d025f931a3b672e498bae72c18a7ed9aa83043e21bad7b0949f5fe8ad184b098be7fd5addcd5fb2fdbbfc535d5be2ac0164411e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b6fe5dab6eb0fb9b662efffd0e5570c1

SHA1
640b9a101a72ed902dac855c8204e7138795395d

SHA256
0f1ae8db1e8aaa3369faad200510006dc055a5f84241f5ddc46777cea84ecc54

SHA512
dec7bb5a580ec36661579e225f9d6364189cc4b1bafab8258ee647257393267fb18d859e9fc81a8a5731309d78e7d0e199d68061ef036ac4c1a4fa3a27c0fb59

Download Submit
\Users\Admin\AppData\Local\Temp\C4Updater.exe
Filesize
7.4MB

MD5
9b43fcdf5d68242b0001fd57b5b11681

SHA1
169c73fd4a1fa01335afc67c6157162dbcb121c4

SHA256
71fce5eafea9e42cd6ab57045ad397bfdb7dfb008277b87345bec8519d479078

SHA512
440a45dd43ef31bd6936888782589d184803c53859c41e5517bbf9531f696cb5da34c39560555ff6b29bbc1b8d057295e4f810267593fc4143f0ebe70d4a5f47

Download Submit
memory/588-138-0x0000000000000000-mapping.dmp

Download
memory/972-208-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/972-161-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/972-152-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/972-106-0x0000000000000000-mapping.dmp

Download
memory/972-172-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1380-277-0x0000000000000000-mapping.dmp

Download
memory/1492-54-0x00000000001B0000-0x0000000000312000-memory.dmp

Filesize
1.4MB

Download
memory/1492-61-0x0000000002040000-0x000000000204C000-memory.dmp

Filesize
48KB

Download
memory/1492-60-0x0000000002030000-0x000000000203E000-memory.dmp

Filesize
56KB

Download
memory/1492-59-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/1492-58-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/1492-57-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1492-56-0x0000000002010000-0x0000000002026000-memory.dmp

Filesize
88KB

Download
memory/1492-55-0x0000000001FF0000-0x000000000200C000-memory.dmp

Filesize
112KB

Download
memory/1668-100-0x0000000000000000-mapping.dmp

Download
memory/2100-154-0x0000000000000000-mapping.dmp

Download
memory/2116-157-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/2116-188-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/2116-204-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/2116-102-0x0000000000000000-mapping.dmp

Download
memory/2116-173-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2116-147-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2116-201-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/2116-184-0x000000001B970000-0x000000001BC6F000-memory.dmp

Filesize
3.0MB

Download
memory/2236-197-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/2236-105-0x0000000000000000-mapping.dmp

Download
memory/2236-202-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/2236-212-0x000000000280B000-0x000000000282A000-memory.dmp

Filesize
124KB

Download
memory/2236-232-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/2236-181-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2236-141-0x0000000002804000-0x0000000002807000-memory.dmp

Filesize
12KB

Download
memory/2236-136-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2336-269-0x0000000000000000-mapping.dmp

Download
memory/2404-66-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/2404-164-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2404-71-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2404-178-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/2404-129-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/2404-175-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/2404-62-0x0000000000000000-mapping.dmp

Download
memory/2404-130-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2404-183-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/2424-128-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/2424-180-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/2424-124-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2424-126-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2424-182-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/2424-63-0x0000000000000000-mapping.dmp

Download
memory/2424-174-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/2424-163-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/2440-198-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2440-199-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/2440-167-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/2440-64-0x0000000000000000-mapping.dmp

Download
memory/2440-125-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2440-176-0x00000000023FB000-0x000000000241A000-memory.dmp

Filesize
124KB

Download
memory/2440-127-0x00000000023F4000-0x00000000023F7000-memory.dmp

Filesize
12KB

Download
memory/2440-86-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2460-65-0x0000000000000000-mapping.dmp

Download
memory/2460-209-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2460-143-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2460-150-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2488-207-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2488-67-0x0000000000000000-mapping.dmp

Download
memory/2488-160-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/2488-151-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2508-256-0x0000000000000000-mapping.dmp

Download
memory/2520-177-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/2520-166-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2520-134-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2520-68-0x0000000000000000-mapping.dmp

Download
memory/2520-132-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2520-187-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2520-193-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/2556-69-0x0000000000000000-mapping.dmp

Download
memory/2556-133-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2556-168-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2556-189-0x000000000290B000-0x000000000292A000-memory.dmp

Filesize
124KB

Download
memory/2556-165-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2556-131-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2556-192-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2556-169-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/2580-200-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2580-70-0x0000000000000000-mapping.dmp

Download
memory/2580-211-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2580-203-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2620-185-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2620-137-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2620-142-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2620-224-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/2620-223-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2620-74-0x0000000000000000-mapping.dmp

Download
memory/2620-219-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/2672-206-0x0000000001EDB000-0x0000000001EFA000-memory.dmp

Filesize
124KB

Download
memory/2672-146-0x0000000001ED4000-0x0000000001ED7000-memory.dmp

Filesize
12KB

Download
memory/2672-194-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/2672-78-0x0000000000000000-mapping.dmp

Download
memory/2672-140-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2672-195-0x0000000001EDB000-0x0000000001EFA000-memory.dmp

Filesize
124KB

Download
memory/2672-179-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2756-153-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2756-81-0x0000000000000000-mapping.dmp

Download
memory/2756-220-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/2756-221-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/2756-218-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/2756-144-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2756-186-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2756-210-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/2868-135-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2868-87-0x0000000000000000-mapping.dmp

Download
memory/2868-139-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2868-191-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2880-118-0x0000000000000000-mapping.dmp

Download
memory/2880-123-0x0000000000FD0000-0x0000000001132000-memory.dmp

Filesize
1.4MB

Download
memory/2916-159-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2916-91-0x0000000000000000-mapping.dmp

Download
memory/2916-171-0x0000000002410000-0x0000000002490000-memory.dmp

Filesize
512KB

Download
memory/2916-149-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2956-205-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/2956-145-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2956-93-0x0000000000000000-mapping.dmp

Download
memory/2956-228-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2956-229-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2956-225-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/2956-156-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2980-226-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/2980-94-0x0000000000000000-mapping.dmp

Download
memory/2980-217-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/2980-148-0x000007FEEC2D0000-0x000007FEECCF3000-memory.dmp

Filesize
10.1MB

Download
memory/2980-227-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2980-158-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2980-190-0x000007FEEAEE0000-0x000007FEEBA3D000-memory.dmp

Filesize
11.4MB

Download
memory/3012-96-0x0000000000000000-mapping.dmp

Download