dcrat | 7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

Analysis

max time kernel
117s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Size

2.6MB
MD5

12dcc1cafbf752f84a12d3bed14cd6e2
SHA1

9ebf8e2fef206cefff0cb2474f284869827e6e45
SHA256

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445
SHA512

e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2964	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2964	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3020-1-0x0000000000B90000-0x0000000000E38000-memory.dmp	dcrat
behavioral1/files/0x00050000000186ee-27.dat	dcrat
behavioral1/files/0x000500000001a4d4-69.dat	dcrat
behavioral1/files/0x00070000000186ea-89.dat	dcrat
behavioral1/files/0x0008000000016d42-115.dat	dcrat
behavioral1/files/0x000c0000000186ee-193.dat	dcrat
behavioral1/files/0x0007000000019282-202.dat	dcrat
behavioral1/memory/1408-266-0x00000000010E0000-0x0000000001388000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1408	dllhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\bg-BG\taskhost.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Windows\System32\bg-BG\b75386f1303e64	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\System32\bg-BG\RCXC1BF.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\System32\bg-BG\RCXC1C0.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\System32\bg-BG\taskhost.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\0a1fd5f707cd16	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Microsoft Office\dllhost.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\lsass.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\6203df4a6bafc7	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Common Files\RCXCB1A.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\winlogon.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXD580.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXC907.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXCD30.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\RCXD157.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXD5EE.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Windows Sidebar\it-IT\winlogon.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Microsoft Office\dllhost.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Common Files\886983d96e3d3e	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Common Files\RCXCB1B.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\lsass.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\42af1c969fbb7b	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Common Files\csrss.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\24dbde2999530e	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Windows Sidebar\it-IT\cc11b995f2a76d	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\audiodg.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\RCXD168.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\RCXDF58.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXBFBB.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXBFBC.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\RCXDF59.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\audiodg.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Program Files\Microsoft Office\5940a34987c991	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXC8F6.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXCD2F.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files\Common Files\csrss.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\System.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\IME\IMETC10\HELP\RCXBCCC.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\RCXD36C.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\RCXD36D.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\System.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Windows\winsxs\csrss.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\IME\IMETC10\HELP\WmiPrvSE.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Windows\IME\IMETC10\HELP\24dbde2999530e	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File opened for modification	C:\Windows\IME\IMETC10\HELP\RCXBDB7.tmp	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Windows\servicing\de-DE\sppsvc.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Windows\IME\IMETC10\HELP\WmiPrvSE.exe	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
File created	C:\Windows\SoftwareDistribution\SelfUpdate\Handler\27d1bcfc3c54e0	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1936	schtasks.exe
1948	schtasks.exe
1408	schtasks.exe
2256	schtasks.exe
2500	schtasks.exe
2856	schtasks.exe
2972	schtasks.exe
2640	schtasks.exe
1264	schtasks.exe
2148	schtasks.exe
2440	schtasks.exe
1088	schtasks.exe
2088	schtasks.exe
2096	schtasks.exe
1680	schtasks.exe
1824	schtasks.exe
1168	schtasks.exe
900	schtasks.exe
1652	schtasks.exe
2172	schtasks.exe
2592	schtasks.exe
1848	schtasks.exe
780	schtasks.exe
2808	schtasks.exe
2164	schtasks.exe
2448	schtasks.exe
352	schtasks.exe
1812	schtasks.exe
2708	schtasks.exe
3064	schtasks.exe
588	schtasks.exe
1796	schtasks.exe
2928	schtasks.exe
2268	schtasks.exe
2724	schtasks.exe
788	schtasks.exe
2176	schtasks.exe
1148	schtasks.exe
2092	schtasks.exe
2604	schtasks.exe
2860	schtasks.exe
2568	schtasks.exe
2620	schtasks.exe
492	schtasks.exe
1888	schtasks.exe
708	schtasks.exe
2976	schtasks.exe
2588	schtasks.exe
2556	schtasks.exe
2388	schtasks.exe
968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3020	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
3020	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
3020	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
1408	dllhost.exe
1408	dllhost.exe
1408	dllhost.exe
1408	dllhost.exe
1408	dllhost.exe
1408	dllhost.exe
1408	dllhost.exe
1408	dllhost.exe
1408	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1408	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Token: SeDebugPrivilege	1408	dllhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 3044	3020	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe	83
PID 3020 wrote to memory of 3044	3020	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe	83
PID 3020 wrote to memory of 3044	3020	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe	83
PID 3044 wrote to memory of 1748	3044	cmd.exe	85
PID 3044 wrote to memory of 1748	3044	cmd.exe	85
PID 3044 wrote to memory of 1748	3044	cmd.exe	85
PID 3044 wrote to memory of 1408	3044	cmd.exe	86
PID 3044 wrote to memory of 1408	3044	cmd.exe	86
PID 3044 wrote to memory of 1408	3044	cmd.exe	86

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe
"C:\Users\Admin\AppData\Local\Temp\7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RUJOSyqox9.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1748
- - C:\Program Files\Microsoft Office\dllhost.exe
    "C:\Program Files\Microsoft Office\dllhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMETC10\HELP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\IME\IMETC10\HELP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\IMETC10\HELP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\System32\bg-BG\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\bg-BG\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\bg-BG\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SelfUpdate\Handler\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\dllhost.exe

Filesize
2.6MB

MD5
93b1150465f02f44e9a84880dc7690f0

SHA1
4bcb5d54a03076341d9c9887e697f110f6acb662

SHA256
d5ff678f3f18560cab1bc16a2b5ca8c989e1feb87cfacae65847eb0be14def42

SHA512
75a386b55515f33b6e47970f8096ccd51863372000b90fa4b094961ac36b1e4df223297704aebdae667e9a5f3fb70f7b585a09564eb1307afea990f9ecf804ac

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe

Filesize
2.6MB

MD5
12dcc1cafbf752f84a12d3bed14cd6e2

SHA1
9ebf8e2fef206cefff0cb2474f284869827e6e45

SHA256
7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

SHA512
e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe

Filesize
2.6MB

MD5
e58704bc3c90bb1f8b49557ed52e8bef

SHA1
8ad11ab2f54b60cb34294bd93362158d8e6d3185

SHA256
e6fa2135f041b359ee749153bcb7b73dc83b7643ea80225c1f8d5ab61c8827d4

SHA512
43db6598af88d05107eddd3850869f86bd01523d8846e5056e35bd604d19b9c959113684ef6243d44efab8c0431068a35abcaeda349bf6f698f5bcb3562735f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUJOSyqox9.bat

Filesize
210B

MD5
77ee5f99b57af713d395dc421d06460d

SHA1
768da336825213b944c7ed70eb3dfb15f2cce8d1

SHA256
93e281fbb746e0c68bf047497afd4bde0f216785d4e0087a4fb05eb9af001388

SHA512
616c508a529bcfc560e2f1b2bd0df317e7df7c5a802744938ee570dd652050f27452b7ab91fccd85c57a90f3c61ef327da206d1bed9cb94771ad5aa884f965b7

Download Submit
C:\Users\Default\RCXD7F2.tmp

Filesize
2.6MB

MD5
aef3b0cea73cc8fbacb1e43ae22d6328

SHA1
5eab539869f6c178f825a1ad82e00c55c74f33af

SHA256
4162a90fa72d21acfef42e39ed90a774b2e92c5653126c33827093660b3b8352

SHA512
e8eee628a82103e0d22e30819a3ec58d79048e66b7515f1b046cdcf7553f7490933283add39f8dda3e0f395f5e69401b4a64ff18b5678c9958845d1d4998b9f3

Download Submit
C:\Windows\IME\IMETC10\HELP\WmiPrvSE.exe

Filesize
2.6MB

MD5
5ec8376897e3cbc88c09594edf78a38b

SHA1
e3dd0ae3f37a89ed6499b023954adc2c9b906c4e

SHA256
f4701a78172ddc617a3d71591e6961c5013c933e9592e67e2658545625682dea

SHA512
22c532fce33beb1057a824d548c0bc6665f4ae7018f02c108ce0bd1aea8d83062de3c8cc50c041da1b3a67ca7d661f708f26e53fbba759f86d84ba02b1297b97

Download Submit
C:\Windows\System32\bg-BG\RCXC1C0.tmp

Filesize
2.6MB

MD5
02911d19174feb724cd47570d4188a58

SHA1
9b5a3e306b44cf73cb6b6f02b7355843029dcb8f

SHA256
dce2e3db78a32c0826767f5cb2c40f909b91d0db2209215939b5d6fbacc1df2e

SHA512
1de27f7ed6118691cfe59543a0f00c692d58ca46991ad7ecae936435cd79da97c4e56bee97bb8e14a9d9c171ef34789a812c47cc9b2991eb896be88f48c2c9b0

Download Submit
memory/1408-266-0x00000000010E0000-0x0000000001388000-memory.dmp

Filesize
2.7MB

Download
memory/3020-7-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/3020-8-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/3020-10-0x0000000000A80000-0x0000000000AD6000-memory.dmp

Filesize
344KB

Download
memory/3020-11-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/3020-12-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

Filesize
72KB

Download
memory/3020-13-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/3020-14-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/3020-15-0x00000000022A0000-0x00000000022AC000-memory.dmp

Filesize
48KB

Download
memory/3020-16-0x00000000022B0000-0x00000000022BE000-memory.dmp

Filesize
56KB

Download
memory/3020-17-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/3020-18-0x0000000002350000-0x000000000235A000-memory.dmp

Filesize
40KB

Download
memory/3020-9-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/3020-0-0x000007FEF5463000-0x000007FEF5464000-memory.dmp

Filesize
4KB

Download
memory/3020-6-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/3020-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/3020-4-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/3020-198-0x000007FEF5463000-0x000007FEF5464000-memory.dmp

Filesize
4KB

Download
memory/3020-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/3020-210-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-262-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-2-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-1-0x0000000000B90000-0x0000000000E38000-memory.dmp

Filesize
2.7MB

Download