dcrat | a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Size

2.6MB
MD5

6b0099a51ebff37e6be647f3fd42aa23
SHA1

6313a968fd05ae06f855c8a26dff26494a58970e
SHA256

a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9
SHA512

788448cca4432ec811c94c3c8d61630de030f22de2730acce9f787e3499556cae74899ee8d3e163863745155ba31c52e98d5b9c4bc7c53dcd097c89813ce4820
SSDEEP

49152:emi19AidDFahbHmYZuRJv0uEORfMDsSfFaMpDsrmcY4+:et9zFahbHmR5GOZQL1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2944	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2944	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2724-1-0x0000000000BA0000-0x0000000000E46000-memory.dmp	dcrat
behavioral1/files/0x000700000001932a-27.dat	dcrat
behavioral1/files/0x0007000000019fb8-102.dat	dcrat
behavioral1/files/0x000900000001925b-125.dat	dcrat
behavioral1/files/0x000700000001a071-136.dat	dcrat
behavioral1/files/0x000b00000001a495-194.dat	dcrat
behavioral1/files/0x000700000001a4a5-205.dat	dcrat
behavioral1/files/0x000700000001a4b1-217.dat	dcrat
behavioral1/files/0x000a00000001a4b9-251.dat	dcrat
behavioral1/memory/2860-263-0x0000000001190000-0x0000000001436000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2860	audiodg.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\es-ES\5940a34987c991	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXFA4E.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXCE6.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXF83B.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\audiodg.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\dllhost.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX5FD.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXFF53.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXF430.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\services.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXEEA.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\c5b4cb5e9653cc	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\f3b6ecef712a24	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\56085415360792	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\886983d96e3d3e	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXF431.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\dllhost.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\Google\Temp\audiodg.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\69ddcba757bf72	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXFEE4.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXC78.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXF58.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXF83A.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXFABD.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX5FC.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files (x86)\Google\Temp\42af1c969fbb7b	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\services.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File created	C:\Windows\TAPI\201f16c87fd405	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Windows\TAPI\RCX15D2.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Windows\TAPI\RCX15D3.tmp	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
File opened for modification	C:\Windows\TAPI\a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe
2856	schtasks.exe
1572	schtasks.exe
1296	schtasks.exe
2400	schtasks.exe
2336	schtasks.exe
832	schtasks.exe
2168	schtasks.exe
2688	schtasks.exe
2116	schtasks.exe
2248	schtasks.exe
2280	schtasks.exe
820	schtasks.exe
760	schtasks.exe
1324	schtasks.exe
1584	schtasks.exe
2352	schtasks.exe
2684	schtasks.exe
2228	schtasks.exe
3064	schtasks.exe
2548	schtasks.exe
2528	schtasks.exe
2636	schtasks.exe
2072	schtasks.exe
1972	schtasks.exe
2592	schtasks.exe
2456	schtasks.exe
2876	schtasks.exe
2700	schtasks.exe
1716	schtasks.exe
1104	schtasks.exe
2196	schtasks.exe
1672	schtasks.exe
1348	schtasks.exe
900	schtasks.exe
1956	schtasks.exe
1932	schtasks.exe
952	schtasks.exe
612	schtasks.exe
692	schtasks.exe
2860	schtasks.exe
1248	schtasks.exe
528	schtasks.exe
3048	schtasks.exe
2208	schtasks.exe
1056	schtasks.exe
2288	schtasks.exe
740	schtasks.exe
1360	schtasks.exe
1308	schtasks.exe
1028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2724	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
2724	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
2724	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
2860	audiodg.exe
2860	audiodg.exe
2860	audiodg.exe
2860	audiodg.exe
2860	audiodg.exe
2860	audiodg.exe
2860	audiodg.exe
2860	audiodg.exe
2860	audiodg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2860	audiodg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Token: SeDebugPrivilege	2860	audiodg.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2860	2724	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe	83
PID 2724 wrote to memory of 2860	2724	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe	83
PID 2724 wrote to memory of 2860	2724	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe	83

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe
"C:\Users\Admin\AppData\Local\Temp\a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2724
- C:\Program Files (x86)\Google\Temp\audiodg.exe
  "C:\Program Files (x86)\Google\Temp\audiodg.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9a" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9" /sc ONLOGON /tr "'C:\Windows\TAPI\a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9a" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\WMIADAP.exe

Filesize
2.6MB

MD5
619f94a0ee09f93ede64609ffe79396d

SHA1
a216e6ef161e4c28cb95642490e502b7fa99cf22

SHA256
90122ced5c0ef26813276c7af791fa92cf8ed7b73378fee37bea9da6ff97a0b4

SHA512
1e9a71f5598f7e768935b9a81de0f733c7d30198ed6c8a3de3977f5a1d780ccc15df006ba11c7c7868e68c7e176707860fdc45c0a26d2c1d653149d33451bfdc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe

Filesize
2.6MB

MD5
6b0099a51ebff37e6be647f3fd42aa23

SHA1
6313a968fd05ae06f855c8a26dff26494a58970e

SHA256
a10989f2c084900d5e2ec9586ae6e899abd9a5f0a3ac87cd3401d288a90341f9

SHA512
788448cca4432ec811c94c3c8d61630de030f22de2730acce9f787e3499556cae74899ee8d3e163863745155ba31c52e98d5b9c4bc7c53dcd097c89813ce4820

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\csrss.exe

Filesize
2.6MB

MD5
c8175fd4a0939e64f8fabe5bab5482e9

SHA1
b3c8c69c9c5446c9dce6d58e387d882d0c1b40f6

SHA256
6241d9cfab225f7a41e5cbade639a59edd6c26465c192f32051b4da6e959d2be

SHA512
37d956748c7f1448675cdefac744fd0cae7579088092738fad6aa2e6055ab8c6cf09a19d77dcc7a4745821a9d24bf2021f2675dd75611b499ef8c9f6675de1e2

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\wininit.exe

Filesize
2.6MB

MD5
8d8eadc8c4ca6a9d12f820879c4ebbed

SHA1
f1b667c77acdca679680a6ff3b0a2d25bf359f14

SHA256
20c734a3eb3a67e11e8faac50b8fd23e338320512f6353c60fb95a50c2b478c6

SHA512
ac07a2593217945426984543905bb291df141b39be61ffe3dd00b42004fc722ae4fa540c4f5362cc2bb9c5d5eb53c5e5624e51727dc6b849e2ed9ae075fb097c

Download Submit
C:\Program Files\Windows Media Player\Network Sharing\services.exe

Filesize
2.6MB

MD5
4171d563d286989b84903eac2f43e38c

SHA1
cb290c95688337fdb5b991592c810bbeb7c1339a

SHA256
cf9d6a1051d607f3ed7d84d47b39f10dc118cd6f10f7337b22f6081ee6c9ab0c

SHA512
a3e535c0315b1d876afeb8358c008cc1f00cd205008885866dd8f75ddc1a63b0305c4e5eb6b1a0b9c40e878d57725e987d800d6148e548d88fb311f646d19b1e

Download Submit
C:\Program Files\Windows NT\TableTextService\es-ES\dllhost.exe

Filesize
2.6MB

MD5
e67b397afed4ace517b9306d95f2f3e1

SHA1
bb7f4e5b32ef8bae2ad2e80fd4ace17fc7c3c0ef

SHA256
06f3683e0791de1ba9d025f48ba07812fff1c4582217bebf4b71e7c5dc78397e

SHA512
0f710565b909accc6cea75931e8d4199bbf7ef757ed1725bd4386aab1c786cd2246ec69bf040b1b5920c5f8eb21773dcc1c8e701700f68f8767a6f78edd753ea

Download Submit
C:\ProgramData\Microsoft Help\lsass.exe

Filesize
2.6MB

MD5
b289ba44e41010c267e3465e4dee7fad

SHA1
35966954c34f363f1ac160dab78360f588057ca2

SHA256
dbf2692ccf923db88238c6d7e9dae7bf784c39e3716d17d1408bccbe77da3114

SHA512
6e72ed2ceeeab986ac55ea8eace96df431dbb793445dfdae1ae3779013024e32cb5c45775363c0a810060c874932f7d143c5cf9361750d9e38da826aadd538e9

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe

Filesize
2.6MB

MD5
6c36a822231fc8b89b5bfa6f2ebe6a1f

SHA1
96518957cc90faf6235d4816eeb03a640855d862

SHA256
bf7e11b0e28cdcd4805a7d666b5d9d7e28cb7df1cc4932a848cfc798077b1af7

SHA512
5fe025646b45cf602ae7d735904f01d3c59e66c391c16d6a8a5ff67c794950e20f85b148a6fedced91a68c620f179cdd756655636a2c94f58bb24ed3b0cca3dd

Download Submit
memory/2724-7-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2724-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

Filesize
4KB

Download
memory/2724-10-0x0000000002250000-0x00000000022A6000-memory.dmp

Filesize
344KB

Download
memory/2724-11-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2724-12-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2724-14-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2724-13-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2724-15-0x0000000002370000-0x000000000237C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x0000000002380000-0x000000000238E000-memory.dmp

Filesize
56KB

Download
memory/2724-17-0x0000000002390000-0x000000000239C000-memory.dmp

Filesize
48KB

Download
memory/2724-18-0x0000000002420000-0x000000000242A000-memory.dmp

Filesize
40KB

Download
memory/2724-9-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/2724-8-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2724-6-0x0000000000700000-0x0000000000710000-memory.dmp

Filesize
64KB

Download
memory/2724-5-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2724-4-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2724-3-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2724-208-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

Filesize
4KB

Download
memory/2724-2-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-232-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-1-0x0000000000BA0000-0x0000000000E46000-memory.dmp

Filesize
2.6MB

Download
memory/2724-264-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-263-0x0000000001190000-0x0000000001436000-memory.dmp

Filesize
2.6MB

Download
memory/2860-265-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download