dcrat | 94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
Size

1.7MB
MD5

2948e1b1cfd51feb20f6b458a1543fde
SHA1

37bd03c0a2c3b781770e4f9deccf685a4d1b01dc
SHA256

94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34
SHA512

de61333dfe517aba5560a71cf5e53aaf23dad6c7427fce27be02f3c12fcc6c16e59945aa4df91e60588cf475314ebe32df76c413ef210d5ad4fb51ae7af25641
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJs:NgwuuEpdDLNwVMeXDL0fdSzAG5

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2936	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2936	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2736-1-0x0000000000B00000-0x0000000000CB6000-memory.dmp	dcrat
behavioral1/files/0x0006000000019480-28.dat	dcrat
behavioral1/files/0x00060000000195a7-152.dat	dcrat
behavioral1/files/0x000b0000000195ab-214.dat	dcrat
behavioral1/memory/1664-216-0x0000000000AE0000-0x0000000000C96000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
3024	powershell.exe
988	powershell.exe
2952	powershell.exe
2696	powershell.exe
2392	powershell.exe
2676	powershell.exe
3020	powershell.exe
3028	powershell.exe
3008	powershell.exe
868	powershell.exe
884	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe

Executes dropped EXE 1 IoCs

pid	Process
1664	Idle.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\0C0A\RCX8CAC.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\SysWOW64\0C0A\RCX8CFB.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\SysWOW64\0C0A\dllhost.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\SysWOW64\0C0A\dllhost.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\SysWOW64\0C0A\5940a34987c991	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCX8A98.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\dllhost.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\wininit.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9A3F.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\RCX9D3D.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files\Windows Defender\de-DE\dllhost.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\56085415360792	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCX9337.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCX9348.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9ABD.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\RCX9D4E.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files\Windows Defender\de-DE\5940a34987c991	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\6cb0b6c459d5d3	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\wininit.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCX8A97.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\en-US\OSPPSVC.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\Setup\State\RCX955B.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\Setup\State\Idle.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\Media\Festival\RCX9FDF.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\TAPI\Idle.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\Media\Festival\dwm.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\TAPI\RCX8884.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\en-US\RCX9133.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\en-US\OSPPSVC.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\TAPI\RCX8883.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\Media\Festival\RCX9FCF.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\en-US\1610b97d3ab4a7	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\Setup\State\Idle.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\en-US\RCX9123.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\Setup\State\RCX957B.tmp	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File opened for modification	C:\Windows\Media\Festival\dwm.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\TAPI\Idle.exe	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\TAPI\6ccacd8608530f	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\Setup\State\6ccacd8608530f	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
File created	C:\Windows\Media\Festival\6cb0b6c459d5d3	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1748	schtasks.exe
1664	schtasks.exe
2168	schtasks.exe
1376	schtasks.exe
3032	schtasks.exe
2452	schtasks.exe
876	schtasks.exe
924	schtasks.exe
2820	schtasks.exe
756	schtasks.exe
2124	schtasks.exe
2564	schtasks.exe
2332	schtasks.exe
1096	schtasks.exe
2164	schtasks.exe
1620	schtasks.exe
2368	schtasks.exe
2720	schtasks.exe
2176	schtasks.exe
2668	schtasks.exe
1056	schtasks.exe
2712	schtasks.exe
2676	schtasks.exe
2592	schtasks.exe
2956	schtasks.exe
1320	schtasks.exe
2728	schtasks.exe
2972	schtasks.exe
2920	schtasks.exe
912	schtasks.exe
2408	schtasks.exe
2864	schtasks.exe
2488	schtasks.exe
2364	schtasks.exe
996	schtasks.exe
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2392	powershell.exe
3008	powershell.exe
3028	powershell.exe
3024	powershell.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2964	powershell.exe
3020	powershell.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2696	powershell.exe
868	powershell.exe
2952	powershell.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
2676	powershell.exe
988	powershell.exe
884	powershell.exe
2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1664	Idle.exe
Token: SeDebugPrivilege	884	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2392	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	67
PID 2736 wrote to memory of 2392	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	67
PID 2736 wrote to memory of 2392	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	67
PID 2736 wrote to memory of 2964	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	68
PID 2736 wrote to memory of 2964	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	68
PID 2736 wrote to memory of 2964	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	68
PID 2736 wrote to memory of 3024	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	69
PID 2736 wrote to memory of 3024	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	69
PID 2736 wrote to memory of 3024	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	69
PID 2736 wrote to memory of 2676	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	70
PID 2736 wrote to memory of 2676	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	70
PID 2736 wrote to memory of 2676	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	70
PID 2736 wrote to memory of 3020	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	71
PID 2736 wrote to memory of 3020	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	71
PID 2736 wrote to memory of 3020	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	71
PID 2736 wrote to memory of 3028	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	72
PID 2736 wrote to memory of 3028	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	72
PID 2736 wrote to memory of 3028	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	72
PID 2736 wrote to memory of 3008	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	73
PID 2736 wrote to memory of 3008	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	73
PID 2736 wrote to memory of 3008	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	73
PID 2736 wrote to memory of 988	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	74
PID 2736 wrote to memory of 988	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	74
PID 2736 wrote to memory of 988	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	74
PID 2736 wrote to memory of 2952	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	75
PID 2736 wrote to memory of 2952	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	75
PID 2736 wrote to memory of 2952	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	75
PID 2736 wrote to memory of 2696	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	76
PID 2736 wrote to memory of 2696	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	76
PID 2736 wrote to memory of 2696	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	76
PID 2736 wrote to memory of 868	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	77
PID 2736 wrote to memory of 868	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	77
PID 2736 wrote to memory of 868	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	77
PID 2736 wrote to memory of 884	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	78
PID 2736 wrote to memory of 884	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	78
PID 2736 wrote to memory of 884	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	78
PID 2736 wrote to memory of 1664	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	91
PID 2736 wrote to memory of 1664	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	91
PID 2736 wrote to memory of 1664	2736	94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe
"C:\Users\Admin\AppData\Local\Temp\94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\Setup\State\Idle.exe
  "C:\Windows\Setup\State\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\TAPI\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\0C0A\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\0C0A\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\0C0A\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Setup\State\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Festival\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Media\Festival\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Festival\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9ABD.tmp

Filesize
1.7MB

MD5
f44311702b655e4f51f57d3c1eda5f29

SHA1
dca02529b70723c8f0caf4115c596e208ef224cc

SHA256
6ff77f24015d27984077c7f06b15425f91d3ee6da513b0a33ef4a9955a720ea0

SHA512
e9d8e72f6069ee3b9f66a88aadbb9604816800bf3549ca1be19c3e70f3a1dcc2cc4c051bfa39284ede0a9add546a099d50798c356e0c700071da9207651e00d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec6ab5914daca04b39bee391811366e2

SHA1
ad72db617d13763752cb58647dee26efc45e28e8

SHA256
b5cb10d16d428b37cb90d50a42beb31f5ff1fd2af39a655a29180eeddc1acfd9

SHA512
ecb00ef2adb25ba85d0aff4f8a37a44a3c3e2c70b232e5b66d69aa208a411a9ea41b54ac828ea196f5829eefb04cc4509b31075898e22fe61e46c44f781849b8

Download Submit
C:\Windows\Setup\State\Idle.exe

Filesize
1.7MB

MD5
ef0eaa6480733054309ffbbd02f057d0

SHA1
43d3b54ecc3ad577e887b3ce30a94e7ed65d7281

SHA256
97a5e51d92d54fc68b2bd391d168738a1c20aa86a265e6bdecbd00c30f57366d

SHA512
7e8c601bfcd6f37989e7ff196c83d1657c6f63d5a4cdc788035955c7f2d0d4e21ce93305245d9ba9d852dd9b436cbe16b39c79ce7a2546914f961a12f54fdd9f

Download Submit
C:\Windows\en-US\OSPPSVC.exe

Filesize
1.7MB

MD5
2948e1b1cfd51feb20f6b458a1543fde

SHA1
37bd03c0a2c3b781770e4f9deccf685a4d1b01dc

SHA256
94cafccc6d310401af379e3467365f53a66cf97a487cfbc9ea97974123a72f34

SHA512
de61333dfe517aba5560a71cf5e53aaf23dad6c7427fce27be02f3c12fcc6c16e59945aa4df91e60588cf475314ebe32df76c413ef210d5ad4fb51ae7af25641

Download Submit
memory/1664-216-0x0000000000AE0000-0x0000000000C96000-memory.dmp

Filesize
1.7MB

Download
memory/2392-209-0x0000000001F20000-0x0000000001F28000-memory.dmp

Filesize
32KB

Download
memory/2736-7-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2736-6-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/2736-8-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2736-9-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2736-10-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2736-12-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2736-13-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/2736-14-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/2736-15-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2736-16-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/2736-17-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2736-20-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-21-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2736-135-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/2736-5-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2736-178-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-4-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2736-202-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2736-262-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-1-0x0000000000B00000-0x0000000000CB6000-memory.dmp

Filesize
1.7MB

Download
memory/2736-236-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-203-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download