dcrat | 0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Size

984KB
MD5

1a98526d92138aeec690a1792f312f70
SHA1

4106d69f74c1feda16eb0e4ac813f5facaab2371
SHA256

0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c
SHA512

c8ed2301a56886b2558ba725043e36799443705cc04a09f0cf41c91665c03d54d7452d3cecf8bc77196f01321e466d27ec6ace976ec64720f4d1c90a3322731d
SSDEEP

12288:MyEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgoH:MyErYT+PvXIUln/1GJgoH

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1868	schtasks.exe	85

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/464-1-0x00000000009B0000-0x0000000000AAC000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b6b-25.dat	dcrat
behavioral2/files/0x000500000001da88-61.dat	dcrat
behavioral2/files/0x0010000000023b62-96.dat	dcrat
behavioral2/files/0x000c000000023b6b-107.dat	dcrat
behavioral2/files/0x000a000000023b86-118.dat	dcrat
behavioral2/files/0x000c000000023b8d-141.dat	dcrat
behavioral2/memory/3704-319-0x00000000006A0000-0x000000000079C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3408	powershell.exe
1068	powershell.exe
4848	powershell.exe
4368	powershell.exe
1552	powershell.exe
740	powershell.exe
2736	powershell.exe
5000	powershell.exe
3472	powershell.exe
2272	powershell.exe
3484	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe

Executes dropped EXE 1 IoCs

pid	Process
3704	MusNotification.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotification.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\dllhost.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Program Files (x86)\Common Files\Services\ea9f0e6c9e2dcd	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Program Files\Windows Mail\RCX664E.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX6D58.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCX6D59.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\taskhostw.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Program Files (x86)\Common Files\Services\taskhostw.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Program Files\Windows Mail\RCX664D.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\taskhostw.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\TAPI\RCX71F0.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\TAPI\RCX725E.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\ShellComponents\RuntimeBroker.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Windows\ShellComponents\RuntimeBroker.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\TAPI\sppsvc.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Windows\TAPI\sppsvc.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\ShellComponents\RCX7706.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\Prefetch\RCX7B7F.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\Prefetch\taskhostw.exe	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Windows\TAPI\0a1fd5f707cd16	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Windows\ShellComponents\9e8d7a4ca61bd9	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File created	C:\Windows\Prefetch\ea9f0e6c9e2dcd	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\ShellComponents\RCX7705.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
File opened for modification	C:\Windows\Prefetch\RCX7B7E.tmp	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1700	schtasks.exe
3576	schtasks.exe
5092	schtasks.exe
4964	schtasks.exe
1076	schtasks.exe
4740	schtasks.exe
3584	schtasks.exe
3012	schtasks.exe
1652	schtasks.exe
3532	schtasks.exe
1036	schtasks.exe
4576	schtasks.exe
3032	schtasks.exe
3988	schtasks.exe
2576	schtasks.exe
540	schtasks.exe
4200	schtasks.exe
1600	schtasks.exe
3964	schtasks.exe
3888	schtasks.exe
1960	schtasks.exe
2044	schtasks.exe
5048	schtasks.exe
1104	schtasks.exe
804	schtasks.exe
836	schtasks.exe
4208	schtasks.exe
4728	schtasks.exe
732	schtasks.exe
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
3472	powershell.exe
3472	powershell.exe
4368	powershell.exe
4368	powershell.exe
1552	powershell.exe
1552	powershell.exe
5000	powershell.exe
5000	powershell.exe
3408	powershell.exe
3408	powershell.exe
2736	powershell.exe
2736	powershell.exe
740	powershell.exe
740	powershell.exe
4848	powershell.exe
4848	powershell.exe
1068	powershell.exe
1068	powershell.exe
2272	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3704	MusNotification.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 4848	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	117
PID 464 wrote to memory of 4848	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	117
PID 464 wrote to memory of 3472	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	118
PID 464 wrote to memory of 3472	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	118
PID 464 wrote to memory of 1552	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	119
PID 464 wrote to memory of 1552	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	119
PID 464 wrote to memory of 4368	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	121
PID 464 wrote to memory of 4368	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	121
PID 464 wrote to memory of 3408	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	122
PID 464 wrote to memory of 3408	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	122
PID 464 wrote to memory of 1068	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	123
PID 464 wrote to memory of 1068	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	123
PID 464 wrote to memory of 2272	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	124
PID 464 wrote to memory of 2272	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	124
PID 464 wrote to memory of 3484	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	125
PID 464 wrote to memory of 3484	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	125
PID 464 wrote to memory of 740	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	126
PID 464 wrote to memory of 740	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	126
PID 464 wrote to memory of 2736	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	127
PID 464 wrote to memory of 2736	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	127
PID 464 wrote to memory of 5000	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	128
PID 464 wrote to memory of 5000	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	128
PID 464 wrote to memory of 3704	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	139
PID 464 wrote to memory of 3704	464	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe	139

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MusNotification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	MusNotification.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe
"C:\Users\Admin\AppData\Local\Temp\0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Users\All Users\MusNotification.exe
  "C:\Users\All Users\MusNotification.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Services\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\All Users\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Prefetch\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MusNotification.exe

Filesize
984KB

MD5
f808dbdb661b10d84ae19cb7feef4c27

SHA1
af5d7a5a82937015ce480e2eb2538ae120f1fac0

SHA256
880af5e04b1e6c7dc106a1962042f8cb622e87e279851919746523f6b3a07ded

SHA512
953be457277143baa33feec2122173784d668ab7668b8f3805cd58bd0076b9ac67dd9fd46bead9d62d480e49ec88e05c31b7f0c5ea7fb5ef69d38e4da6bc6b59

Download Submit
C:\Recovery\WindowsRE\System.exe

Filesize
984KB

MD5
1a98526d92138aeec690a1792f312f70

SHA1
4106d69f74c1feda16eb0e4ac813f5facaab2371

SHA256
0e01a81dedc0746ae1314e1243e92e32a7fceed35c0337c596bd2029eced9c6c

SHA512
c8ed2301a56886b2558ba725043e36799443705cc04a09f0cf41c91665c03d54d7452d3cecf8bc77196f01321e466d27ec6ace976ec64720f4d1c90a3322731d

Download Submit
C:\Recovery\WindowsRE\System.exe

Filesize
984KB

MD5
dcf33e58e092d699ae8210d18e88940d

SHA1
8fefd2f1897cb45def37ab7132215b225aae58e8

SHA256
d9d9b1e6065eee018b2b19715109796e45d81a75ad99ea5fa37a0a28bc3afc7a

SHA512
f4822f1d9c75d9e13b6600e884cac1578f261afd5e6f87d736c889c10d7bb3952e52220896cf78da742d3fe86c5b0993e8bf1ddca3b4a978cc8019d3319fde81

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
984KB

MD5
315a57f77dd120447872e8e8beb2437a

SHA1
65b57a8a6da9e6ec4ee67fbfa80655a09bf5225d

SHA256
cf9a5452d102dcbc3bad2a8136c381d53da0fedf69d97868b9efd4b20d9a6fb3

SHA512
03a2087e19b9ff05b1a7ff10feea9520a5a1bc3747fbc84151a20bbac2ff4271a261250792bff5699cdda2fdade5312be4c9f5d9b6d5df4e818c235e89860242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vimovzzh.i3b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\StartMenuExperienceHost.exe

Filesize
984KB

MD5
8ba66873c9e8aaaa61ec9b9c7ecf8ed4

SHA1
28dbebe110dc34d86a8fac361d22a7fdf2d284cc

SHA256
3117a0851998109e62ca94c1c061fa0dd6c6556130f45d71dc4c4b162ee7f3c5

SHA512
3b1371702949b4420a39c66f58d76baa28dfc5f484f9921a5510f7cf8e40e6f7fa10061b8e844ac420d820367109674a34927ee4c97e4eb8aefe5661892ba994

Download Submit
C:\Windows\TAPI\sppsvc.exe

Filesize
984KB

MD5
e64f4163af4d6e33a32bf17690fa8d3c

SHA1
8494e84dfe434f0564cf6a45775146242588aeaf

SHA256
1a9a74217246d2f4d346351d33d4b346e2b0f1836ea5544c5b0fb5a73a714c10

SHA512
3cfee3f38cd997396307cc742ecb368b6c4a3d39cf0f491950df9f2adf20b536a0c9977e91c89a6baea9d3babc8fbe29ae106990bae4bb6009da6398077637f0

Download Submit
memory/464-8-0x0000000002D10000-0x0000000002D1C000-memory.dmp

Filesize
48KB

Download
memory/464-156-0x00007FFD9B4A3000-0x00007FFD9B4A5000-memory.dmp

Filesize
8KB

Download
memory/464-17-0x00007FFD9B4A0000-0x00007FFD9BF61000-memory.dmp

Filesize
10.8MB

Download
memory/464-14-0x000000001B750000-0x000000001B75C000-memory.dmp

Filesize
48KB

Download
memory/464-18-0x00007FFD9B4A0000-0x00007FFD9BF61000-memory.dmp

Filesize
10.8MB

Download
memory/464-10-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/464-11-0x000000001B720000-0x000000001B728000-memory.dmp

Filesize
32KB

Download
memory/464-12-0x000000001B730000-0x000000001B73E000-memory.dmp

Filesize
56KB

Download
memory/464-13-0x000000001B740000-0x000000001B74C000-memory.dmp

Filesize
48KB

Download
memory/464-0-0x00007FFD9B4A3000-0x00007FFD9B4A5000-memory.dmp

Filesize
8KB

Download
memory/464-5-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/464-9-0x000000001B700000-0x000000001B70C000-memory.dmp

Filesize
48KB

Download
memory/464-6-0x0000000002CE0000-0x0000000002CF6000-memory.dmp

Filesize
88KB

Download
memory/464-1-0x00000000009B0000-0x0000000000AAC000-memory.dmp

Filesize
1008KB

Download
memory/464-306-0x00007FFD9B4A0000-0x00007FFD9BF61000-memory.dmp

Filesize
10.8MB

Download
memory/464-318-0x00007FFD9B4A0000-0x00007FFD9BF61000-memory.dmp

Filesize
10.8MB

Download
memory/464-2-0x00007FFD9B4A0000-0x00007FFD9BF61000-memory.dmp

Filesize
10.8MB

Download
memory/464-7-0x0000000002D00000-0x0000000002D0A000-memory.dmp

Filesize
40KB

Download
memory/464-4-0x0000000002CC0000-0x0000000002CC8000-memory.dmp

Filesize
32KB

Download
memory/464-3-0x0000000002CB0000-0x0000000002CBE000-memory.dmp

Filesize
56KB

Download
memory/1552-215-0x000001E0E19C0000-0x000001E0E19E2000-memory.dmp

Filesize
136KB

Download
memory/3704-319-0x00000000006A0000-0x000000000079C000-memory.dmp

Filesize
1008KB

Download