dcrat | 16771b819b03044356bad5b6d2a6b0f84e7fbd94c336743b58bbe5dc2e2ccbe8

Analysis

max time kernel
259s
max time network
296s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ebabb8b4bb51cf.exe
Size

8.1MB
MD5

9ae6eccd4947fa65016152db60a1e9c4
SHA1

ac6693c8fc03c286c93860e0c13474151c2f1557
SHA256

16771b819b03044356bad5b6d2a6b0f84e7fbd94c336743b58bbe5dc2e2ccbe8
SHA512

11974385658bd5a20819cf859c7058198f61fbad1566ddbd9788806097b559434ba8cd12a59ea82dd86e3c8a225571d3b2cac3a97514c20cdbe49f6a0423adf8
SSDEEP

49152:Evqgk7XySAxNIQcmwYEhwUdKTMcZONvPUMPbANZ9B0hKuSZDidHutYPibit:Phzt

Score

10^/10

dcrat umbral evasion execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1238029585401118791/gfyAlvpc7SDO3NG27soVqIFhCMnxRnPz2IckSI5fgwGxsHtYvpmkNmab2e4eUEVs2XqF

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 8 IoCs

resource	yara_rule
behavioral1/memory/2956-17-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral1/memory/2956-15-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral1/memory/2956-21-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral1/memory/2956-12-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral1/memory/2956-9-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral1/memory/2956-7-0x0000000000400000-0x000000000060E000-memory.dmp	family_umbral
behavioral1/files/0x003400000001480e-34.dat	family_umbral
behavioral1/memory/2428-42-0x00000000000F0000-0x0000000000130000-memory.dmp	family_umbral

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1684	schtasks.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1684	schtasks.exe	45

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2956-17-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral1/memory/2956-15-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral1/memory/2956-21-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral1/memory/2956-12-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral1/memory/2956-9-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral1/memory/2956-7-0x0000000000400000-0x000000000060E000-memory.dmp	dcrat
behavioral1/files/0x000b0000000144e0-25.dat	dcrat
behavioral1/files/0x0007000000014eb9-72.dat	dcrat
behavioral1/memory/2216-76-0x0000000000940000-0x0000000000ACC000-memory.dmp	dcrat
behavioral1/files/0x000d000000015cce-159.dat	dcrat
behavioral1/files/0x0010000000015cce-209.dat	dcrat
behavioral1/files/0x000b000000015cd9-243.dat	dcrat
behavioral1/memory/2624-286-0x0000000000EC0000-0x000000000104C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2704	svchost.exe
2428	explorer.exe
2216	savesref.exe
2624	savesref.exe

Loads dropped DLL 4 IoCs

pid	Process
2956	RegAsm.exe
2956	RegAsm.exe
1376	cmd.exe
1376	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	savesref.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 2956	1664	7ebabb8b4bb51cf.exe	28

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX4ACF.tmp	savesref.exe
File created	C:\Program Files\Internet Explorer\de-DE\7a0fd90576e088	savesref.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\lsass.exe	savesref.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCX3663.tmp	savesref.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\explorer.exe	savesref.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\lsass.exe	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX345D.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX345E.tmp	savesref.exe
File created	C:\Program Files\Internet Explorer\de-DE\explorer.exe	savesref.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\56085415360792	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX4ACE.tmp	savesref.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\6203df4a6bafc7	savesref.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RCX3662.tmp	savesref.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe	savesref.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\RCX3D4C.tmp	savesref.exe
File opened for modification	C:\Windows\Cursors\conhost.exe	savesref.exe
File created	C:\Windows\Cursors\conhost.exe	savesref.exe
File created	C:\Windows\Cursors\088424020bedd6	savesref.exe
File opened for modification	C:\Windows\Cursors\RCX3CDE.tmp	savesref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1228	schtasks.exe
2832	schtasks.exe
2404	schtasks.exe
2584	schtasks.exe
2288	schtasks.exe
2096	schtasks.exe
2372	schtasks.exe
2904	schtasks.exe
2356	schtasks.exe
1316	schtasks.exe
1516	schtasks.exe
380	schtasks.exe
2900	schtasks.exe
904	schtasks.exe
876	schtasks.exe
2564	schtasks.exe
2772	schtasks.exe
2120	schtasks.exe
2972	schtasks.exe
2996	schtasks.exe
2940	schtasks.exe
2508	schtasks.exe
2164	schtasks.exe
2060	schtasks.exe
980	schtasks.exe
2456	schtasks.exe
1616	schtasks.exe
652	schtasks.exe
1072	schtasks.exe
2012	schtasks.exe
1656	schtasks.exe
2644	schtasks.exe
2312	schtasks.exe
1492	schtasks.exe
1052	schtasks.exe
952	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1992	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2064	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2668	powershell.exe
2300	powershell.exe
1908	powershell.exe
1708	powershell.exe
2216	savesref.exe
2216	savesref.exe
2216	savesref.exe
2216	savesref.exe
2216	savesref.exe
2676	powershell.exe
2624	savesref.exe
2624	savesref.exe
2624	savesref.exe
2624	savesref.exe
2624	savesref.exe
2624	savesref.exe
2624	savesref.exe
2624	savesref.exe
2624	savesref.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	savesref.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	7ebabb8b4bb51cf.exe
Token: SeDebugPrivilege	2428	explorer.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2216	savesref.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeIncreaseQuotaPrivilege	724	wmic.exe
Token: SeSecurityPrivilege	724	wmic.exe
Token: SeTakeOwnershipPrivilege	724	wmic.exe
Token: SeLoadDriverPrivilege	724	wmic.exe
Token: SeSystemProfilePrivilege	724	wmic.exe
Token: SeSystemtimePrivilege	724	wmic.exe
Token: SeProfSingleProcessPrivilege	724	wmic.exe
Token: SeIncBasePriorityPrivilege	724	wmic.exe
Token: SeCreatePagefilePrivilege	724	wmic.exe
Token: SeBackupPrivilege	724	wmic.exe
Token: SeRestorePrivilege	724	wmic.exe
Token: SeShutdownPrivilege	724	wmic.exe
Token: SeDebugPrivilege	724	wmic.exe
Token: SeSystemEnvironmentPrivilege	724	wmic.exe
Token: SeRemoteShutdownPrivilege	724	wmic.exe
Token: SeUndockPrivilege	724	wmic.exe
Token: SeManageVolumePrivilege	724	wmic.exe
Token: 33	724	wmic.exe
Token: 34	724	wmic.exe
Token: 35	724	wmic.exe
Token: SeIncreaseQuotaPrivilege	724	wmic.exe
Token: SeSecurityPrivilege	724	wmic.exe
Token: SeTakeOwnershipPrivilege	724	wmic.exe
Token: SeLoadDriverPrivilege	724	wmic.exe
Token: SeSystemProfilePrivilege	724	wmic.exe
Token: SeSystemtimePrivilege	724	wmic.exe
Token: SeProfSingleProcessPrivilege	724	wmic.exe
Token: SeIncBasePriorityPrivilege	724	wmic.exe
Token: SeCreatePagefilePrivilege	724	wmic.exe
Token: SeBackupPrivilege	724	wmic.exe
Token: SeRestorePrivilege	724	wmic.exe
Token: SeShutdownPrivilege	724	wmic.exe
Token: SeDebugPrivilege	724	wmic.exe
Token: SeSystemEnvironmentPrivilege	724	wmic.exe
Token: SeRemoteShutdownPrivilege	724	wmic.exe
Token: SeUndockPrivilege	724	wmic.exe
Token: SeManageVolumePrivilege	724	wmic.exe
Token: 33	724	wmic.exe
Token: 34	724	wmic.exe
Token: 35	724	wmic.exe
Token: SeIncreaseQuotaPrivilege	2556	wmic.exe
Token: SeSecurityPrivilege	2556	wmic.exe
Token: SeTakeOwnershipPrivilege	2556	wmic.exe
Token: SeLoadDriverPrivilege	2556	wmic.exe
Token: SeSystemProfilePrivilege	2556	wmic.exe
Token: SeSystemtimePrivilege	2556	wmic.exe
Token: SeProfSingleProcessPrivilege	2556	wmic.exe
Token: SeIncBasePriorityPrivilege	2556	wmic.exe
Token: SeCreatePagefilePrivilege	2556	wmic.exe
Token: SeBackupPrivilege	2556	wmic.exe
Token: SeRestorePrivilege	2556	wmic.exe
Token: SeShutdownPrivilege	2556	wmic.exe
Token: SeDebugPrivilege	2556	wmic.exe
Token: SeSystemEnvironmentPrivilege	2556	wmic.exe
Token: SeRemoteShutdownPrivilege	2556	wmic.exe
Token: SeUndockPrivilege	2556	wmic.exe
Token: SeManageVolumePrivilege	2556	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 1664 wrote to memory of 2956	1664	7ebabb8b4bb51cf.exe	28
PID 2956 wrote to memory of 2704	2956	RegAsm.exe	29
PID 2956 wrote to memory of 2704	2956	RegAsm.exe	29
PID 2956 wrote to memory of 2704	2956	RegAsm.exe	29
PID 2956 wrote to memory of 2704	2956	RegAsm.exe	29
PID 2956 wrote to memory of 2428	2956	RegAsm.exe	30
PID 2956 wrote to memory of 2428	2956	RegAsm.exe	30
PID 2956 wrote to memory of 2428	2956	RegAsm.exe	30
PID 2956 wrote to memory of 2428	2956	RegAsm.exe	30
PID 2704 wrote to memory of 2332	2704	svchost.exe	31
PID 2704 wrote to memory of 2332	2704	svchost.exe	31
PID 2704 wrote to memory of 2332	2704	svchost.exe	31
PID 2704 wrote to memory of 2332	2704	svchost.exe	31
PID 2428 wrote to memory of 2680	2428	explorer.exe	32
PID 2428 wrote to memory of 2680	2428	explorer.exe	32
PID 2428 wrote to memory of 2680	2428	explorer.exe	32
PID 2428 wrote to memory of 2668	2428	explorer.exe	34
PID 2428 wrote to memory of 2668	2428	explorer.exe	34
PID 2428 wrote to memory of 2668	2428	explorer.exe	34
PID 2428 wrote to memory of 2300	2428	explorer.exe	36
PID 2428 wrote to memory of 2300	2428	explorer.exe	36
PID 2428 wrote to memory of 2300	2428	explorer.exe	36
PID 2428 wrote to memory of 1908	2428	explorer.exe	38
PID 2428 wrote to memory of 1908	2428	explorer.exe	38
PID 2428 wrote to memory of 1908	2428	explorer.exe	38
PID 2332 wrote to memory of 1376	2332	WScript.exe	40
PID 2332 wrote to memory of 1376	2332	WScript.exe	40
PID 2332 wrote to memory of 1376	2332	WScript.exe	40
PID 2332 wrote to memory of 1376	2332	WScript.exe	40
PID 2428 wrote to memory of 1708	2428	explorer.exe	42
PID 2428 wrote to memory of 1708	2428	explorer.exe	42
PID 2428 wrote to memory of 1708	2428	explorer.exe	42
PID 1376 wrote to memory of 2216	1376	cmd.exe	44
PID 1376 wrote to memory of 2216	1376	cmd.exe	44
PID 1376 wrote to memory of 2216	1376	cmd.exe	44
PID 1376 wrote to memory of 2216	1376	cmd.exe	44
PID 2428 wrote to memory of 724	2428	explorer.exe	58
PID 2428 wrote to memory of 724	2428	explorer.exe	58
PID 2428 wrote to memory of 724	2428	explorer.exe	58
PID 2428 wrote to memory of 2556	2428	explorer.exe	70
PID 2428 wrote to memory of 2556	2428	explorer.exe	70
PID 2428 wrote to memory of 2556	2428	explorer.exe	70
PID 2428 wrote to memory of 2552	2428	explorer.exe	77
PID 2428 wrote to memory of 2552	2428	explorer.exe	77
PID 2428 wrote to memory of 2552	2428	explorer.exe	77
PID 2428 wrote to memory of 2676	2428	explorer.exe	85
PID 2428 wrote to memory of 2676	2428	explorer.exe	85
PID 2428 wrote to memory of 2676	2428	explorer.exe	85
PID 2428 wrote to memory of 1992	2428	explorer.exe	90
PID 2428 wrote to memory of 1992	2428	explorer.exe	90
PID 2428 wrote to memory of 1992	2428	explorer.exe	90
PID 2428 wrote to memory of 3068	2428	explorer.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	savesref.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	savesref.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe
"C:\Users\Admin\AppData\Local\Temp\7ebabb8b4bb51cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\discord\KVGHJrchTtXZ1.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\discord\91XI5GEPShJXCgG0eVHRJ.bat" "
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Users\Admin\AppData\Roaming\discord\savesref.exe
        
        "C:\Users\Admin\AppData\Roaming\discord\savesref.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2216
        
        C:\Users\Admin\savesref.exe
        
        "C:\Users\Admin\savesref.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        System policy modification
        
        PID:2624
- - C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      4⤵
      Views/modifies file attributes
      PID:2680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\explorer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:724
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2676
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1992
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\explorer.exe" && pause
      4⤵
      PID:3068
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesrefs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\savesref.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesref" /sc ONLOGON /tr "'C:\Users\Admin\savesref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesrefs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\savesref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesrefs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\savesref.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesref" /sc ONLOGON /tr "'C:\Users\Default User\savesref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesrefs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\savesref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe

Filesize
1.5MB

MD5
bb911b229aa5aeba477103037d501768

SHA1
67bf87968716318cb30a01a90ec93e993c207847

SHA256
f5cd57146216195fd2d1027f8561043596fd5d8e99aca2e2267ff19c1195c351

SHA512
152d78106476bf0a0a69d38721454db837bc856c71e7f24885d4c84dc4c2a70aed88904daaa5c6a045b7c6fded154b9a529f2937f1616440ef1ba0068280adab

Download Submit
C:\Program Files (x86)\Windows Sidebar\fr-FR\RCX345E.tmp

Filesize
1.5MB

MD5
bf164fec3cd078761a70462be31050fb

SHA1
48ebbb45426cbe2056e5f0bca1bd03e06ddfa5a2

SHA256
1d547dd97ae48345cae40c0a76258b3efa12dd8e9ea689f3d022e482584aa173

SHA512
fc4dbc0aa8d172b2b6c706e778acf5e49a5fc4c1c1fa763bd01a6d4332f1731ae5a87bfb500027067c3bb1b7508326c81b0462c08667b2b7a68bdc1ec38e748b

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
231KB

MD5
5a006cd74e0225a15746bee6928d62f1

SHA1
a17dabdb634d9667c3590436998252148a5fab92

SHA256
0350fdb32852f781665e056a04f318e94c746612f7b4e3cd430d808c894aae4c

SHA512
59d6b467cf48cf1aafaf13e1acfdd6ae4806403f0bc92e759590b04da4ecd719488300ecd412d92931e7b65daf0ab2229d7a165b31595334676b40942bb30f81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0833765340e9bcf89635bca1b3d01644

SHA1
fe384ed6ba4ce0e3ac8688465ac66a8b14249406

SHA256
ca6ffc9a8226141ae5df8bc9efb3efad17c3862658de6c486142cdaa6e5d7fb0

SHA512
7d3ab9b5bafb3fc1668de19098dc277180cae211bff32cdbb17298f04f86f3d6e5a6bfece46e57448a943d41e0970845e9981e523829647f74d6ab88ca561bc7

Download Submit
C:\Users\Admin\AppData\Roaming\discord\91XI5GEPShJXCgG0eVHRJ.bat

Filesize
32B

MD5
84814a18997996f8a95ba8e868396e90

SHA1
30b79b2158d922433ba25117fb79f8720470fb44

SHA256
92c8ccb6b3a9abc0798ad760255c47356c3750a74b11e38590876c68927f3797

SHA512
b1b820e12c49fe4993229222a218a769e5d6913f303d382baaff735f3b24a5b068adcfb344397004dd9d7aa637c4e9baedf2e3ca3dfb3f56e86c8c8f8cf9cf7e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\KVGHJrchTtXZ1.vbe

Filesize
212B

MD5
cdb5dc99d1017d58fdbfce66f048da76

SHA1
e1903f365d81996da9810b9f0dc40bc65b3324c7

SHA256
bd9e0e5f3e6379d03907896d71843cc2dbfef7e209cc0896b4755fa0422a3b43

SHA512
72e3e2f3b5f385c402faf7ac89690a99806f648f90e85f46b01db66284f247c10dbe03e612e41c46775cd29fecaeede2fd26bc8dc2e22e252f9f1ce9b801f88d

Download Submit
C:\Windows\Cursors\conhost.exe

Filesize
1.5MB

MD5
465a747d34628ce15ae129dd4976a335

SHA1
735df85fef275edc98bf0ba13da7ce84c2dd2a48

SHA256
6ccd2fbb055f95f614793676575a55c17e9190f614ec571bef6fea31304db827

SHA512
e742eb15b5e60558ea5f3a42627db4c2ab3240ed344a895dba7b0638e8d3a5f3c9dc99c1c116e4de154b4d5b607a1544e0f232032453862857514ab7d2b49a7d

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
1.8MB

MD5
45008c4cc3fc25a5d5184742ae2fe72b

SHA1
f5e7b3110df6917df0e07a822c313c52eec335fd

SHA256
09d240d54a5458bcc9362ea0f06e23a345b69e196e127462d5f33e8a475ccd57

SHA512
3059e4e59cb103f08fd13f776bf65d41b4cfec7a7f6610a2c945e134d4b913185f64bdf357bbc3c52e26da77f9e04a19c121611ad11fb40bf486aade1751e335

Download Submit
\Users\Admin\AppData\Roaming\discord\savesref.exe

Filesize
1.5MB

MD5
0a32536cc1d5e2a35d7d289b4ff0e76b

SHA1
98736b0b5a6f3709f81365c9e6477819074c3170

SHA256
8d31ae46e123de0d23937d664298428e37b45a7a135a95d73f5887779ee48710

SHA512
b2d5d91eb7ecfc6eb295c63ecba5c3ceb4b4a865fc9a9f90bd1e82bff4bc39905baf9ab2962580ee708761632e5499694f3f823aa2f139bce809398262eb3b73

Download Submit
memory/1664-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/1664-20-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/1664-4-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1664-3-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1664-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/1664-1-0x0000000000E10000-0x000000000163A000-memory.dmp

Filesize
8.2MB

Download
memory/1708-83-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/1708-82-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2216-94-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2216-85-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2216-87-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2216-89-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/2216-90-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/2216-95-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2216-91-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/2216-92-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/2216-93-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/2216-76-0x0000000000940000-0x0000000000ACC000-memory.dmp

Filesize
1.5MB

Download
memory/2216-88-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/2216-84-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2216-86-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2300-56-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2300-55-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2428-42-0x00000000000F0000-0x0000000000130000-memory.dmp

Filesize
256KB

Download
memory/2624-286-0x0000000000EC0000-0x000000000104C000-memory.dmp

Filesize
1.5MB

Download
memory/2668-49-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2668-48-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2676-129-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2676-130-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2956-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2956-7-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2956-6-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2956-12-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2956-21-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2956-15-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2956-17-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2956-5-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2956-9-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download