dcrat | 54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ef44e6c54801a42dc9cff0bf0459036.exe
Size

1.8MB
MD5

7ef44e6c54801a42dc9cff0bf0459036
SHA1

45322aee2375b98a8b443e08d5e9f58ac10e9e2d
SHA256

54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab
SHA512

dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250
SSDEEP

49152:ZWqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:DKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2716	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2612-1-0x00000000009D0000-0x0000000000B9C000-memory.dmp	dcrat
behavioral1/files/0x0006000000016ecf-30.dat	dcrat
behavioral1/files/0x001400000001202c-116.dat	dcrat
behavioral1/files/0x000b000000016df3-139.dat	dcrat
behavioral1/files/0x000a00000001749c-162.dat	dcrat
behavioral1/memory/1608-247-0x00000000003E0000-0x00000000005AC000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2064	powershell.exe
2516	powershell.exe
2988	powershell.exe
2920	powershell.exe
3012	powershell.exe
2936	powershell.exe
2996	powershell.exe
2724	powershell.exe
2796	powershell.exe
2108	powershell.exe
2680	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1608	lsm.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX4ABC.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCX55B0.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCX57B4.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\886983d96e3d3e	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\f3b6ecef712a24	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\services.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\c5b4cb5e9653cc	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX48B8.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\spoolsv.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCX57B5.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\spoolsv.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCX5542.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\services.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\886983d96e3d3e	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCX48B9.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX4ABD.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	7ef44e6c54801a42dc9cff0bf0459036.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\RCX45D8.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\lsm.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Tasks\lsm.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Tasks\lsm.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Tasks\101b941d020240	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Web\Wallpaper\Scenes\lsm.exe	7ef44e6c54801a42dc9cff0bf0459036.exe
File created	C:\Windows\Web\Wallpaper\Scenes\101b941d020240	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Tasks\RCX4608.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCX59C8.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\RCX5A36.tmp	7ef44e6c54801a42dc9cff0bf0459036.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2164	schtasks.exe
2400	schtasks.exe
688	schtasks.exe
792	schtasks.exe
2496	schtasks.exe
1908	schtasks.exe
2172	schtasks.exe
2488	schtasks.exe
2756	schtasks.exe
264	schtasks.exe
2736	schtasks.exe
1224	schtasks.exe
2256	schtasks.exe
2476	schtasks.exe
3036	schtasks.exe
2324	schtasks.exe
2972	schtasks.exe
1372	schtasks.exe
1208	schtasks.exe
1784	schtasks.exe
1892	schtasks.exe
2036	schtasks.exe
1588	schtasks.exe
2648	schtasks.exe
2984	schtasks.exe
1560	schtasks.exe
2492	schtasks.exe
2424	schtasks.exe
1416	schtasks.exe
2680	schtasks.exe
1332	schtasks.exe
2876	schtasks.exe
3020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2612	7ef44e6c54801a42dc9cff0bf0459036.exe
2920	powershell.exe
3012	powershell.exe
2996	powershell.exe
2796	powershell.exe
2724	powershell.exe
2732	powershell.exe
2064	powershell.exe
2516	powershell.exe
2680	powershell.exe
2936	powershell.exe
2108	powershell.exe
2988	powershell.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe
1608	lsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1608	lsm.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	7ef44e6c54801a42dc9cff0bf0459036.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1608	lsm.exe
Token: SeBackupPrivilege	3044	vssvc.exe
Token: SeRestorePrivilege	3044	vssvc.exe
Token: SeAuditPrivilege	3044	vssvc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2920	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	64
PID 2612 wrote to memory of 2920	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	64
PID 2612 wrote to memory of 2920	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	64
PID 2612 wrote to memory of 3012	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	65
PID 2612 wrote to memory of 3012	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	65
PID 2612 wrote to memory of 3012	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	65
PID 2612 wrote to memory of 2996	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	66
PID 2612 wrote to memory of 2996	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	66
PID 2612 wrote to memory of 2996	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	66
PID 2612 wrote to memory of 2936	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	68
PID 2612 wrote to memory of 2936	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	68
PID 2612 wrote to memory of 2936	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	68
PID 2612 wrote to memory of 2796	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	69
PID 2612 wrote to memory of 2796	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	69
PID 2612 wrote to memory of 2796	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	69
PID 2612 wrote to memory of 2724	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	71
PID 2612 wrote to memory of 2724	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	71
PID 2612 wrote to memory of 2724	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	71
PID 2612 wrote to memory of 2988	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	74
PID 2612 wrote to memory of 2988	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	74
PID 2612 wrote to memory of 2988	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	74
PID 2612 wrote to memory of 2516	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	76
PID 2612 wrote to memory of 2516	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	76
PID 2612 wrote to memory of 2516	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	76
PID 2612 wrote to memory of 2732	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	77
PID 2612 wrote to memory of 2732	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	77
PID 2612 wrote to memory of 2732	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	77
PID 2612 wrote to memory of 2680	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	78
PID 2612 wrote to memory of 2680	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	78
PID 2612 wrote to memory of 2680	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	78
PID 2612 wrote to memory of 2108	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	79
PID 2612 wrote to memory of 2108	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	79
PID 2612 wrote to memory of 2108	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	79
PID 2612 wrote to memory of 2064	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	80
PID 2612 wrote to memory of 2064	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	80
PID 2612 wrote to memory of 2064	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	80
PID 2612 wrote to memory of 2840	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	88
PID 2612 wrote to memory of 2840	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	88
PID 2612 wrote to memory of 2840	2612	7ef44e6c54801a42dc9cff0bf0459036.exe	88
PID 2840 wrote to memory of 2184	2840	cmd.exe	90
PID 2840 wrote to memory of 2184	2840	cmd.exe	90
PID 2840 wrote to memory of 2184	2840	cmd.exe	90
PID 2840 wrote to memory of 1608	2840	cmd.exe	91
PID 2840 wrote to memory of 1608	2840	cmd.exe	91
PID 2840 wrote to memory of 1608	2840	cmd.exe	91
PID 1608 wrote to memory of 1428	1608	lsm.exe	92
PID 1608 wrote to memory of 1428	1608	lsm.exe	92
PID 1608 wrote to memory of 1428	1608	lsm.exe	92
PID 1608 wrote to memory of 2788	1608	lsm.exe	93
PID 1608 wrote to memory of 2788	1608	lsm.exe	93
PID 1608 wrote to memory of 2788	1608	lsm.exe	93

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ef44e6c54801a42dc9cff0bf0459036.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe
"C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7ef44e6c54801a42dc9cff0bf0459036.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Scenes\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TlsVtvrHRy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2184
- - C:\Windows\Web\Wallpaper\Scenes\lsm.exe
    "C:\Windows\Web\Wallpaper\Scenes\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1608
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72eb61a7-2d3f-4333-92ac-1f8e00da1165.vbs"
      4⤵
      PID:1428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3b0ce95-94b7-4847-b196-abcb75137f87.vbs"
      4⤵
      PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Scenes\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Scenes\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Scenes\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\spoolsv.exe

Filesize
1.8MB

MD5
cccb53ac1bd9c7ebf5fa1577fd936ab4

SHA1
24ec36fe3a9999e091a8ee9e113e6fcacfdff12a

SHA256
d6d18d3d156631413d6e292a7716fa79d620118a36dc6227d40a5995f05a1287

SHA512
a8b8c474b62b32867bc845291332954d60d7ba2b92849490b6a24cd8b9ef317121eec86c2259eae9711d62231a6222c6dde99d469db0bd76ff4d927e9cd4026c

Download Submit
C:\ProgramData\Microsoft Help\dwm.exe

Filesize
1.8MB

MD5
ac5fca63347c3ae204bd0163ed7f9fb6

SHA1
4913e0d644285f262a970eec4cf6c048d6f189d9

SHA256
7c9803fa1200f03af97de1214d49941425f7fd4ed5646f3a1f312dc69d40b785

SHA512
5e27097dcaafc51035227c3da33e76ea215eca9b1c579c4ddd79a0934b6431a22146dd41cc8e5b525701f04dfa093bf17e85f674a600b428ba899c86c331014f

Download Submit
C:\Users\Admin\AppData\Local\Temp\72eb61a7-2d3f-4333-92ac-1f8e00da1165.vbs

Filesize
715B

MD5
f590b087c99ac450229cd05591d662fe

SHA1
9ee4cff29be69af79e0ebcad1d51f04a4a121150

SHA256
67e6302f1689f8fba774b35a2d9d789b3f61c79cc8cae3c92bce3d8d314e464f

SHA512
a43cb3190e79af1352df633766a4efb1bfab4f1ef042e61b98db0441f7cb5cb8eb07c250084d2b51a0b1c6ccafecbdc0584c2e975ad261396a59ffdfe7db92f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TlsVtvrHRy.bat

Filesize
204B

MD5
4bf5be5fa3687dfe8ca26d44fc0c0918

SHA1
f2b2639c2fb9ed5db15c3a81886975d52447090f

SHA256
06c9e97d068c37dc4cd20e3fea459153d0481c6f28fd8b5d8910ac75251ba556

SHA512
338d1d918b07d1b3bde6eec5497fb4e3210d5642556fc0139317bcbe1dded4c793d55c29509c350d0fd9076143523f7fa6acba3e59b0cf53c7d80638623404ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3b0ce95-94b7-4847-b196-abcb75137f87.vbs

Filesize
491B

MD5
81a1a4f36f707d22eeec10c4484a8469

SHA1
ab23abb10ac8bae9d7047fb82c17e16b20012b42

SHA256
089a8b65c79dace8a38c00a3ea37188141a7b5de1db5866e77bf8e638cff26a9

SHA512
64a3bb65e3bb174b8ef9a7d9451283213ec62b9c4eb199bb9615fd5018fa5c20eb003ffe96f459c95ca1ae5e66ac56573e8fe63f50b99e135cbf770c8618a675

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6aa1a0f10fbd80d842dac68d51a25fef

SHA1
6d90c0d1750eb86aca68171df9b8800ebd5d5e86

SHA256
abaedc447659777c9a6c80d29dfd1b7b3dbd6a28223a9b8c041d98c71ea2b669

SHA512
4589c503cdb1428cb01d03b242c4ebb7cfd9493625381749442217d504cd41fcfc242f769ecbba4c62406afca99755536deef0cbf4ff30d4ee25602880501c0e

Download Submit
C:\Users\Default\OSPPSVC.exe

Filesize
1.8MB

MD5
7ef44e6c54801a42dc9cff0bf0459036

SHA1
45322aee2375b98a8b443e08d5e9f58ac10e9e2d

SHA256
54c2cddb942d1e8d23dc7cf72043f1875aed4b25047b3587ddc017cb266bfdab

SHA512
dfdd479a802f308cc1b49886020cf420127dd87be5642d27452c3ee08198b1efbfca8358e62ed91141ed778ce3cef7ff154e0114eae27220ce81d6cd1acb5250

Download Submit
C:\Windows\Web\Wallpaper\Scenes\lsm.exe

Filesize
1.8MB

MD5
4897bfc9533933cbcc84c02f8d270cf9

SHA1
4383edf2d981e7d2dc013bcef3dad4d3531e9f97

SHA256
c9deaaf51b1be01e7ec7f0a66971fb54f47d7414e4495632ee748359a93b0fa5

SHA512
b0f60272ae5902b99f9b92db3d5244db0931ef3dc1100e2d3211a587221f63f45c6a455e332511929963fa09daabfae667226fa2185ffe27ab831221984b030a

Download Submit
memory/1608-247-0x00000000003E0000-0x00000000005AC000-memory.dmp

Filesize
1.8MB

Download
memory/2612-8-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/2612-9-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2612-11-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2612-12-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/2612-13-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/2612-14-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2612-15-0x0000000002390000-0x000000000239C000-memory.dmp

Filesize
48KB

Download
memory/2612-17-0x000000001A830000-0x000000001A83E000-memory.dmp

Filesize
56KB

Download
memory/2612-16-0x00000000023A0000-0x00000000023AA000-memory.dmp

Filesize
40KB

Download
memory/2612-18-0x000000001A840000-0x000000001A848000-memory.dmp

Filesize
32KB

Download
memory/2612-19-0x000000001A850000-0x000000001A85C000-memory.dmp

Filesize
48KB

Download
memory/2612-20-0x000000001A860000-0x000000001A86C000-memory.dmp

Filesize
48KB

Download
memory/2612-21-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-10-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2612-0-0x000007FEF6443000-0x000007FEF6444000-memory.dmp

Filesize
4KB

Download
memory/2612-7-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/2612-6-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/2612-1-0x00000000009D0000-0x0000000000B9C000-memory.dmp

Filesize
1.8MB

Download
memory/2612-192-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2612-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2612-2-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2920-194-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2920-193-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download