Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-c1ad3sae7x
Target NEAS.93db67acc5572ee4096c1d1962766430.exe
SHA256 b87a60099a45285a03886378f0786131c3fa551bd84bd6134f858703d17ab74a
Tags
rat dcrat evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b87a60099a45285a03886378f0786131c3fa551bd84bd6134f858703d17ab74a

Threat Level: Known bad

The file NEAS.93db67acc5572ee4096c1d1962766430.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

DcRat

Process spawned unexpected child process

UAC bypass

DCRat payload

Dcrat family

DCRat payload

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 02:32

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 02:32

Reported

2023-11-18 02:34

Platform

win7-20231020-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\ticrf\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\WMPhoto\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\ProgramData\\Microsoft Help\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PerfLogs\\Admin\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\vccorlib140\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\WMPhoto\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\WMPhoto\886983d96e3d3e31032c679b2d4ea91b6c05afef C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\vccorlib140\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\vccorlib140\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File opened for modification C:\Windows\System32\ticrf\RCX7D1D.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File opened for modification C:\Windows\System32\WMPhoto\RCX7F21.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File opened for modification C:\Windows\System32\WMPhoto\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File opened for modification C:\Windows\System32\ticrf\lsm.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\ticrf\101b941d020240259ca4912829b53995ad543df6 C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File opened for modification C:\Windows\System32\vccorlib140\RCX8599.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File opened for modification C:\Windows\System32\vccorlib140\services.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\ticrf\lsm.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\WMPhoto\csrss.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value omitted] C:\Windows\System32\WMPhoto\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob value omitted] C:\Windows\System32\WMPhoto\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A
N/A N/A C:\Windows\System32\WMPhoto\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WMPhoto\csrss.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\WMPhoto\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\ticrf\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\WMPhoto\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\ProgramData\Microsoft Help\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PerfLogs\Admin\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\vccorlib140\services.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SUoFbHmupk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\WMPhoto\csrss.exe

"C:\Windows\System32\WMPhoto\csrss.exe"

Network

Country Destination Domain Proto
RU 92.63.192.30:80 92.63.192.30 tcp
RU 92.63.192.30:443 tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
RU 92.63.192.30:443 tcp

Files

memory/2152-0-0x0000000000AB0000-0x0000000000B7A000-memory.dmp

memory/2152-1-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

memory/2152-2-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2152-3-0x0000000000450000-0x0000000000458000-memory.dmp

memory/2152-5-0x0000000000470000-0x0000000000480000-memory.dmp

memory/2152-4-0x0000000000460000-0x0000000000468000-memory.dmp

memory/2152-6-0x0000000000480000-0x0000000000488000-memory.dmp

memory/2152-7-0x0000000000A00000-0x0000000000A0C000-memory.dmp

memory/2152-8-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/2152-9-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/2152-10-0x00000000004C0000-0x00000000004C8000-memory.dmp

memory/2152-11-0x0000000000490000-0x0000000000498000-memory.dmp

memory/2152-12-0x0000000000A10000-0x0000000000A18000-memory.dmp

memory/2152-13-0x0000000000A20000-0x0000000000A28000-memory.dmp

memory/2152-14-0x0000000000A40000-0x0000000000A48000-memory.dmp

memory/2152-16-0x0000000000A60000-0x0000000000A68000-memory.dmp

memory/2152-15-0x0000000000A50000-0x0000000000A58000-memory.dmp

memory/2152-17-0x0000000001F80000-0x0000000001F88000-memory.dmp

memory/2152-18-0x0000000001F90000-0x0000000001F98000-memory.dmp

memory/2152-20-0x0000000000A90000-0x0000000000A98000-memory.dmp

memory/2152-19-0x0000000000A80000-0x0000000000A88000-memory.dmp

memory/2152-21-0x0000000000A30000-0x0000000000A3C000-memory.dmp

memory/2152-22-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2152-23-0x0000000000A70000-0x0000000000A78000-memory.dmp

C:\Windows\System32\vccorlib140\services.exe

MD5 93db67acc5572ee4096c1d1962766430
SHA1 811ef2712a3b2a757b0efcd7fdb95cdea777111d
SHA256 b87a60099a45285a03886378f0786131c3fa551bd84bd6134f858703d17ab74a
SHA512 cc30b4df6ed1142b4344081f1ab19abc82f3556556871e540cac9149ab70465a35cc4d9224d9664b87bc4063d5b2f9b9fdb2c493b89c400a76bd25fb0dbaf6e8

memory/2152-34-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2152-38-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2152-51-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2152-66-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2152-73-0x000000001AFE0000-0x000000001B060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SUoFbHmupk.bat

MD5 ecc6148435d6efce8eae415ee9f6554b
SHA1 07a97427f65b296efb3b58721b2ef853c7d59bd0
SHA256 0338fec493b4b5fb10ae260ab6877732e9690e21976351a09f527d628d4dcbe3
SHA512 486491b8cda691842537188be2701dc6476452d977b5b75d4846b4cb3c5b18b28ef3d2e57066f10c056825e39e6d366cbebab30ce7b8e1646f242a19de9b05d5

memory/2152-80-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

C:\Windows\System32\WMPhoto\csrss.exe

MD5 09dbadf467b9943775ca41371aadd8b5
SHA1 a742211d3663d4c66b8f50819c5fe7995f6b65f4
SHA256 4bdd3970202d52d6130bd4ef801d0c4c3393e07c2ffae29772a7a154e0a5adc7
SHA512 edeb9abfc6c23d3dad0ff44f561b6bac9ac0210bc57700eb3c4801c93b33d0cece1448bee8e74d5118b67733292c4fac117f7aaaf6bf4b93756c3ae82e61a5c6

memory/2084-83-0x0000000001040000-0x000000000110A000-memory.dmp

memory/2084-84-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/2084-85-0x000000001B140000-0x000000001B1C0000-memory.dmp

memory/2084-86-0x000000001B140000-0x000000001B1C0000-memory.dmp

memory/2084-87-0x000000001B140000-0x000000001B1C0000-memory.dmp

memory/2084-88-0x000000001B140000-0x000000001B1C0000-memory.dmp

memory/2084-89-0x000000001B140000-0x000000001B1C0000-memory.dmp

memory/2084-99-0x000000001B140000-0x000000001B1C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB35A.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarB408.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80fea5c2cbc8d93390441c81ddc5abe8
SHA1 f3a52805a26aaef15f812538efba1c2e822f5527
SHA256 ccd2a34713305c2f5c153dc1f1aad4d9b9c0fa856c57f54985e06bbb9181af4e
SHA512 d1b63cdbc95553da7691b9b3825515fe912483315ea2e3e7847a9cf167141d26309d286c524ef4f43ffce711f74f7aa9db2d105911d956561f7c2306dd047b3d

memory/2084-170-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 02:32

Reported

2023-11-18 02:35

Platform

win10v2004-20231023-en

Max time kernel

188s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\framedynos\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\cimdmtf\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NEAS.93db67acc5572ee4096c1d1962766430 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AdobeSFX\\NEAS.93db67acc5572ee4096c1d1962766430.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\odt\\System.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\ProgramData\\Adobe\\Setup\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\LayoutData\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\framedynos\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\framedynos\eddb19405b7ce1152b3e19997f2b467f0b72b3d3 C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\wbem\cimdmtf\WmiPrvSE.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\System32\wbem\cimdmtf\24dbde2999530ef5fd907494bc374d663924116c C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\22eafd247d37c30fed3795ee41d259ec72bb351c C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.93db67acc5572ee4096c1d1962766430.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\LayoutData\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\framedynos\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\cimdmtf\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NEAS.93db67acc5572ee4096c1d1962766430" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\AdobeSFX\NEAS.93db67acc5572ee4096c1d1962766430.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\ProgramData\Adobe\Setup\RuntimeBroker.exe'" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 121.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp

Files

memory/3172-0-0x00000000001C0000-0x000000000028A000-memory.dmp

memory/3172-1-0x00007FFC61D70000-0x00007FFC62831000-memory.dmp

memory/3172-2-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-3-0x0000000000A30000-0x0000000000A38000-memory.dmp

memory/3172-4-0x0000000000A40000-0x0000000000A48000-memory.dmp

memory/3172-5-0x0000000000A50000-0x0000000000A60000-memory.dmp

memory/3172-6-0x0000000002560000-0x0000000002568000-memory.dmp

memory/3172-7-0x0000000002430000-0x000000000243C000-memory.dmp

memory/3172-8-0x0000000000A60000-0x0000000000A6A000-memory.dmp

memory/3172-9-0x0000000000A70000-0x0000000000A7A000-memory.dmp

memory/3172-10-0x0000000002580000-0x0000000002588000-memory.dmp

memory/3172-11-0x0000000002570000-0x0000000002578000-memory.dmp

memory/3172-12-0x0000000002590000-0x0000000002598000-memory.dmp

memory/3172-13-0x00000000025B0000-0x00000000025B8000-memory.dmp

memory/3172-14-0x00000000025D0000-0x00000000025D8000-memory.dmp

memory/3172-15-0x00000000025A0000-0x00000000025A8000-memory.dmp

memory/3172-16-0x00000000025C0000-0x00000000025C8000-memory.dmp

memory/3172-17-0x000000001ADB0000-0x000000001ADB8000-memory.dmp

memory/3172-18-0x000000001ADD0000-0x000000001ADD8000-memory.dmp

memory/3172-19-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-21-0x000000001ADC0000-0x000000001ADC8000-memory.dmp

memory/3172-20-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-22-0x000000001AE20000-0x000000001AE28000-memory.dmp

memory/3172-23-0x000000001AE30000-0x000000001AE3C000-memory.dmp

memory/3172-24-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-25-0x000000001AE50000-0x000000001AE58000-memory.dmp

C:\odt\System.exe

MD5 93db67acc5572ee4096c1d1962766430
SHA1 811ef2712a3b2a757b0efcd7fdb95cdea777111d
SHA256 b87a60099a45285a03886378f0786131c3fa551bd84bd6134f858703d17ab74a
SHA512 cc30b4df6ed1142b4344081f1ab19abc82f3556556871e540cac9149ab70465a35cc4d9224d9664b87bc4063d5b2f9b9fdb2c493b89c400a76bd25fb0dbaf6e8

memory/3172-38-0x00007FFC61D70000-0x00007FFC62831000-memory.dmp

memory/3172-39-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-40-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-41-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-42-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-43-0x000000001AE40000-0x000000001AE50000-memory.dmp

memory/3172-44-0x00007FFC61D70000-0x00007FFC62831000-memory.dmp