Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-gjfxrabh92
Target NEAS.8a3f7accb656f787354b8280323176a0.exe
SHA256 32b2a8994267885e9c2e1b70dfe03a088e45714f90f9aab8c5c89649dba6b80f
Tags
rat dcrat evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32b2a8994267885e9c2e1b70dfe03a088e45714f90f9aab8c5c89649dba6b80f

Threat Level: Known bad

The file NEAS.8a3f7accb656f787354b8280323176a0.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer persistence trojan

UAC bypass

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 05:49

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 05:49

Reported

2023-11-18 05:52

Platform

win7-20231023-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\mib\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\mib\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\mib\explorer.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\mib\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\comcat\\winlogon.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\mib\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\\services.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ProgramData\\Desktop\\sppsvc.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\lsm.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\mib\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\mib\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\comcat\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\System32\comcat\cc11b995f2a76da408ea6a601e682e64743153ad C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File opened for modification C:\Windows\System32\comcat\RCX6761.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File opened for modification C:\Windows\System32\comcat\winlogon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\mib\explorer.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\mib\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File opened for modification C:\Windows\mib\RCX5ED4.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File opened for modification C:\Windows\mib\explorer.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\mib\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\mib\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\mib\explorer.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\mib\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\mib\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\mib\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\mib\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\Desktop\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\comcat\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DgVfj2ze01.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\mib\explorer.exe

"C:\Windows\mib\explorer.exe"

Network

Country Destination Domain Proto
RU 92.63.192.30:80 92.63.192.30 tcp
RU 92.63.192.30:443 tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
RU 92.63.192.30:443 tcp

Files

memory/2580-0-0x0000000000E80000-0x0000000000F4A000-memory.dmp

memory/2580-1-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

memory/2580-2-0x000000001AEC0000-0x000000001AF40000-memory.dmp

memory/2580-3-0x00000000001D0000-0x00000000001D8000-memory.dmp

memory/2580-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/2580-5-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/2580-6-0x00000000003F0000-0x00000000003F8000-memory.dmp

memory/2580-7-0x00000000004A0000-0x00000000004AC000-memory.dmp

memory/2580-8-0x0000000000490000-0x000000000049A000-memory.dmp

memory/2580-9-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2580-10-0x00000000004B0000-0x00000000004B8000-memory.dmp

memory/2580-11-0x0000000000730000-0x0000000000738000-memory.dmp

memory/2580-12-0x0000000000740000-0x0000000000748000-memory.dmp

memory/2580-13-0x0000000000780000-0x0000000000788000-memory.dmp

memory/2580-14-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/2580-17-0x00000000007D0000-0x00000000007D8000-memory.dmp

memory/2580-16-0x00000000007C0000-0x00000000007C8000-memory.dmp

memory/2580-15-0x00000000007A0000-0x00000000007A8000-memory.dmp

memory/2580-18-0x00000000007F0000-0x00000000007F8000-memory.dmp

memory/2580-19-0x0000000000D50000-0x0000000000D58000-memory.dmp

memory/2580-20-0x0000000000D60000-0x0000000000D68000-memory.dmp

memory/2580-21-0x00000000007E0000-0x00000000007EC000-memory.dmp

memory/2580-22-0x0000000000750000-0x0000000000758000-memory.dmp

memory/2580-23-0x000000001AEC0000-0x000000001AF40000-memory.dmp

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe

MD5 8a3f7accb656f787354b8280323176a0
SHA1 c9544d9107ed710954bf4b575598cc392d567f26
SHA256 32b2a8994267885e9c2e1b70dfe03a088e45714f90f9aab8c5c89649dba6b80f
SHA512 c81e198a992c469d5e533cc35a7604fc00097b2c2d4bf0ebed85487f4d9708c8adca543ebf11963d464e007379bc7e62a00bdca84d7dec79b7cefbaa9775bb7e

memory/2580-36-0x000000001AEC0000-0x000000001AF40000-memory.dmp

memory/2580-46-0x000000001AEC0000-0x000000001AF40000-memory.dmp

memory/2580-54-0x000000001AEC0000-0x000000001AF40000-memory.dmp

memory/2580-69-0x000000001AEC0000-0x000000001AF40000-memory.dmp

memory/2580-83-0x000000001AEC0000-0x000000001AF40000-memory.dmp

memory/2580-89-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DgVfj2ze01.bat

MD5 942352f680718d05661a18d0607b050e
SHA1 b9034e7a47dc210273d8cc296d99c381a6a17087
SHA256 ee9dab0179014e9f2695c7056b43d1497591196c01d9a6ef2ddaaf94df18091d
SHA512 998229c76c964be5c6b79f38d5138e90f5ce2f5dc54353cfe1b4df32720ccb89909fab1c403e8e570bbd57186b76614de7b3fdf506a4aeea76785db142c5b545

C:\Windows\mib\explorer.exe

MD5 8a3f7accb656f787354b8280323176a0
SHA1 c9544d9107ed710954bf4b575598cc392d567f26
SHA256 32b2a8994267885e9c2e1b70dfe03a088e45714f90f9aab8c5c89649dba6b80f
SHA512 c81e198a992c469d5e533cc35a7604fc00097b2c2d4bf0ebed85487f4d9708c8adca543ebf11963d464e007379bc7e62a00bdca84d7dec79b7cefbaa9775bb7e

memory/1496-93-0x0000000000D10000-0x0000000000DDA000-memory.dmp

memory/1496-94-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

memory/1496-95-0x000000001AFD0000-0x000000001B050000-memory.dmp

memory/1496-96-0x000000001AFD0000-0x000000001B050000-memory.dmp

memory/1496-97-0x000000001AFD0000-0x000000001B050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab88B2.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar8922.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25f3e186d36910937cf94dfc62865d97
SHA1 e4e1e0fbf599837dcf9f30175e9a2e8ac14543d1
SHA256 24a96b16046d01cd380a3a6a617dde78968ae6628a9033f3fe18c697c730e5d4
SHA512 c85a185e216791211982e67e9ec7c2bde78c3db2650be34905bbb5a5964cad783180bdc0596ecf5bd780b924e30f199e1f4093b511d833efbb5be8d32dc6ed00

memory/1496-177-0x000000001AFD0000-0x000000001B050000-memory.dmp

memory/1496-178-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 05:49

Reported

2023-11-18 05:52

Platform

win10v2004-20231023-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\PerfLogs\\TextInputHost.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\TimeBrokerServer\\dllhost.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\bootstat\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\ProgramData\\SoftwareDistribution\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\appidsvc\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\netttcim_uninstall\\unsecapp.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\TimeBrokerServer\dllhost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\System32\TimeBrokerServer\5940a34987c99120d96dace90a3f93f329dcad63 C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\System32\appidsvc\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\System32\appidsvc\eddb19405b7ce1152b3e19997f2b467f0b72b3d3 C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\System32\wbem\netttcim_uninstall\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\System32\wbem\netttcim_uninstall\29c1c3cc0f76855c7e7456076a4ffc27e4947119 C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File opened for modification C:\Windows\System32\TimeBrokerServer\RCXFA8E.tmp C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\bootstat\sysmon.exe C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
File created C:\Windows\bootstat\121e5b5079f7c0e46d90f99b3864022518bbbda9 C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.8a3f7accb656f787354b8280323176a0.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\PerfLogs\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\TimeBrokerServer\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\bootstat\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ProgramData\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\appidsvc\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\netttcim_uninstall\unsecapp.exe'" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 122.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/112-0-0x0000000000570000-0x000000000063A000-memory.dmp

memory/112-1-0x00007FFC70320000-0x00007FFC70DE1000-memory.dmp

memory/112-2-0x000000001B3F0000-0x000000001B400000-memory.dmp

memory/112-3-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

memory/112-4-0x0000000000E00000-0x0000000000E08000-memory.dmp

memory/112-5-0x0000000000E10000-0x0000000000E20000-memory.dmp

memory/112-6-0x0000000000E20000-0x0000000000E28000-memory.dmp

memory/112-7-0x00000000026E0000-0x00000000026EC000-memory.dmp

memory/112-8-0x00000000026F0000-0x00000000026FA000-memory.dmp

memory/112-9-0x0000000002710000-0x000000000271A000-memory.dmp

memory/112-10-0x0000000002700000-0x0000000002708000-memory.dmp

memory/112-11-0x0000000002720000-0x0000000002728000-memory.dmp

memory/112-12-0x0000000002730000-0x0000000002738000-memory.dmp

memory/112-14-0x0000000002750000-0x0000000002758000-memory.dmp

memory/112-15-0x0000000002760000-0x0000000002768000-memory.dmp

memory/112-13-0x0000000002740000-0x0000000002748000-memory.dmp

memory/112-16-0x0000000002770000-0x0000000002778000-memory.dmp

memory/112-17-0x0000000002780000-0x0000000002788000-memory.dmp

memory/112-18-0x0000000002790000-0x0000000002798000-memory.dmp

memory/112-20-0x000000001B3F0000-0x000000001B400000-memory.dmp

memory/112-19-0x00000000027A0000-0x00000000027A8000-memory.dmp

memory/112-21-0x00000000027B0000-0x00000000027B8000-memory.dmp

memory/112-23-0x000000001B3F0000-0x000000001B400000-memory.dmp

memory/112-22-0x00000000027C0000-0x00000000027CC000-memory.dmp

memory/112-24-0x000000001B2B0000-0x000000001B2B8000-memory.dmp

memory/112-29-0x000000001B3F0000-0x000000001B400000-memory.dmp

C:\Windows\System32\appidsvc\backgroundTaskHost.exe

MD5 8a3f7accb656f787354b8280323176a0
SHA1 c9544d9107ed710954bf4b575598cc392d567f26
SHA256 32b2a8994267885e9c2e1b70dfe03a088e45714f90f9aab8c5c89649dba6b80f
SHA512 c81e198a992c469d5e533cc35a7604fc00097b2c2d4bf0ebed85487f4d9708c8adca543ebf11963d464e007379bc7e62a00bdca84d7dec79b7cefbaa9775bb7e

memory/112-41-0x000000001B3F0000-0x000000001B400000-memory.dmp

memory/112-55-0x00007FFC70320000-0x00007FFC70DE1000-memory.dmp