Malware Analysis Report

2025-08-06 00:36

Sample ID 231205-wajplsea29
Target 2e8356dfe51bd0a98aadcbd170a6d777.exe
SHA256 e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8
Tags
rat dcrat infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8

Threat Level: Known bad

The file 2e8356dfe51bd0a98aadcbd170a6d777.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-05 17:43

Signatures

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-05 17:43

Reported

2023-12-05 17:45

Platform

win7-20231023-en

Max time kernel

138s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Default\Music\smss.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\en-US\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\Windows Photo Viewer\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\7-Zip\101b941d020240 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\Windows Photo Viewer\smss.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\explorer.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\MSBuild\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\MSBuild\winlogon.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Adobe\audiodg.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\audiodg.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Adobe\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\DVD Maker\en-US\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\7-Zip\lsm.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Offline Web Pages\smss.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Windows\Offline Web Pages\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Music\smss.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe

"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Music\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Users\Default\Music\smss.exe

"C:\Users\Default\Music\smss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 www.zubareff.site udp
RU 31.31.198.105:80 www.zubareff.site tcp

Files

memory/2228-0-0x0000000000B70000-0x0000000000CAE000-memory.dmp

memory/2228-1-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

memory/2228-2-0x000000001B050000-0x000000001B0D0000-memory.dmp

memory/2228-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

memory/2228-4-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/2228-5-0x0000000000410000-0x0000000000422000-memory.dmp

C:\Program Files\7-Zip\lsm.exe

MD5 2e8356dfe51bd0a98aadcbd170a6d777
SHA1 4bd29d52517f4b14433ca5e911e277123968dbfb
SHA256 e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8
SHA512 2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef

C:\Users\Default\Music\smss.exe

MD5 2e8356dfe51bd0a98aadcbd170a6d777
SHA1 4bd29d52517f4b14433ca5e911e277123968dbfb
SHA256 e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8
SHA512 2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef

memory/2228-47-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

memory/3012-48-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

memory/3012-46-0x00000000000A0000-0x00000000001DE000-memory.dmp

memory/3012-49-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/3012-50-0x00000000002F0000-0x0000000000302000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar8C30.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/3012-88-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

memory/3012-89-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/3012-90-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-05 17:43

Reported

2023-12-05 17:45

Platform

win10v2004-20231130-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"

Signatures

DcRat

rat infostealer dcrat

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\f363630c424400 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\csrss.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Portable Devices\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\Idle.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Microsoft\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\Windows Mail\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\Windows Portable Devices\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Microsoft\csrss.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\f363630c424400 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\ee2ad38f3d4382 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\explorer.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Program Files\Windows Mail\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\explorer.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\apppatch\ja-JP\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Windows\apppatch\ja-JP\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Windows\Vss\Writers\System\55b276f4edf653 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Windows\IdentityCRL\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
File created C:\Windows\IdentityCRL\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3212 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe C:\Windows\System32\cmd.exe
PID 4596 wrote to memory of 4400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4596 wrote to memory of 5080 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe
PID 5080 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 4124 wrote to memory of 2068 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2068 wrote to memory of 3396 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 3396 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 3948 wrote to memory of 2324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3948 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 2452 wrote to memory of 4972 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 4972 wrote to memory of 4916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4972 wrote to memory of 3684 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 3684 wrote to memory of 2512 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 3328 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2512 wrote to memory of 4824 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 4824 wrote to memory of 3144 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 3144 wrote to memory of 3472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3144 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 3908 wrote to memory of 1948 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 1948 wrote to memory of 1896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1948 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 2888 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 4928 wrote to memory of 4608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4928 wrote to memory of 3928 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\csrss.exe
PID 3928 wrote to memory of 4768 N/A C:\Program Files (x86)\Microsoft\csrss.exe C:\Windows\System32\cmd.exe
PID 4768 wrote to memory of 1940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe

"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "2e8356dfe51bd0a98aadcbd170a6d7772" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "2e8356dfe51bd0a98aadcbd170a6d777" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "2e8356dfe51bd0a98aadcbd170a6d7772" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\2e8356dfe51bd0a98aadcbd170a6d777.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LY5L01moAk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe

"C:\Users\Admin\AppData\Local\Temp\2e8356dfe51bd0a98aadcbd170a6d777.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\IdentityCRL\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\odt\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\csrss.exe

"C:\Program Files (x86)\Microsoft\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/3212-0-0x0000000000330000-0x000000000046E000-memory.dmp

memory/3212-1-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/3212-2-0x000000001B290000-0x000000001B2A0000-memory.dmp

memory/3212-4-0x0000000002800000-0x0000000002850000-memory.dmp

memory/3212-3-0x0000000002660000-0x000000000267C000-memory.dmp

memory/3212-5-0x0000000002680000-0x0000000002696000-memory.dmp

memory/3212-6-0x00000000026A0000-0x00000000026B2000-memory.dmp

memory/3212-7-0x000000001BE30000-0x000000001C358000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LY5L01moAk.bat

MD5 4f31d8885eede8073acf4a3ac753385e
SHA1 220a54c237bd4ca7875f450736e1af445267387f
SHA256 66be23fdfd17db2182e17bd9443a9172ff8d29fc02f0b4ffd65341d03b69ec53
SHA512 f180c04904980ef125f2f9b4ee3b8b67f36b3dda5323e1b24c59dc0c11ab42689db53026ec5e184092cbfcd0f45cb3595d7dd9e5001c9ac10f0985cb247fe65a

memory/3212-18-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2e8356dfe51bd0a98aadcbd170a6d777.exe.log

MD5 bbb951a34b516b66451218a3ec3b0ae1
SHA1 7393835a2476ae655916e0a9687eeaba3ee876e9
SHA256 eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a
SHA512 63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

memory/5080-21-0x000000001B740000-0x000000001B750000-memory.dmp

memory/5080-20-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/5080-22-0x0000000001330000-0x0000000001342000-memory.dmp

C:\Program Files (x86)\Google\CrashReports\Idle.exe

MD5 2e8356dfe51bd0a98aadcbd170a6d777
SHA1 4bd29d52517f4b14433ca5e911e277123968dbfb
SHA256 e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8
SHA512 2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef

C:\Program Files (x86)\Microsoft\csrss.exe

MD5 2e8356dfe51bd0a98aadcbd170a6d777
SHA1 4bd29d52517f4b14433ca5e911e277123968dbfb
SHA256 e4ae89fae552ad33c4e25a0feb8f8547254f27c197e51c183ee16edae898f6c8
SHA512 2615a8c39079d57e70dcae1c0f180e4a6d292348c28d8c094f9b1312bfbd74f02e40bada740faadd563c061067f99dde00de32d71d261b1424ed1ef8ce0926ef

memory/4124-68-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/5080-67-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/4124-74-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

MD5 536519c09b01c51a80149c004f5cd76c
SHA1 82c0d604d68309c72f8559abcde65126c0b42282
SHA256 1b0a5574cd70d101632253ceb6ac0aaef6c9e63319bbed035d3476ae9f81560a
SHA512 21f0a42191b8b67903d9823c64679cc564c5d92ea9ed9e6b1ea06f626055feba3973514b86ad8929e50f031bf4d33094aacab3fb36b206b1232e62fef89ba487

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 9699cf9bb24ebbc9b1035710e92b7bd2
SHA1 73f0f26db57ea306970a76f42c647bbce02a3f23
SHA256 fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5
SHA512 3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

memory/3396-78-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/3396-79-0x000000001AFF0000-0x000000001B002000-memory.dmp

memory/3396-85-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

MD5 03f5e9db0b73cd0132566699e8555b68
SHA1 68e34d41734218eec03a269e5a83af1fb9ae864a
SHA256 0fc671f200ad653b723d0f25dc16b844e5ce73fdf17df1fd6485532ecfa170cd
SHA512 19c1bcf9071f5ca41056c22653eda98aed52a2a5842b588c4ebdfd3d1d60918e1d946e016848e22bf230ecf2c63c1eefffdceaac30081e9c8be8b967ddeaf3b0

memory/2452-87-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/2452-88-0x0000000000BF0000-0x0000000000C02000-memory.dmp

memory/2452-94-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

MD5 7921b68d82f670b3fe1038b31cb94b41
SHA1 3015edc3c6c71cb66d180373d4eaa8b5a501416e
SHA256 c17a3af4f77b1284c9beca24b8c520901bd67b080005017181c0181ce26c6a1f
SHA512 f91df8f01e7e7e4faa3a1e7dab59039b6a9673ea760616ed71916dd4a66b5347d7693f803662e33c8a8d146447e1c1a33419f6ce939631f7a9779eae17f458b0

memory/3684-96-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

MD5 f459e8ea151c40d8f3a73f84c7d28b74
SHA1 5112610f15c70a9c7e7b9b92cb8f54fd61406434
SHA256 a75c973131d8a1a62a18a06e3c176987dce1d8d119e6f89be39f5b6c24394907
SHA512 a597fb516090f8598c926845722296b69a2cbaedb588d3dbf09be1e97e76cd92ee6b571a904b365349db14a7c7d2b77b929e183edba8891ef6a95436cc5b655e

memory/3684-102-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/4824-104-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

MD5 4be080300b85da53ebb163336f4a6704
SHA1 d783baf9f6a36e0cf67c5bd136c3f119c959801d
SHA256 bf08946bbab8b20e2b2addb8d4a1a49619b9d77f4f5ef74ca6364181b3ca5933
SHA512 b7431c68d5a1d19d01d2aa9e80e26e632ebe8f9b34eb5f6262c76bc3a3beba2a1a5311a4f77465f93bc8c629cc7aa55eec68a6931b1d1a62b821beec37d5886f

memory/4824-110-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/3908-112-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/3908-118-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

MD5 4ac6f7c5402bd6b9910ded5e4a9b48b2
SHA1 35b28bd4418390fe9441dc4fd390c35d95b1f9cc
SHA256 4c44043b62b1db93f01a7b960d4018bbe981ef7affff01e9765c7bf2580acae3
SHA512 633ca9c281b9220585bf014a9aeec2c099b2421e63defdc49586fafab140aabd9940ce4cec8305a7cda958adf53a524a6b06fd5fc55807e2ec06d9db7fb0fb3e

memory/2888-120-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

MD5 d2c79b7656cc439ac4919e0763fcaf01
SHA1 4ccb601831808ea4dcd29bec1c91f1582103d889
SHA256 05c8d5bfb130e7306f98fcf0040e62269268f318d601ce004dee6194d1c7e2db
SHA512 b926a04a7881da26eed8d4136010de1af36108f2a5187698d877f3feb30a752c7bb014760aa4cc5c66118779e30685b7d560398781e959fee33f3af57c382f41

memory/2888-126-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

memory/3928-128-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

MD5 28a1bf82b53399caeffc43087b8d7d18
SHA1 db72d3daa3fed839f66c218866b0b9277497f6d2
SHA256 7aa574b4f4f75cb399abb284f533d3a89c9fb3ec3bdf78e70af0124dd4e477a4
SHA512 0785ecdd2b121c5f4bdce7775fd06c8e795cff13d17c91541bb02c5eba87006cde290a33999f34690cdb0e4f38400ad42f37a80fc64753ce232227eb155b2746

memory/3928-134-0x00007FFFB7680000-0x00007FFFB8141000-memory.dmp