Malware Analysis Report

2024-10-10 13:00

Sample ID 240618-sf193ayeld
Target 0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe
SHA256 0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9

Threat Level: Known bad

The file 0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe was found to be: Known bad.

Both detonations show the same chain. The sample writes two executables to %TEMP% ("Njrat Green Edition.exe" and "NjRat 0.7D Green Edition by im523.exe"). The first runs a .vbe through WScript.exe, which runs a .bat through cmd.exe, which launches C:\MsComponenthostcrt\BlockComponenthost.exe, the DCRat payload. That payload writes executables named after Windows system binaries into non-standard directories (C:\Users\Admin\Saved Games\services.exe and C:\Users\Admin\Videos\dwm.exe in behavioral1; C:\Recovery\WindowsRE\cmd.exe, C:\Windows\PLA\Reports\it-IT\csrss.exe and others in behavioral2) and registers three scheduled tasks per target: a minute-interval task, an ONLOGON task at run level HIGHEST, and a second minute-interval task at run level HIGHEST. Each schtasks.exe runs with WmiPrvSE.exe as its parent, i.e. task creation goes through WMI rather than a direct CreateProcess from the payload. In behavioral1 the only network activity is a DNS lookup of a0993996.xsph.ru followed by a TCP connection to 141.8.192.93:80.

Malicious Activity Summary

dcrat infostealer rat

Process spawned unexpected child process

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 15:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 15:04

Reported

2024-06-18 15:07

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(6 identical rows, one per schtasks.exe /create call listed under Processes; a WmiPrvSE.exe parent means the task creation was driven through WMI rather than launched directly by the payload)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 detections, no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (2 events)

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (6 events; the full /create command lines are listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\MsComponenthostcrt\BlockComponenthost.exe N/A
N/A N/A C:\Users\Admin\Saved Games\services.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\MsComponenthostcrt\BlockComponenthost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Saved Games\services.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 3028 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 3028 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 3028 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 3028 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 3028 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 3028 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 3028 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 2944 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 2944 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 2944 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 2944 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 2616 wrote to memory of 2388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 2388 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2388 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2388 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2388 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2440 wrote to memory of 1680 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Users\Admin\Saved Games\services.exe
PID 2440 wrote to memory of 1680 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Users\Admin\Saved Games\services.exe
PID 2440 wrote to memory of 1680 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Users\Admin\Saved Games\services.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe

"C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe"

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

"C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe"

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

"C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe"
(The command line names System32 but the image that ran is the SysWOW64 copy: WoW64 file-system redirection, which means the parent "Njrat Green Edition.exe" is a 32-bit process.)

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\MsComponenthostcrt\V8pyu.bat" "

C:\MsComponenthostcrt\BlockComponenthost.exe

"C:\MsComponenthostcrt\BlockComponenthost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f

C:\Users\Admin\Saved Games\services.exe

"C:\Users\Admin\Saved Games\services.exe"
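
The schtasks.exe command lines above (and the longer list under behavioral2) follow one template: three /create calls per target, a task name equal to the target's basename or the basename plus its first letter, and /rl HIGHEST on two of the three. The following script is an added example, not part of the sandbox report: it parses such command lines and scores each target. The sample command lines are copied from this detonation's process list, the benign backup task is constructed as a control, and the heuristics and the 15-minute threshold are this example's own assumptions.

```python
"""Triage of schtasks.exe /create command lines (added example, not sandbox output)."""
import re
from collections import defaultdict

# Constructed input: six command lines copied from the report above plus one
# made-up benign task that should not be flagged.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f''',
    # Constructed control: a daily job with a plain name and no elevation.
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f''',
]

# One regex per flag; schtasks accepts flags in any order, so we search rather than tokenise.
_FLAGS = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r'/sc\s+(\w+)', re.I),
    "mo": re.compile(r'/mo\s+(\d+)', re.I),
    "tr": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "rl": re.compile(r'/rl\s+(\w+)', re.I),
}


def parse_schtasks(cmdline):
    """Return the /create arguments as a dict, or None for non-create invocations."""
    if not re.search(r'\s/create\b', cmdline, re.I):
        return None
    args = {}
    for key, rx in _FLAGS.items():
        m = rx.search(cmdline)
        args[key] = m.group(1) if m else None
    if args["tr"]:
        # DCRat wraps the target path in single quotes inside the double quotes.
        args["tr"] = args["tr"].strip("'")
    args["force"] = bool(re.search(r'\s/f\b', cmdline, re.I))
    return args


def derived_task_name(task_name, target):
    """True when the task name is the target basename or basename + its first letter
    (servicess, dwmd, lsassl, cmdc: the naming used throughout this report)."""
    base = target.rsplit("\\", 1)[-1]
    if base.lower().endswith(".exe"):
        base = base[:-4]
    if not base:
        return False
    return task_name == base or task_name == base + base[0]


def triage(cmdlines, max_interval=15):
    """Group /create calls by target executable and collect persistence indicators per target."""
    by_target = defaultdict(list)
    for cmd in cmdlines:
        args = parse_schtasks(cmd)
        if args and args["tr"]:
            by_target[args["tr"]].append(args)
    report = {}
    for target, tasks in by_target.items():
        scheds = {t["sc"].upper() for t in tasks if t["sc"]}
        reasons = []
        if any((t["rl"] or "").upper() == "HIGHEST" for t in tasks):
            reasons.append("run level HIGHEST")
        if any(t["sc"] and t["sc"].upper() == "MINUTE" and t["mo"]
               and int(t["mo"]) <= max_interval for t in tasks):
            reasons.append("minute-interval trigger (<= %d min)" % max_interval)
        if {"ONLOGON", "MINUTE"} <= scheds:
            reasons.append("logon and interval triggers on the same target")
        if any(t["tn"] and derived_task_name(t["tn"], target) for t in tasks):
            reasons.append("task name derived from target basename")
        report[target] = {"tasks": len(tasks), "reasons": reasons}
    return report


if __name__ == "__main__":
    for target, info in triage(SAMPLE_CMDLINES).items():
        print(target, info)
```

Run against the behavioral1 list this reports two targets with four indicators each and the control with none. The same function applied to the behavioral2 list groups its forty-odd calls into the same triplets, one per dropped executable.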

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0993996.xsph.ru udp
RU 141.8.192.93:80 a0993996.xsph.ru tcp

Files

memory/3028-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/3028-1-0x0000000000F50000-0x000000000107A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

MD5 ffa0e2bbc82794b112a5ef66d18b27e4
SHA1 ebc81ad3542f2bdf1f7ffa9589c4703c8c59ee83
SHA256 281c5ad0809300d2067220f782074348ec5449a7fd31cae5d8a212e6f7eb5055
SHA512 4501aa78e94a7c6599fb60c744025783b5c2774d6a99d168a345d893618c087ce098141edd561a9db91326c7c4a4c627f2d91d42348c2c7a0458751c92ced152

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

MD5 1033c448810d3b507423546432e2f502
SHA1 2bf9d04f68ed15b957378fb95daa78c85d5b2b26
SHA256 f0c85722b88d1e7a1941ba17551cd5c29aef99fad86d78a5631a0f5446b3f580
SHA512 aeb964632dfad41fc383a68ace0e6beb152a7075f21a32e449624a27da5d2a5ccda0665fbd90597d65d74b0790877baf6f81336660b1df4bf38b41cd0bc6cd44

memory/2520-15-0x0000000074311000-0x0000000074312000-memory.dmp

memory/3028-14-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2520-17-0x0000000074310000-0x00000000748BB000-memory.dmp

C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe

MD5 c05a26a0f85d0f422df97128fef29cd3
SHA1 c187a0cfb88c4beae723a173957181bb61908811
SHA256 78c756b19d29b70c47f908a98e8029b192329c571a792a16df1b6dc089858515
SHA512 5adfa06b02514375e14d370976ec7ec9c13890fb67d6904fa103e16f5d212afe34878a8a5891759da1a47562662545249fe3d7f213b52cb2ad3d1eb0ea1fabd9

C:\MsComponenthostcrt\V8pyu.bat

MD5 169e51661baeb41549847d1069e779f6
SHA1 b0f7c9ba64f8338312715e26741674c17d7c6dd6
SHA256 f1b2daf2c4f636fcf9994263066dd63d4df27ae090138939bc3e93f4bbb50338
SHA512 f00f9ac8fb8a4d7fefbf7cf008a9c26019d7dabe7984cb763ff5563d33c7dd8ee58872646f9c48f651f613967c5fcdd3cad83c2eb57cf476632b1503d3674c74

\MsComponenthostcrt\BlockComponenthost.exe

MD5 68866acdadaec4fe950d5648386e8d1f
SHA1 71332e0c4ed5f9117446d6735a946ebea6c90747
SHA256 311763efffec17158382ebb545b5e34116ff3ed5f4ccdbd2f00db805992d928c
SHA512 c2af0b8df821712116d5d9a1084c5441cf5a8d3f3cfdf2afbe000e4d457f47ceb9c6902f8343758e96bd6a3d314e06e94ff6dbd20158af23604ec0e99e604393

memory/2440-31-0x0000000000EA0000-0x0000000000F76000-memory.dmp

memory/1680-42-0x0000000000CC0000-0x0000000000D96000-memory.dmp

memory/2520-43-0x0000000074310000-0x00000000748BB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 15:04

Reported

2024-06-18 15:07

Platform

win10v2004-20240508-en

Max time kernel

47s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(51 identical rows, one per schtasks.exe /create call listed under Processes; a WmiPrvSE.exe parent means the task creation was driven through WMI rather than launched directly by the payload)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (3 detections, no indicator details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\MsComponenthostcrt\BlockComponenthost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File opened for modification C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Uninstall Information\55b276f4edf653 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\BlockComponenthost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\c93b81794ab53e C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\TextInputHost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\22eafd247d37c3 C:\MsComponenthostcrt\BlockComponenthost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\it-IT\TextInputHost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Windows\it-IT\22eafd247d37c3 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Windows\PLA\Reports\it-IT\csrss.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Windows\PLA\Reports\it-IT\886983d96e3d3e C:\MsComponenthostcrt\BlockComponenthost.exe N/A
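
Two things stand out in the drop tables above: every executable is written next to a file whose name is 14 lowercase hex characters, and the executables carry the names of Windows system binaries (csrss.exe, TextInputHost.exe, StartMenuExperienceHost.exe) in directories where those binaries never live. The script below is an added example, not part of the sandbox report: it applies both checks to a list of paths. The paths are copied from the file-drop rows of this report and from the behavioral1 task target; the canonical-directory allow-list is this example's own assumption and must be tuned to the Windows build being hunted on.

```python
"""Flag dropped files that masquerade as system binaries or carry a DCRat-style
companion marker (added example, not sandbox output)."""
import re
import ntpath  # Windows path semantics regardless of the host OS

# Assumption: where these names legitimately live on a stock Windows install.
# A file with one of these names outside its allowed directories is treated as
# masquerading (MITRE ATT&CK T1036.005).
CANONICAL_DIRS = {
    "csrss.exe": (r"C:\Windows\System32",),
    "lsass.exe": (r"C:\Windows\System32",),
    "services.exe": (r"C:\Windows\System32",),
    "dwm.exe": (r"C:\Windows\System32",),
    "fontdrvhost.exe": (r"C:\Windows\System32",),
    "runtimebroker.exe": (r"C:\Windows\System32",),
    "cmd.exe": (r"C:\Windows\System32", r"C:\Windows\SysWOW64"),
    "dllhost.exe": (r"C:\Windows\System32", r"C:\Windows\SysWOW64"),
    "startmenuexperiencehost.exe": (r"C:\Windows\SystemApps",),
    "textinputhost.exe": (r"C:\Windows\SystemApps",),
}

# Companion file seen beside every dropped executable in this report:
# 14 lowercase hex characters, no extension.
MARKER = re.compile(r"^[0-9a-f]{14}$")

# Constructed input: paths from the "Drops file" tables above plus one behavioral1 target.
DROPPED_FILES = [
    r"C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe",
    r"C:\Program Files\Uninstall Information\55b276f4edf653",
    r"C:\Program Files (x86)\Windows Portable Devices\BlockComponenthost.exe",
    r"C:\Program Files (x86)\Windows Portable Devices\c93b81794ab53e",
    r"C:\Program Files\Windows NT\TableTextService\en-US\TextInputHost.exe",
    r"C:\Program Files\Windows NT\TableTextService\en-US\22eafd247d37c3",
    r"C:\Windows\it-IT\TextInputHost.exe",
    r"C:\Windows\it-IT\22eafd247d37c3",
    r"C:\Windows\PLA\Reports\it-IT\csrss.exe",
    r"C:\Windows\PLA\Reports\it-IT\886983d96e3d3e",
    r"C:\Users\Admin\Saved Games\services.exe",
]


def is_masquerading(path):
    """True if the file name is a known system binary but the directory is not an allowed one."""
    directory, name = ntpath.split(path)
    allowed = CANONICAL_DIRS.get(name.lower())
    if allowed is None:
        return False
    directory = ntpath.normcase(directory)  # lower-case, backslashes
    for a in allowed:
        a = ntpath.normcase(a)
        if directory == a or directory.startswith(a + "\\"):
            return False
    return True


def companion_markers(paths):
    """Pair every .exe with each 14-hex file in the same directory: (dir, exe, marker)."""
    by_dir = {}
    for p in paths:
        directory, name = ntpath.split(p)
        by_dir.setdefault(ntpath.normcase(directory), []).append(name)
    pairs = []
    for directory, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        markers = [n for n in names if MARKER.match(n)]
        pairs.extend((directory, e, m) for e in exes for m in markers)
    return pairs


def flag_drops(paths):
    """Map each path to the list of reasons it was flagged (empty list: nothing found)."""
    marked = {ntpath.normcase(ntpath.join(d, e)) for d, e, _ in companion_markers(paths)}
    result = {}
    for p in paths:
        reasons = []
        if is_masquerading(p):
            reasons.append("system binary name outside its canonical directory")
        if ntpath.normcase(p) in marked:
            reasons.append("14-hex companion file in the same directory")
        result[p] = reasons
    return result


if __name__ == "__main__":
    for path, reasons in flag_drops(DROPPED_FILES).items():
        print(path, "->", reasons or "ok")
```

On this input every executable except BlockComponenthost.exe (not a system binary name) trips the masquerading check, and every executable except services.exe in Saved Games has a marker file beside it. The allow-list is deliberately strict; on a real fleet, build it from a known-good image rather than from memory.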

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (51 events; the full /create command lines are listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\MsComponenthostcrt\BlockComponenthost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 2300 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 2300 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 2300 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 2300 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 2924 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 2924 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 2924 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 1600 wrote to memory of 3952 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 3952 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1600 wrote to memory of 3952 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 3952 wrote to memory of 4656 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 4656 wrote to memory of 2520 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Recovery\WindowsRE\cmd.exe
PID 4656 wrote to memory of 2520 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Recovery\WindowsRE\cmd.exe
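
The WriteProcessMemory rows above (and the matching rows under behavioral1) give the full lineage: sample -> "Njrat Green Edition.exe" -> WScript.exe -> cmd.exe -> BlockComponenthost.exe -> a cmd.exe copy under C:\Recovery\WindowsRE, while schtasks.exe appears under WmiPrvSE.exe. The script below is an added example, not part of the sandbox report: it reconstructs that ancestry from process-creation events and applies two rules, the report's own "WmiPrvSE.exe spawns schtasks.exe" signature and a chain rule for an untrusted-path executable launched under a script host and cmd.exe. Events are reconstructed from the behavioral2 PIDs; the WmiPrvSE.exe and schtasks.exe PIDs, the root PPID and the trusted-directory list are this example's assumptions, since the report does not record them.

```python
"""Process-lineage rules over reconstructed process-creation events
(added example, not sandbox output)."""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: an image under one of these prefixes is not suspicious by location alone.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\program files", r"c:\program files (x86)")

# Constructed input: PIDs 2300..2520 and their images are from the report above;
# PIDs 700, 900, 1000 and 5001 are made up to complete the tree.
EVENTS = [
    {"pid": 2300, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe"},
    {"pid": 2924, "ppid": 2300, "image": r"C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe"},
    {"pid": 2008, "ppid": 2300, "image": r"C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe"},
    {"pid": 1600, "ppid": 2924, "image": r"C:\Windows\SysWOW64\WScript.exe"},
    {"pid": 3952, "ppid": 1600, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 4656, "ppid": 3952, "image": r"C:\MsComponenthostcrt\BlockComponenthost.exe"},
    {"pid": 2520, "ppid": 4656, "image": r"C:\Recovery\WindowsRE\cmd.exe"},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe"},
]


def _name(path):
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Images from the given process up to the last ancestor present in events."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events):
    """Return (pid, reason) for every event matching a rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else ""
        # Rule 1: the report's signature. schtasks.exe under WmiPrvSE.exe means the
        # task was created through WMI, not by the payload calling CreateProcess.
        if parent_name == "wmiprvse.exe" and _name(e["image"]) == "schtasks.exe":
            hits.append((e["pid"], "schtasks.exe spawned by WmiPrvSE.exe (task created via WMI)"))
        # Rule 2: an executable outside trusted directories whose ancestors include
        # both a script host and cmd.exe: the .vbe -> .bat -> payload hand-off above.
        ancestors = [_name(p) for p in ancestry(events, e["pid"])[1:]]
        if (not e["image"].lower().startswith(TRUSTED_PREFIXES)
                and "cmd.exe" in ancestors
                and SCRIPT_HOSTS.intersection(ancestors)):
            hits.append((e["pid"], "untrusted-path executable under script host -> cmd.exe chain"))
    return hits


if __name__ == "__main__":
    for pid, reason in evaluate(EVENTS):
        print(pid, reason)
        print("   ", " <- ".join(_name(p) for p in ancestry(EVENTS, pid)))
```

Rule 2 fires on BlockComponenthost.exe and on the C:\Recovery\WindowsRE\cmd.exe copy but not on the real SysWOW64\cmd.exe in the middle of the chain, because it keys on the image path rather than the name; that is what separates the masquerading copy from the system binary it imitates.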

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe

"C:\Users\Admin\AppData\Local\Temp\0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9.exe"

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

"C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe"

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

"C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsComponenthostcrt\V8pyu.bat" "

C:\MsComponenthostcrt\BlockComponenthost.exe

"C:\MsComponenthostcrt\BlockComponenthost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\it-IT\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\it-IT\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\MsComponenthostcrt\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\MsComponenthostcrt\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\MsComponenthostcrt\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MsComponenthostcrt\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MsComponenthostcrt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MsComponenthostcrt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MsComponenthostcrt\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MsComponenthostcrt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MsComponenthostcrt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\ssh\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\MsComponenthostcrt\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\MsComponenthostcrt\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\MsComponenthostcrt\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockComponenthostB" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\BlockComponenthost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockComponenthost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\BlockComponenthost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BlockComponenthostB" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\BlockComponenthost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\cmd.exe

"C:\Recovery\WindowsRE\cmd.exe"

Network

Country  Destination  Domain                Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa  udp
US       8.8.8.8:53   a0993996.xsph.ru      udp
US       8.8.8.8:53   a0993996.xsph.ru      udp

Files

memory/2300-0-0x00007FFD5BCF3000-0x00007FFD5BCF5000-memory.dmp

memory/2300-1-0x0000000000FB0000-0x00000000010DA000-memory.dmp

memory/2300-4-0x00007FFD5BCF0000-0x00007FFD5C7B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

MD5 ffa0e2bbc82794b112a5ef66d18b27e4
SHA1 ebc81ad3542f2bdf1f7ffa9589c4703c8c59ee83
SHA256 281c5ad0809300d2067220f782074348ec5449a7fd31cae5d8a212e6f7eb5055
SHA512 4501aa78e94a7c6599fb60c744025783b5c2774d6a99d168a345d893618c087ce098141edd561a9db91326c7c4a4c627f2d91d42348c2c7a0458751c92ced152

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

MD5 1033c448810d3b507423546432e2f502
SHA1 2bf9d04f68ed15b957378fb95daa78c85d5b2b26
SHA256 f0c85722b88d1e7a1941ba17551cd5c29aef99fad86d78a5631a0f5446b3f580
SHA512 aeb964632dfad41fc383a68ace0e6beb152a7075f21a32e449624a27da5d2a5ccda0665fbd90597d65d74b0790877baf6f81336660b1df4bf38b41cd0bc6cd44

memory/2008-24-0x0000000074C32000-0x0000000074C33000-memory.dmp

memory/2008-25-0x0000000074C30000-0x00000000751E1000-memory.dmp

memory/2300-33-0x00007FFD5BCF0000-0x00007FFD5C7B1000-memory.dmp

memory/2008-32-0x0000000074C30000-0x00000000751E1000-memory.dmp

C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe

MD5 c05a26a0f85d0f422df97128fef29cd3
SHA1 c187a0cfb88c4beae723a173957181bb61908811
SHA256 78c756b19d29b70c47f908a98e8029b192329c571a792a16df1b6dc089858515
SHA512 5adfa06b02514375e14d370976ec7ec9c13890fb67d6904fa103e16f5d212afe34878a8a5891759da1a47562662545249fe3d7f213b52cb2ad3d1eb0ea1fabd9

C:\MsComponenthostcrt\V8pyu.bat

MD5 169e51661baeb41549847d1069e779f6
SHA1 b0f7c9ba64f8338312715e26741674c17d7c6dd6
SHA256 f1b2daf2c4f636fcf9994263066dd63d4df27ae090138939bc3e93f4bbb50338
SHA512 f00f9ac8fb8a4d7fefbf7cf008a9c26019d7dabe7984cb763ff5563d33c7dd8ee58872646f9c48f651f613967c5fcdd3cad83c2eb57cf476632b1503d3674c74

C:\MsComponenthostcrt\BlockComponenthost.exe

MD5 68866acdadaec4fe950d5648386e8d1f
SHA1 71332e0c4ed5f9117446d6735a946ebea6c90747
SHA256 311763efffec17158382ebb545b5e34116ff3ed5f4ccdbd2f00db805992d928c
SHA512 c2af0b8df821712116d5d9a1084c5441cf5a8d3f3cfdf2afbe000e4d457f47ceb9c6902f8343758e96bd6a3d314e06e94ff6dbd20158af23604ec0e99e604393

memory/4656-40-0x0000000000A60000-0x0000000000B36000-memory.dmp

memory/2008-86-0x0000000074C30000-0x00000000751E1000-memory.dmp

memory/2008-87-0x0000000074C32000-0x0000000074C33000-memory.dmp