Malware Analysis Report

2024-10-10 13:02

Sample ID 240618-wefhraxgml
Target 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe
SHA256 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f
Tags
rat dcrat evasion infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f

Threat Level: Known bad

The file 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer trojan

DCRat payload

DcRat

Process spawned unexpected child process

UAC bypass

Dcrat family

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 17:49

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 17:49

Reported

2024-06-18 17:52

Platform

win7-20240611-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(21 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\dllhost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(4 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Default\dllhost.exe N/A
N/A N/A C:\Users\Default\dllhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default\dllhost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\lsm.exe C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files\MSBuild\101b941d020240 C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
(17 identical rows)
N/A N/A C:\Users\Default\dllhost.exe N/A
(47 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\dllhost.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\dllhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe

"C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f

C:\Users\Default\dllhost.exe

"C:\Users\Default\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e87e51c7-0ec5-49d1-aac6-5810b4bb7701.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8eab65dc-3862-4a59-8605-40921b38898b.vbs"

C:\Users\Default\dllhost.exe

C:\Users\Default\dllhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cq11142.tw1.ru udp
RU 92.53.96.121:80 cq11142.tw1.ru tcp
US 8.8.8.8:53 vh432.timeweb.ru udp
RU 92.53.96.121:443 vh432.timeweb.ru tcp
RU 92.53.96.121:443 vh432.timeweb.ru tcp

Files

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe

MD5 50041c9d3b476dda21ed199fdf346aaf
SHA1 5a73df246d5b9970f9c445127651b62ed502a375
SHA256 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f
SHA512 16440fb313281c9da99370cf05a433a28af41ac6a34692b7b31254e61b7af53c6b903fa9a885a33263d931b8246de307b14ffe0a24a6f30f8c16612b9b48c730

memory/1116-53-0x0000000001090000-0x00000000013A4000-memory.dmp

memory/1724-54-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/1116-55-0x00000000005B0000-0x00000000005C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8eab65dc-3862-4a59-8605-40921b38898b.vbs

MD5 03dde6b3ead9d5372762e3eef896e1ee
SHA1 fc4c88f6b7b60c398554a74c002be9259d638f49
SHA256 0198471cd79d56e6a3347f356e05e517cb660357a3b87dad3eb1e161a67fd664
SHA512 1968725c01a7f04ee68b84634f3059a31bfa272bd98e311798c11ef22e8b4bd9d809edab29eb022b7e676a4907319ece54b0994e016a94702cda4e7c73989db1

C:\Users\Admin\AppData\Local\Temp\e87e51c7-0ec5-49d1-aac6-5810b4bb7701.vbs

MD5 2670247cdec63d2eb633f1dfac203c31
SHA1 5ebc0ebbd5b18fe917b2706dec6c4e5d28c67fd1
SHA256 879f64812c0e1e4d0c5474dd240b34210fd4d34ff1b4ebf2d54702bef84a8088
SHA512 75c2dcf27ffbb2034c3e350bfa9fba93f267ad0c503c8692e81bb5e92263359d3514c14e967f7e7f97032faa151efb8dbda601be4d33cce625c5f45253a12311

C:\Users\Admin\AppData\Local\Temp\CabB3F6.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB4C4.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2736-172-0x0000000000220000-0x0000000000534000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 17:49

Reported

2024-06-18 17:52

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(48 identical rows)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Public\Libraries\SppExtComObj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Adobe\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\explorer.exe C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files\Windows Mail\csrss.exe C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\b9ef282d50d431 C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files\Windows Mail\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings C:\Users\Public\Libraries\SppExtComObj.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
N/A N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Libraries\SppExtComObj.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Public\Libraries\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe

"C:\Users\Admin\AppData\Local\Temp\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f8" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f8" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Adobe\8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\TAPI\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kkMQtbsa5G.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Libraries\SppExtComObj.exe

"C:\Users\Public\Libraries\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5005523a-07ab-47a5-bd84-75142f2848df.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c94ffb4-4dd6-4d91-bc7e-ead00586d273.vbs"

C:\Users\Public\Libraries\SppExtComObj.exe

C:\Users\Public\Libraries\SppExtComObj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.243:443 www.bing.com tcp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 243.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 cq11142.tw1.ru udp
RU 92.53.96.121:80 cq11142.tw1.ru tcp
US 8.8.8.8:53 vh432.timeweb.ru udp
RU 92.53.96.121:443 vh432.timeweb.ru tcp
US 8.8.8.8:53 121.96.53.92.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/4728-0-0x00007FF9F28E3000-0x00007FF9F28E5000-memory.dmp

memory/4728-1-0x0000000000DD0000-0x00000000010E4000-memory.dmp

memory/4728-2-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

memory/4728-3-0x00000000019C0000-0x00000000019C8000-memory.dmp

memory/4728-4-0x0000000001AE0000-0x0000000001AFC000-memory.dmp

memory/4728-5-0x000000001C3C0000-0x000000001C410000-memory.dmp

memory/4728-7-0x000000001BD30000-0x000000001BD40000-memory.dmp

memory/4728-6-0x0000000003450000-0x0000000003458000-memory.dmp

memory/4728-9-0x000000001C370000-0x000000001C378000-memory.dmp

memory/4728-10-0x000000001C380000-0x000000001C392000-memory.dmp

memory/4728-8-0x000000001BD40000-0x000000001BD56000-memory.dmp

memory/4728-11-0x000000001C3B0000-0x000000001C3B8000-memory.dmp

memory/4728-12-0x000000001C510000-0x000000001C51A000-memory.dmp

memory/4728-13-0x000000001C520000-0x000000001C576000-memory.dmp

memory/4728-14-0x000000001C390000-0x000000001C39C000-memory.dmp

memory/4728-15-0x000000001C3A0000-0x000000001C3A8000-memory.dmp

memory/4728-16-0x000000001C570000-0x000000001C57C000-memory.dmp

memory/4728-17-0x000000001C580000-0x000000001C592000-memory.dmp

memory/4728-18-0x000000001CAE0000-0x000000001D008000-memory.dmp

memory/4728-20-0x000000001C5C0000-0x000000001C5CC000-memory.dmp

memory/4728-19-0x000000001C5B0000-0x000000001C5BC000-memory.dmp

memory/4728-21-0x000000001C5D0000-0x000000001C5D8000-memory.dmp

memory/4728-22-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

memory/4728-23-0x000000001C5F0000-0x000000001C5FC000-memory.dmp

memory/4728-24-0x000000001C700000-0x000000001C708000-memory.dmp

memory/4728-29-0x000000001C890000-0x000000001C89C000-memory.dmp

memory/4728-28-0x000000001C880000-0x000000001C888000-memory.dmp

memory/4728-27-0x000000001C870000-0x000000001C87E000-memory.dmp

memory/4728-26-0x000000001C720000-0x000000001C72A000-memory.dmp

memory/4728-25-0x000000001C710000-0x000000001C71C000-memory.dmp

memory/4728-30-0x000000001C8A0000-0x000000001C8A8000-memory.dmp

memory/4728-31-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

memory/4728-33-0x000000001C8C0000-0x000000001C8CC000-memory.dmp

memory/4728-32-0x000000001C8B0000-0x000000001C8BA000-memory.dmp

memory/4728-34-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

C:\Program Files\Windows Mail\csrss.exe

MD5 50041c9d3b476dda21ed199fdf346aaf
SHA1 5a73df246d5b9970f9c445127651b62ed502a375
SHA256 8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f
SHA512 16440fb313281c9da99370cf05a433a28af41ac6a34692b7b31254e61b7af53c6b903fa9a885a33263d931b8246de307b14ffe0a24a6f30f8c16612b9b48c730

memory/4728-72-0x00007FF9F28E0000-0x00007FF9F33A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kkMQtbsa5G.bat

MD5 0ba51c7ff374c654a652a65ccad5bba6
SHA1 de38be745582ea3c294f8d947e1ccc4282850a32
SHA256 a519f072f4a98c63a9216b203e83c45d404205e815fef77f4ab4df5bb09f171d
SHA512 0e9d0475eb987417ff4ccca69d9263c7a869dbad7dd5e103bd6e6a6d72ba072feef3c17b9f9bf8c2ce313f6a06f1344e476af7a3530b06c82648a10bde430996

C:\Users\Admin\AppData\Local\Temp\5005523a-07ab-47a5-bd84-75142f2848df.vbs

MD5 a02fb59194fefe6b4a609f10cd022fd5
SHA1 d5770552c71daf19026c4126ad4a9e75ba318271
SHA256 aa43e09c153ec6e1a030d9bfd7e42776b0c0a1e87c69aee524a4f77705736c7e
SHA512 2233bd80193a00bcca675c67b833e9cfe9790c19b06af688f95ff7c77663579697236c57780e7f9a7c3a60f4e74ed3c4f71351e3e2f765a4eb9642f790c8b214

C:\Users\Admin\AppData\Local\Temp\6c94ffb4-4dd6-4d91-bc7e-ead00586d273.vbs

MD5 c5f66434b530de7684d3ddebac30f13a
SHA1 6858af84a74cea6c0fe5c743f14027780d4a849d
SHA256 168329b486c7d6ac319df5433c4dab47126a3e7aa9c36d7b7dd1aba7ffca151a
SHA512 41a6692a8491278b8956baf51be9f15659214f2235b1da36f6045c22407c4d6c83cb868a1d539f3d82a1543b6d7e912c8cad302f93e6e1a111b98d081d058939

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

MD5 4a667f150a4d1d02f53a9f24d89d53d1
SHA1 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
SHA256 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
SHA512 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

memory/944-89-0x000000001BE00000-0x000000001BE12000-memory.dmp