Malware Analysis Report

2024-11-15 05:52

Sample ID 240722-2np2faseqd
Target ROBLOXFARMER.exe
SHA256 d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83
Tags
rat dcrat evasion execution infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d89a9ab35a2173a4ec62cc98d54e2ffbff2f0d985386f98a8e11c5dc905bcb83

Threat Level: Known bad

The file ROBLOXFARMER.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion execution infostealer trojan

DCRat payload

Process spawned unexpected child process

UAC bypass

Dcrat family

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

System policy modification

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:43

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:43

Reported

2024-07-22 22:44

Platform

win10-20240404-en

Max time kernel

43s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (15 occurrences, one per schtasks.exe /create command listed under Processes)
All fifteen task registrations appear as children of WmiPrvSE.exe rather than of driverdll.exe. That is the process tree left behind when a program launches a child through WMI (Win32_Process.Create), so a parent/child detection keyed on the dropper will not see them; the usable indicator here is WmiPrvSE.exe spawning schtasks.exe, which is what this signature encodes.

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\sysmon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\Users\Admin\sysmon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\Offline\Idle.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files (x86)\Windows Defender\Offline\6ccacd8608530f C:\DriverintoPerfMonitor\driverdll.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\DriverintoPerfMonitor\driverdll.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A (8 occurrences)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (48 occurrences)
N/A N/A C:\Users\Admin\sysmon.exe N/A (8 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 occurrences)
The following set of 21 privileges is then enabled, in this order, by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; the report lists the full set twice and a third copy that stops after SeCreatePagefilePrivilege:
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
The numeric entries are privilege LUIDs the report did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. Enabling the whole set at once is the footprint of an elevated administrator token having every privilege it holds switched on, which fits PowerShell instances that are changing Defender preferences.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe C:\Windows\SysWOW64\WScript.exe (3 writes)
PID 164 wrote to memory of 3532 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 writes)
PID 3532 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\DriverintoPerfMonitor\driverdll.exe (2 writes)
PID 3984 wrote to memory of 2204 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 2432 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 2452 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 2680 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 4720 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 5068 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 4684 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 5020 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 4676 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 4956 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 4108 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 4560 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 writes)
PID 3984 wrote to memory of 4148 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\cmd.exe (2 writes)
PID 4148 wrote to memory of 1148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 writes)
PID 3532 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe (3 writes)
PID 4148 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\sysmon.exe (2 writes)
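Every row in this table is a parent writing into a process it has just started: the chain runs ROBLOXFARMER.exe to WScript.exe to cmd.exe to driverdll.exe, which in turn starts the twelve PowerShell instances and a second cmd.exe that launches w32tm.exe and sysmon.exe. That is what CreateProcess looks like to a WriteProcessMemory hook, and the same signature name would also fire for genuine injection into an unrelated, already-running process, so the rows are worth turning into a tree before deciding which case a report shows. The script below is an added example, not sandbox tooling: it rebuilds the process tree from rows in this report's format (one row per distinct writer/target pair is embedded here; repeated rows are handled the same way) and flags any write whose target was already alive before the writer touched it.

```python
import re

# One row per distinct (writer, target) pair from the WriteProcessMemory table
# above; the report repeats most rows two or three times, which the parser
# simply tolerates. Sample data constructed from the report; code is an added example.
WPM_ROWS = r"""
PID 1680 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe C:\Windows\SysWOW64\WScript.exe
PID 164 wrote to memory of 3532 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\DriverintoPerfMonitor\driverdll.exe
PID 3984 wrote to memory of 2204 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 2432 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 2452 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 2680 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4720 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 5068 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4684 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 5020 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4676 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4956 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4108 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4560 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 4148 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\cmd.exe
PID 4148 wrote to memory of 1148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3532 wrote to memory of 1840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4148 wrote to memory of 1884 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\sysmon.exe
"""

# \S+ for the two paths is safe here only because no path in this report contains a space.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(rows):
    """Ordered list of (writer_pid, target_pid, writer_path, target_path)."""
    edges = []
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m[1]), int(m[2]), m[3], m[4]))
    return edges


def build_tree(edges):
    """pid -> {'path', 'children'} in report order, plus the pids nobody wrote into (roots)."""
    nodes, seen_as_child = {}, set()
    for wp, tp, wpath, tpath in edges:
        nodes.setdefault(wp, {"path": wpath, "children": []})
        nodes.setdefault(tp, {"path": tpath, "children": []})
        if tp not in nodes[wp]["children"]:
            nodes[wp]["children"].append(tp)
        seen_as_child.add(tp)
    roots = [pid for pid in nodes if pid not in seen_as_child]
    return nodes, roots


def render(nodes, pid, depth=0):
    """Indented one-line-per-process view, depth first."""
    lines = [f"{'  ' * depth}{pid} {nodes[pid]['path']}"]
    for child in nodes[pid]["children"]:
        lines.extend(render(nodes, child, depth + 1))
    return lines


def foreign_writes(edges):
    """Writes into a process that was already alive and is not the writer's own child.

    A parent writing into the child it is creating is CreateProcess as seen by a
    WriteProcessMemory hook. A write into a pid seen earlier as someone else's
    child, or as a writer itself, is the injection pattern worth escalating.
    """
    alive, parent_of, suspicious = set(), {}, []
    for wp, tp, wpath, tpath in edges:
        if tp in alive and parent_of.get(tp) != wp:
            suspicious.append((wp, tp, wpath, tpath))
        alive.update((wp, tp))
        parent_of.setdefault(tp, wp)
    return suspicious


def chain_to(nodes, roots, target_pid):
    """Ancestor chain from a root down to target_pid, as a list of pids (None if absent)."""
    def walk(pid, trail):
        trail = trail + [pid]
        if pid == target_pid:
            return trail
        for child in nodes[pid]["children"]:
            found = walk(child, trail)
            if found:
                return found
        return None
    for root in roots:
        found = walk(root, [])
        if found:
            return found
    return None


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    nodes, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(nodes, root)))
    print("writes into pre-existing processes:", foreign_writes(edges))
```

For this report the tree has a single root (PID 1680, the submitted file) and foreign_writes returns nothing, which is the expected outcome for a dropper chain; the same rows from a sample that hollows or injects into an existing process would show up in that list with a target whose first parent is not the writer.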

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
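All six rows above are writes under HKLM, which succeed only from a process that is already elevated, so what they record is UAC being switched off for later runs rather than bypassed: EnableLUA=0 disables UAC outright but only takes effect after a restart, ConsentPromptBehaviorAdmin=0 makes administrators elevate with no prompt at all, and PromptOnSecureDesktop=0 takes whatever prompt remains off the secure desktop. The reg.exe command under Processes adds the per-user DisableTaskMgr policy on top. The script below is an added example (not part of the report or the sandbox) that parses rows in this report's format plus the reg add command line and names the resulting policy state; the finding labels are the example's own.

```python
import re
from collections import defaultdict

# Rows copied from the UAC bypass / System policy modification tables above and
# the reg.exe command line from the Processes list. Constructed sample input;
# the parser and the assessment are an added example, not report tooling.
POLICY_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\sysmon.exe N/A
"""
REG_ADD_CMDLINE = r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"

SET_VALUE_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[A-Za-z]+) = "(?P<val>\d+)" (?P<proc>\S+) N/A$'
)
REG_ADD_RE = re.compile(
    r"reg(?:\.exe)? add (?P<key>\S+) /v (?P<name>\S+) /t REG_DWORD /d (?P<val>\d+)", re.I
)
POLICY_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def parse_policy_writes(rows, cmdlines=()):
    """Return {(hive, value_name): {writer_process: int_value}} for Policies\\System writes."""
    writes = defaultdict(dict)
    for line in rows.strip().splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m or not m["key"].upper().endswith(POLICY_KEY.upper()):
            continue
        hive = "HKLM" if "\\MACHINE\\" in m["key"].upper() else "HKU"
        writes[(hive, m["name"])][m["proc"]] = int(m["val"])
    for cmd in cmdlines:  # reg.exe writes only show up as a command line in this report
        m = REG_ADD_RE.search(cmd)
        if m and m["key"].upper().endswith(POLICY_KEY.upper()):
            hive = "HKLM" if m["key"].upper().startswith(("HKLM", "HKEY_LOCAL_MACHINE")) else "HKCU"
            writes[(hive, m["name"])]["reg.exe"] = int(m["val"])
    return writes


def assess_uac(writes):
    """Map each damaging policy outcome to the set of processes that caused it."""
    findings = defaultdict(set)
    for (hive, name), by_proc in writes.items():
        for proc, val in by_proc.items():
            # UAC policy is only read from HKLM; a per-user copy of these names does nothing.
            if hive == "HKLM" and name == "EnableLUA" and val == 0:
                findings["uac_disabled_after_restart"].add(proc)
            if hive == "HKLM" and name == "ConsentPromptBehaviorAdmin" and val == 0:
                findings["admin_elevates_without_prompt"].add(proc)
            if hive == "HKLM" and name == "PromptOnSecureDesktop" and val == 0:
                findings["prompt_not_on_secure_desktop"].add(proc)
            if name == "DisableTaskMgr" and val == 1:
                findings["task_manager_blocked"].add(proc)
    return dict(findings)


if __name__ == "__main__":
    writes = parse_policy_writes(POLICY_ROWS, [REG_ADD_CMDLINE])
    for finding, procs in sorted(assess_uac(writes).items()):
        print(f"{finding}: {', '.join(sorted(procs))}")
```

The same three value names, read from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System on a live host, are the quickest way to confirm whether a machine this sample ran on has already had UAC neutered, and ConsentPromptBehaviorAdmin=0 is the one that matters immediately because it needs no restart.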

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe

"C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\DriverintoPerfMonitor\7tBtpkweNP1.bat" "

C:\DriverintoPerfMonitor\driverdll.exe

"C:\DriverintoPerfMonitor\driverdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverintoPerfMonitor/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lxd1LPk0iB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Admin\sysmon.exe

"C:\Users\Admin\sysmon.exe"

C:\Windows\system32\notepad.exe

"C:\Windows\system32\notepad.exe"
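The Processes list shows the persistence and evasion routine in the clear. Each dropped binary (Idle.exe, dllhost.exe, ApplicationFrameHost.exe, sysmon.exe) is registered three times: once ONLOGON with /rl HIGHEST and twice on a minute interval, under a task name that is the binary name with at most one extra letter, and the copies live in a made-up directory under the drive root, under the user profile, or under Program Files (x86)\Windows Defender\Offline rather than in the Windows directory the names suggest. Twelve elevated PowerShell instances then exclude C:\ and every top-level directory beneath it from Defender, and the batch file runs w32tm /stripchart against localhost, which yields nothing the malware uses and simply costs a few seconds before sysmon.exe starts. The script below is an added example (not part of the report) that parses a representative subset of these command lines and reports those patterns; the set of binary names it treats as impersonation targets and the finding wording are assumptions of the example, not statements from the report.

```python
import re
from collections import defaultdict

# Representative command lines copied from the Processes list above (constructed
# sample; the full list parses the same way). Added example, not report tooling.
CMDLINES = r"""
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\DriverintoPerfMonitor\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /f
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\Offline\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\ApplicationFrameHost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverintoPerfMonitor/'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
""".strip().splitlines()

SCHTASKS_RE = re.compile(
    r"""schtasks(?:\.exe)? /create /tn "(?P<name>[^"]+)" /sc (?P<sched>\S+)"""
    r"""(?: /mo (?P<mo>\d+))? /tr "'?(?P<target>[^'"]+)'?"(?P<rest>.*)$""",
    re.I,
)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.I)
W32TM_SLEEP_RE = re.compile(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.I)

# Assumed: names that are impersonation when they run from outside the Windows
# directory (dllhost/ApplicationFrameHost are Windows binaries, sysmon is Sysinternals).
MASQUERADE_NAMES = {"dllhost.exe", "applicationframehost.exe", "sysmon.exe"}
WINDOWS_DIR = "c:\\windows\\"


def parse_task(cmd):
    """Fields that matter from a schtasks /create command line, or None if not one."""
    m = SCHTASKS_RE.search(cmd)
    if not m:
        return None
    return {
        "name": m["name"],
        "sched": m["sched"].upper(),
        "every_min": int(m["mo"]) if m["mo"] else None,
        "target": m["target"],
        "highest": "/RL HIGHEST" in m["rest"].upper(),
    }


def task_findings(tasks):
    """Group registrations by target binary and list why each looks like malware persistence."""
    by_target = defaultdict(list)
    for t in tasks:
        by_target[t["target"].lower()].append(t)
    findings = {}
    for target, ts in by_target.items():
        basename = target.rsplit("\\", 1)[-1]
        stem = basename[:-4] if basename.endswith(".exe") else basename
        reasons = []
        if not target.startswith(WINDOWS_DIR):
            if basename in MASQUERADE_NAMES:
                reasons.append("system-binary name outside the Windows directory")
            if any(t["highest"] for t in ts):
                reasons.append("runs with highest privileges from a non-system path")
        if {"ONLOGON", "MINUTE"} <= {t["sched"] for t in ts}:
            reasons.append("logon trigger plus minute-interval relaunch for the same binary")
        names = [t["name"].lower() for t in ts]
        if any(n == stem or (n.startswith(stem) and len(n) == len(stem) + 1) for n in names):
            reasons.append("task name derived from the binary name")
        if reasons:
            findings[target] = reasons
    return findings


def blanket_exclusions(cmds, max_depth=1):
    """Defender path exclusions at a drive root or one directory below it."""
    hits = []
    for cmd in cmds:
        m = EXCL_RE.search(cmd)
        if not m:
            continue
        parts = [p for p in m["path"].replace("\\", "/").split("/") if p and not p.endswith(":")]
        if len(parts) <= max_depth:
            hits.append(m["path"])
    return hits


def lolbin_delays(cmds):
    """w32tm /stripchart against localhost has no use except to take time."""
    return [c for c in cmds if W32TM_SLEEP_RE.search(c)]


def triage(cmds):
    tasks = [t for t in map(parse_task, cmds) if t]
    return {"tasks": task_findings(tasks), "exclusions": blanket_exclusions(cmds), "delays": lolbin_delays(cmds)}


if __name__ == "__main__":
    for section, result in triage(CMDLINES).items():
        print(section, result)
```

Run over the full Processes list the task parser yields five target binaries, every one of them flagged, and the exclusion check fires on all twelve Add-MpPreference calls; each Add-MpPreference also leaves a Defender event (ID 5007, an exclusion change) on the host, which is the record to search for on machines where the sample ran.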

Network

Country Destination Domain Proto
US 8.8.8.8:53 a1009107.xsph.ru udp
RU 141.8.192.58:80 a1009107.xsph.ru tcp
US 8.8.8.8:53 58.192.8.141.in-addr.arpa udp

Files

C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe

MD5 529296e248ff3230c9b1ced537b7bf5d
SHA1 e5d534cb4125e530f4428b24483ec970e3d7f563
SHA256 53fdb76d26b6e3e3d9e6438bf42e21f96564cbb316b3addd781e6fd628199779
SHA512 7a197e20c4af21cfae6b0f628afa2be7d4a9b1acb19d1dab8bc5198f2b514ed5dcbdc54ce8d013a538f1d00c21f9fce93293aebab51fd256dd1ed507824437a7

C:\DriverintoPerfMonitor\7tBtpkweNP1.bat

MD5 e6cdcd7d35111e728abce425b094d0c3
SHA1 6aafefc2fc9aac870765642ce3e0c6baaf973a87
SHA256 0adb99738e12fc866bee55a4ad3aa614fe819fface03af273743e377c41899a5
SHA512 5d4b93d3aed63d68281406568344c76478a2a98e65c94c1eb7acd3b51715d458651c9c7fc70908c56c90a45e2d0480f78d621ac494655d00bbcae7c63fe8fd7c

C:\DriverintoPerfMonitor\driverdll.exe

MD5 0bdab38cf92a980d9682c00c384690fb
SHA1 fb9b9bed33eef416f594a9afee0721315295b12d
SHA256 e1d82f52161a36132915a860388b430bb8a1a129140ec03c3cab417593706032
SHA512 3a793187a4ae93b2a10102893e5095d3a8b48acd33e802c35974aa68a10758db6057a2e623d35c3d9cc07f0c1ff1a72c0bc24b399d5dcb7d496f49db7de69790

memory/3984-14-0x0000000000620000-0x00000000007C0000-memory.dmp

memory/3984-15-0x0000000002990000-0x000000000299E000-memory.dmp

memory/3984-16-0x00000000029A0000-0x00000000029BC000-memory.dmp

memory/3984-17-0x000000001B310000-0x000000001B360000-memory.dmp

memory/3984-20-0x000000001B2E0000-0x000000001B2E8000-memory.dmp

memory/3984-19-0x000000001B2C0000-0x000000001B2D6000-memory.dmp

memory/3984-21-0x000000001B2F0000-0x000000001B2FA000-memory.dmp

memory/3984-18-0x00000000029C0000-0x00000000029C8000-memory.dmp

memory/3984-22-0x000000001B300000-0x000000001B30C000-memory.dmp

memory/3984-23-0x000000001B360000-0x000000001B372000-memory.dmp

memory/3984-24-0x000000001C080000-0x000000001C5A6000-memory.dmp

memory/3984-25-0x000000001B390000-0x000000001B39C000-memory.dmp

memory/3984-26-0x000000001B3B0000-0x000000001B3BC000-memory.dmp

memory/3984-27-0x000000001B3C0000-0x000000001B3CC000-memory.dmp

memory/3984-28-0x000000001B410000-0x000000001B418000-memory.dmp

memory/3984-31-0x000000001BB50000-0x000000001BB5C000-memory.dmp

memory/3984-30-0x000000001B430000-0x000000001B438000-memory.dmp

memory/3984-29-0x000000001B420000-0x000000001B428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Lxd1LPk0iB.bat

MD5 6b692839e7e2e39f71c80bbdbe1dd86d
SHA1 40d52afdae5500bf275eb5e93ca1e6a10b892ed1
SHA256 5186abdced10702f2d837a5b90f0ebeb6a6ab50ec362d946e3b3b6ca9910edf7
SHA512 e3ada85f4118e73ff80fcc325452266f1c53bb53bb3dbc5ffda797b0b0e7caf4c4a925f93faeecc27498113232cea2a9681e806da313b21143ae1551cce4222b

memory/4684-95-0x0000025C20B20000-0x0000025C20B42000-memory.dmp

memory/2452-100-0x00000223EC010000-0x00000223EC086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlv5k3td.df4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
(PowerShell's own application-control probe: every powershell.exe start writes this file containing the single character "1", which is exactly what the MD5, SHA1 and SHA256 above are the digests of. Like the CLR usage log and the StartupProfileData files that follow, it is a host-side artifact of PowerShell starting, not something the sample dropped.)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0049d3f6418af68942fe70d66df26cc0
SHA1 77f4aa1ddf54d284d25a109366a2ad49c20ca9cd
SHA256 668805a11935c70be46aa9a20e37f43ed77b7920a8aaa97f6878889fdb1ffe57
SHA512 72d2cbd69695a526002defe0daca4f5e1b456976a0baa53ece1afa3091b7364474c3cb0636c23551bff621c069e950f5da26e18d992f3fc92a5993aa7cc7c2b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 127e9623b9a9a064b66f89901266ae4a
SHA1 a6f74bc3306fc0d5eafd7f1e74f827cd0ac88757
SHA256 bcf03f938569c0c4fa25aa0eb80547975b9c73040e2642c6cf93fc7efe1c5d98
SHA512 c49cf11d2131ed0cb379a663e6207ba73fcbfa0c6698262d1eb25ce5804fe73a5b1c80ee2a5d478541c2418d013ba9e685aa243c90b97e5c9db6d66e5944fc66

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 954472ae77869f2907b924f8e496fa70
SHA1 d27b2e528d53e4f56fdd1542ad5f67cea5a19251
SHA256 b3cb4c4c083c4d605541899fbd41d09f3efb32ff6ae1c980fcb060bda2cb9304
SHA512 9d7afaad76cdc20117c8fe1da118bc80549d14d53fbfd15ea6d7439e9dce9e35659b397bbd25f846fd2623136f2ed8b6ed65c4ab87fbafc823a179956ed47768

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3acd17c5c0e091e64df0fd4294e9fbf
SHA1 88d8cfb391dd7249ce9f43e7b1027f120bec7c0c
SHA256 9a08bc360227dd00b57415902dbf35eaf65e0940ae87734775f04513534eca08
SHA512 69d8f732b04dff27a26e11c4cc8aa4c8c8b38e115efcb9ad8e3b3c5abfd5538498bf6dff1a1e2cf7ca4b09bbd7d4f94cbc0644ddc6d0c839fac2bc06b3aa9862

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cd61dc8f9f145bb85d2c406fc6c34ded
SHA1 365987e5acc5d25cd33a12b29f2ad12decaa8330
SHA256 0647cf7307c472144500797e8f4938aeaf2c78550956445a3b200d13c795ab12
SHA512 33192f01e00f34fbd2c03a5334ced4791af20a0032d7bb62d7f2221770f64b2312d975a6c6e3406f041ef517592b882e41f02e0c2844547f896cb18c9e47a23c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cca714f154d362fe9bf0aac437b9f979
SHA1 3310322b74a5cff769aff7b0b421c1d688633be1
SHA256 6c0fde4a1d14c75cbf6cae68617191384d1c9c0f75ca7659b98361b93d17ba70
SHA512 2c1712c4dd670993f15a24b9ec7e35c78ad1bf95075807977e47d1774ee9887202cb954c84c011c63c6cd3f17fdf1782329b6309bb36424519b3688365652f59

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1d5ea3b46362261e127a3b54bebc4f22
SHA1 99b5e2c60722b40951cffdf24b7630364cdf6475
SHA256 5de9c52f11d80c46db18c0238415d11a1f088bb1ef9c5942fa02627c72efe117
SHA512 50f4f0fee0e4966a7d2c3f038ea2985c7cbd9e6a68aca40173b67e89e7f66bc417574b95ad98aca596c9f5146749517b3a3775cbf0013a7959a23139687eed1f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 25bb2c187db92c38cfc6333ccc1ad710
SHA1 bb27ee06b75535aa1d7ea44c49cde588c67122b0
SHA256 0bcc971fa7c59ec061b228ab04f6c37428978b4ad3958fb9e33eb1fa5ae7b1b5
SHA512 f3e07248ad1cb20ad26f0ccf7037460e47e67c408269b0250cb3839a840e5df3069a74062058df56be4e1b55e905a1508df2683f21fbaa29b493898a189f4b00

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:43

Reported

2024-07-22 22:45

Platform

win10v2004-20240709-en

Max time kernel

34s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\DriverintoPerfMonitor\driverdll.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\uk-UA\sihost.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files\Internet Explorer\uk-UA\66fc9ff0ee96c2 C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files\ModifiableWindowsApps\lsass.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files\Common Files\System\es-ES\conhost.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files\Common Files\System\es-ES\088424020bedd6 C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files (x86)\Windows Media Player\uk-UA\5940a34987c991 C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\sysmon.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\121e5b5079f7c0 C:\DriverintoPerfMonitor\driverdll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Containers\serviced\6203df4a6bafc7 C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Windows\PrintDialog\sppsvc.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Windows\apppatch\CustomSDB\sihost.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Windows\apppatch\CustomSDB\66fc9ff0ee96c2 C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File opened for modification C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Windows\SKB\LanguageModels\eddb19405b7ce1 C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Windows\Containers\serviced\lsass.exe C:\DriverintoPerfMonitor\driverdll.exe N/A
File created C:\Windows\PrintDialog\0a1fd5f707cd16 C:\DriverintoPerfMonitor\driverdll.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe N/A
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\DriverintoPerfMonitor\driverdll.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\DriverintoPerfMonitor\driverdll.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe C:\Windows\SysWOW64\WScript.exe
PID 1672 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe C:\Windows\SysWOW64\WScript.exe
PID 1672 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe C:\Windows\SysWOW64\WScript.exe
PID 3068 wrote to memory of 4468 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 4468 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 4468 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\DriverintoPerfMonitor\driverdll.exe
PID 4468 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\DriverintoPerfMonitor\driverdll.exe
PID 2176 wrote to memory of 668 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 668 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2804 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2804 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2828 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2828 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2476 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2476 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2172 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2172 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2600 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2600 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2132 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2132 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3488 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3488 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3456 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3456 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3008 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3008 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 780 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 780 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3352 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3352 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 4940 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\cmd.exe
PID 2176 wrote to memory of 4940 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\cmd.exe
PID 4468 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4468 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4468 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4940 wrote to memory of 3088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4940 wrote to memory of 3088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4940 wrote to memory of 1656 N/A C:\Windows\System32\cmd.exe C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe
PID 4940 wrote to memory of 1656 N/A C:\Windows\System32\cmd.exe C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe
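
Collapsing the duplicate writes, the table above gives the complete parent/child lineage of this detonation: ROBLOXFARMER.exe starts WScript.exe on the dropped .vbe, which runs cmd.exe on the dropped .bat, which launches driverdll.exe; driverdll.exe then drives the twelve powershell.exe exclusions and a second cmd.exe (the w32tm delay and the backgroundTaskHost.exe copy), while the first cmd.exe also runs reg.exe. What is missing is as telling as what is present: none of the 42 schtasks.exe processes appear here. The "Process spawned unexpected child process" rows attribute every one of them to wmiprvse.exe, which is what process creation through WMI (Win32_Process.Create) looks like, so a lineage rule that expects driverdll.exe to be the schtasks parent would miss all of them. The Python below is an added example, not part of the sandbox output: it rebuilds the tree from the rows above (copied verbatim as a constructed input, one copy per pair) and applies three lineage rules. The directory allow-lists, the script-host and LOLBin name sets and the rule wording are this example's assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Parent/child rows from the "Suspicious use of WriteProcessMemory" table,
# one copy per pair. Constructed input for the example; the sandbox emitted
# these same lines.
WPM_ROWS = r"""
PID 1672 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe C:\Windows\SysWOW64\WScript.exe
PID 3068 wrote to memory of 4468 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\DriverintoPerfMonitor\driverdll.exe
PID 2176 wrote to memory of 668 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 4940 N/A C:\DriverintoPerfMonitor\driverdll.exe C:\Windows\System32\cmd.exe
PID 4468 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4940 wrote to memory of 3088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4940 wrote to memory of 1656 N/A C:\Windows\System32\cmd.exe C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe
""".strip().splitlines()

ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<parent>\S+) (?P<child>\S+)$"
)

# Where a legitimately installed executable is expected to live (assumption).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                  "c:\\program files (x86)\\", "c:\\users\\")
OS_ROOTS = STANDARD_ROOTS[:3]              # same list without the user profiles
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"wscript.exe", "cmd.exe", "powershell.exe", "reg.exe", "schtasks.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path, e.g. 'powershell.exe'."""
    return PureWindowsPath(path).name.lower()


def parse_tree(rows):
    """Build {pid: image path} and {parent pid: [child pids]} from the rows."""
    images, children, seen = {}, defaultdict(list), set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        images[ppid], images[pid] = m["parent"], m["child"]
        if (ppid, pid) not in seen:        # the report repeats each write
            seen.add((ppid, pid))
            children[ppid].append(pid)
    return images, children


def lineage_findings(images, children):
    """Apply three parent/child rules; one string per hit."""
    findings = []
    for ppid, kids in children.items():
        p_path = images[ppid]
        p_name = image_name(p_path)
        for pid in kids:
            c_path = images[pid]
            c_name = image_name(c_path)
            edge = f"{p_name} ({ppid}) -> {c_name} ({pid})"
            # 1. a script host (here WScript on the .vbe) launching a shell/LOLBin
            if p_name in SCRIPT_HOSTS and c_name in LOLBINS:
                findings.append(f"{edge}: script host launching {c_name}")
            # 2. a child image outside every directory software is installed to
            if not c_path.lower().startswith(STANDARD_ROOTS):
                findings.append(f"{edge}: executable run from non-standard directory {c_path}")
            # 3. a binary outside Windows/Program Files driving a LOLBin
            if not p_path.lower().startswith(OS_ROOTS) and c_name in LOLBINS:
                findings.append(f"{edge}: binary outside Windows/Program Files driving {c_name}")
    return findings


def roots(images, children):
    """PIDs that never appear as a child: the detonated sample in this report."""
    kids = {pid for ks in children.values() for pid in ks}
    return sorted(pid for pid in images if pid not in kids)


def render_tree(images, children, pid, depth=0):
    """Indented lineage, one line per process, depth-first."""
    lines = ["  " * depth + f"{images[pid]} ({pid})"]
    for kid in children.get(pid, []):
        lines.extend(render_tree(images, children, kid, depth + 1))
    return lines


if __name__ == "__main__":
    imgs, kids = parse_tree(WPM_ROWS)
    for root in roots(imgs, kids):
        print("\n".join(render_tree(imgs, kids, root)))
    for finding in lineage_findings(imgs, kids):
        print("FINDING:", finding)
```

Rule 3 is the one that survives the WMI trick in a real EDR feed only if the telemetry records the creating process (some products expose it as a separate field); with plain parent PID data, the schtasks.exe instances have to be caught on their own command lines instead, as in the next example.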

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
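
The three values written here (and again in the "UAC bypass" and "Checks whether UAC is enabled" tables) are the entire UAC bypass: EnableLUA=0 switches UAC off after the next reboot, ConsentPromptBehaviorAdmin=0 lets administrators elevate with no prompt at all, and PromptOnSecureDesktop=0 moves whatever prompt remains off the secure desktop. driverdll.exe queries EnableLUA before writing it, and the dropped backgroundTaskHost.exe repeats all three writes. The Python below is an added example, not part of the report: it parses the rows of this table (copied verbatim as a constructed input), compares each value with the Windows 10 defaults for a machine without policy overrides (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1; that baseline is this example's assumption) and emits the reg.exe commands that restore them.

```python
import re

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Windows 10 defaults for a machine with no UAC policy override (assumption
# of this example): UAC on, admins asked for consent on the secure desktop.
BASELINE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# What each value means once the sample has forced it to 0.
EFFECT_OF_ZERO = {
    "EnableLUA": "UAC disabled after the next reboot; admin processes run fully elevated",
    "ConsentPromptBehaviorAdmin": "administrators elevate silently, no consent prompt",
    "PromptOnSecureDesktop": "any remaining prompt is drawn on the user desktop, not the secure one",
}

# Rows copied verbatim from the "System policy modification" table above.
# Constructed input so the example runs without the sandbox.
REPORT_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\DriverintoPerfMonitor\driverdll.exe N/A
""".strip().splitlines()

ROW_RE = re.compile(
    r'^Set value \(int\) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    r'\\Policies\\System\\(?P<name>\w+) = "(?P<value>-?\d+)" (?P<process>\S+)'
)


def parse_policy_rows(rows):
    """Group the 'Set value' rows by writing process: {process: {value name: int}}."""
    per_process = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            per_process.setdefault(m["process"], {})[m["name"]] = int(m["value"])
    return per_process


def assess_uac(values):
    """One finding per value that has been zeroed; a missing value counts as default."""
    findings = []
    for name, good in BASELINE.items():
        if values.get(name, good) == 0:
            findings.append(f"{name}=0 (default {good}): {EFFECT_OF_ZERO[name]}")
    return findings


def remediation(values):
    """reg.exe commands that put every deviating value back to BASELINE."""
    return [
        f'reg add "{UAC_KEY}" /v {name} /t REG_DWORD /d {good} /f'
        for name, good in BASELINE.items()
        if values.get(name, good) != good
    ]


if __name__ == "__main__":
    for process, values in parse_policy_rows(REPORT_ROWS).items():
        print(process)
        for line in assess_uac(values):
            print("  ", line)
        for cmd in remediation(values):
            print("  ", cmd)
```

Restoring the values is only worthwhile after the scheduled tasks listed under Processes are deleted: both binaries that wrote them are re-launched every few minutes and would simply write 0 again.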

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe

"C:\Users\Admin\AppData\Local\Temp\ROBLOXFARMER.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\DriverintoPerfMonitor\7tBtpkweNP1.bat" "

C:\DriverintoPerfMonitor\driverdll.exe

"C:\DriverintoPerfMonitor\driverdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\uk-UA\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\DriverintoPerfMonitor\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\DriverintoPerfMonitor\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PrintDialog\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\DriverintoPerfMonitor\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverintoPerfMonitor\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\DriverintoPerfMonitor\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\CustomSDB\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\apppatch\CustomSDB\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\apppatch\CustomSDB\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\es-ES\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverintoPerfMonitor/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tHfWPh1qyB.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe

"C:\Windows\SKB\LanguageModels\backgroundTaskHost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 a1009107.xsph.ru udp
RU 141.8.192.58:80 a1009107.xsph.ru tcp
US 8.8.8.8:53 58.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

C:\DriverintoPerfMonitor\rBZTKR2mYRfNEbvt9Nbq33ykB0q3.vbe

MD5 529296e248ff3230c9b1ced537b7bf5d
SHA1 e5d534cb4125e530f4428b24483ec970e3d7f563
SHA256 53fdb76d26b6e3e3d9e6438bf42e21f96564cbb316b3addd781e6fd628199779
SHA512 7a197e20c4af21cfae6b0f628afa2be7d4a9b1acb19d1dab8bc5198f2b514ed5dcbdc54ce8d013a538f1d00c21f9fce93293aebab51fd256dd1ed507824437a7

C:\DriverintoPerfMonitor\7tBtpkweNP1.bat

MD5 e6cdcd7d35111e728abce425b094d0c3
SHA1 6aafefc2fc9aac870765642ce3e0c6baaf973a87
SHA256 0adb99738e12fc866bee55a4ad3aa614fe819fface03af273743e377c41899a5
SHA512 5d4b93d3aed63d68281406568344c76478a2a98e65c94c1eb7acd3b51715d458651c9c7fc70908c56c90a45e2d0480f78d621ac494655d00bbcae7c63fe8fd7c

C:\DriverintoPerfMonitor\driverdll.exe

MD5 0bdab38cf92a980d9682c00c384690fb
SHA1 fb9b9bed33eef416f594a9afee0721315295b12d
SHA256 e1d82f52161a36132915a860388b430bb8a1a129140ec03c3cab417593706032
SHA512 3a793187a4ae93b2a10102893e5095d3a8b48acd33e802c35974aa68a10758db6057a2e623d35c3d9cc07f0c1ff1a72c0bc24b399d5dcb7d496f49db7de69790

memory/2176-12-0x0000000000640000-0x00000000007E0000-memory.dmp

memory/2176-13-0x00007FFDFD4F3000-0x00007FFDFD4F5000-memory.dmp

memory/2176-14-0x00000000028F0000-0x00000000028FE000-memory.dmp

memory/2176-15-0x0000000002920000-0x000000000293C000-memory.dmp

memory/2176-16-0x000000001B480000-0x000000001B4D0000-memory.dmp

memory/2176-18-0x0000000002940000-0x0000000002956000-memory.dmp

memory/2176-19-0x0000000002960000-0x0000000002968000-memory.dmp

memory/2176-17-0x0000000002900000-0x0000000002908000-memory.dmp

memory/2176-20-0x0000000002970000-0x000000000297A000-memory.dmp

memory/2176-21-0x0000000002980000-0x000000000298C000-memory.dmp

memory/2176-22-0x0000000002990000-0x00000000029A2000-memory.dmp

memory/2176-23-0x000000001C050000-0x000000001C578000-memory.dmp

memory/2176-24-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

memory/2176-25-0x000000001B500000-0x000000001B50C000-memory.dmp

memory/2176-29-0x000000001BC40000-0x000000001BC48000-memory.dmp

memory/2176-28-0x000000001BC30000-0x000000001BC38000-memory.dmp

memory/2176-27-0x000000001BDA0000-0x000000001BDA8000-memory.dmp

memory/2176-26-0x000000001BB20000-0x000000001BB2C000-memory.dmp

memory/2176-30-0x000000001BC50000-0x000000001BC5C000-memory.dmp

memory/3456-73-0x00000269DB100000-0x00000269DB122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnbt50b1.qnr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tHfWPh1qyB.bat

MD5 32757917fff5707317d21a0b3814cccb
SHA1 d6b1eec5200c2fdb7e12fff2bb4cd27222a33089
SHA256 fad18e5f105453e8e50124ada5030785148df27fa6d1b9b55ba1d710715c2b29
SHA512 a3793b7443944da6649ff21cb6615e056982fee2eea402eb4d88fe7a2f09bba8c5c387aa937d5229dd65fd36767f2c1b215fe09f6b6829b43dfeb9a77bb8093d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f0ddc7f3691c81ee14d17b419ba220d
SHA1 f0ef5fde8bab9d17c0b47137e014c91be888ee53
SHA256 a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5
SHA512 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

memory/1656-202-0x000000001C280000-0x000000001C292000-memory.dmp