Malware Analysis Report

2024-11-15 05:53

Sample ID 240722-p872jazamk
Target 3a7eb05a575ea6c0ebd97a42d6a77e66.exe
SHA256 25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c
Tags
dcrat evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c

Threat Level: Known bad

The file 3a7eb05a575ea6c0ebd97a42d6a77e66.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

Process spawned unexpected child process

UAC bypass

DcRat

Dcrat family

DCRat payload

DCRat payload

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

System policy modification

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 13:01

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 13:01

Reported

2024-07-22 13:03

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (57 identical rows, one per schtasks.exe launch; the 57 corresponding /create command lines are listed under Processes)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
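As an added example that is not part of the sandbox report, the Python below parses rows in the format of the UAC bypass table above, collapses repeated writes, ignores keys outside Policies\System, and states what each zeroed value does (meanings from Microsoft's UAC policy documentation). Two of the sample rows are constructed, a restore to the default value 5 and a write under an unrelated key, to show what the parser leaves alone. One caveat the table does not spell out: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is writable only by an administrator, so these writes are not an escalation in themselves; they disable UAC for whatever runs afterwards, and EnableLUA=0 only takes effect after a reboot.

```python
import re
from dataclasses import dataclass

# Values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that
# govern UAC, and what a value of 0 means for each.
UAC_POLICY = {
    "EnableLUA": "Admin Approval Mode (UAC) switched off; takes effect after the next reboot",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any consent or credential prompt",
    "PromptOnSecureDesktop": "any remaining elevation prompt is no longer isolated on the secure desktop",
}
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# One row of this report's "Set value (int)" tables:
#   Set value (int) <key>\<name> = "<value>" <process> N/A
ROW_RE = re.compile(
    r'^Set value \(int\) (?P<key>\\REGISTRY\\[^ ]+)\\(?P<name>[^\\ ]+) = "(?P<value>-?\d+)" (?P<process>.+?) N/A$'
)


@dataclass(frozen=True, order=True)
class UacFinding:
    process: str
    name: str
    value: int
    meaning: str


def parse_uac_policy_rows(rows):
    """Return one UacFinding per (process, value) pair that weakens UAC.

    Rows under other keys are ignored, repeated writes collapse to one finding,
    and a non-zero write is not reported (it restores the control rather than
    removing it)."""
    findings = set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m or m["key"].lower() != POLICY_KEY.lower():
            continue
        name, value = m["name"], int(m["value"])
        if name in UAC_POLICY and value == 0:
            findings.add(UacFinding(m["process"], name, value, UAC_POLICY[name]))
    return sorted(findings)


def summarize(findings):
    """Per-process view: which values each process zeroed, whether UAC ends up
    fully disabled (EnableLUA=0) and whether elevation became silent."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f.process, set()).add(f.name)
    return {
        proc: {
            "zeroed": sorted(names),
            "uac_disabled": "EnableLUA" in names,
            "silent_elevation": "ConsentPromptBehaviorAdmin" in names,
        }
        for proc, names in by_proc.items()
    }


# Rows copied from the UAC bypass table in this report, plus two constructed rows.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Start Menu\dllhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Start Menu\dllhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Start Menu\dllhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Start Menu\dllhost.exe N/A',
    # constructed: a restore to the Windows default (5 = prompt for consent), not a finding
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" C:\Windows\System32\cmd.exe N/A',
    # constructed: unrelated key, ignored
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "0" C:\Users\Default\Start Menu\dllhost.exe N/A',
]

if __name__ == "__main__":
    for proc, info in summarize(parse_uac_policy_rows(SAMPLE_ROWS)).items():
        print(proc, info)
```

Both the original sample and the dropped dllhost.exe copy zero all three values, so the summary reports UAC disabled and elevation silenced for each of them while the constructed cmd.exe restore produces no finding.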

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Default\Start Menu\dllhost.exe N/A (2 identical rows)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\1610b97d3ab4a7 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\101b941d020240 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OSPPSVC.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Photo Viewer\es-ES\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\twain_32\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Windows\Globalization\ELS\Transliteration\services.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Windows\Globalization\ELS\Transliteration\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Windows\CSC\v2.0.6\sppsvc.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Windows\twain_32\dwm.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (57 identical rows, one per schtasks.exe /create command line listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A (17 identical rows)
N/A N/A C:\Users\Default\Start Menu\dllhost.exe N/A (40 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Start Menu\dllhost.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe C:\Windows\System32\cmd.exe (3 identical rows)
PID 2916 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 identical rows)
PID 2916 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Start Menu\dllhost.exe (3 identical rows)
PID 2788 wrote to memory of 3068 N/A C:\Users\Default\Start Menu\dllhost.exe C:\Windows\System32\WScript.exe (3 identical rows)
PID 2788 wrote to memory of 112 N/A C:\Users\Default\Start Menu\dllhost.exe C:\Windows\System32\WScript.exe (3 identical rows)
PID 3068 wrote to memory of 2432 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Start Menu\dllhost.exe (3 identical rows)
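The WriteProcessMemory rows above encode a parent/child chain: the sample starts cmd.exe, which runs w32tm.exe and the dropped dllhost.exe; dllhost.exe runs WScript.exe twice, and one of those relaunches dllhost.exe. As an added example that is not the report's own tooling, the Python below rebuilds that process tree from rows in this format, collapses the repeated rows, tags living-off-the-land binaries, and answers "how did PID X get started" with its ancestry. The LOLBINS set is this example's own choice; the sample rows are the six distinct rows of the table, replicated to mimic the report.

```python
import re
from collections import defaultdict

# One row of the "Suspicious use of WriteProcessMemory" table:
#   PID <parent> wrote to memory of <child> N/A <parent path> <child path>
# Paths may contain spaces, so the child path is recognised by its drive letter.
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<ppath>.+?) (?P<cpath>[A-Za-z]:\\.+)$"
)

# Signed Windows binaries commonly used to proxy execution (example's own list).
LOLBINS = {"cmd.exe", "wscript.exe", "cscript.exe", "w32tm.exe", "schtasks.exe", "powershell.exe"}


def parse_rows(rows):
    """Map (parent_pid, child_pid) -> (parent_path, child_path).
    The sandbox emits the same write several times per spawn; repeats collapse here."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges[(int(m["parent"]), int(m["child"]))] = (m["ppath"], m["cpath"])
    return edges


def build_tree(edges):
    """Return (names, children, parents, roots) from the edge map."""
    names, children, parents = {}, defaultdict(list), {}
    for (p, c), (ppath, cpath) in edges.items():
        names.setdefault(p, ppath)
        names[c] = cpath
        children[p].append(c)
        parents[c] = p
    roots = sorted(pid for pid in names if pid not in parents)
    return names, children, parents, roots


def render(names, children, roots):
    """Indented text tree, children ordered by PID, LOLBins tagged."""
    lines = []

    def walk(pid, depth):
        base = names[pid].rsplit("\\", 1)[-1]
        tag = "  [lolbin]" if base.lower() in LOLBINS else ""
        lines.append("  " * depth + f"{names[pid]} (PID {pid}){tag}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def ancestry(names, parents, pid):
    """Executable names from pid up to the root of its tree."""
    chain = []
    while pid is not None:
        chain.append(names[pid].rsplit("\\", 1)[-1])
        pid = parents.get(pid)
    return chain


# The six distinct rows of the table above; each appears three times in the report.
SAMPLE_ROWS = [
    r"PID 2368 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe C:\Windows\System32\cmd.exe",
    r"PID 2916 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2916 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Start Menu\dllhost.exe",
    r"PID 2788 wrote to memory of 3068 N/A C:\Users\Default\Start Menu\dllhost.exe C:\Windows\System32\WScript.exe",
    r"PID 2788 wrote to memory of 112 N/A C:\Users\Default\Start Menu\dllhost.exe C:\Windows\System32\WScript.exe",
    r"PID 3068 wrote to memory of 2432 N/A C:\Windows\System32\WScript.exe C:\Users\Default\Start Menu\dllhost.exe",
] * 3

if __name__ == "__main__":
    names, children, parents, roots = build_tree(parse_rows(SAMPLE_ROWS))
    print("\n".join(render(names, children, roots)))
    print(" <- ".join(ancestry(names, parents, 2432)))
```

The tree has one root (PID 2368, the submitted file) and seven processes in total; the ancestry of PID 2432 reads dllhost.exe <- WScript.exe <- dllhost.exe <- cmd.exe <- 3a7eb05a575ea6c0ebd97a42d6a77e66.exe, which is the relaunch-through-script hop worth hunting for in endpoint telemetry.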

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Start Menu\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Start Menu\dllhost.exe N/A

Uses Task Scheduler COM API

persistence
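The schtasks.exe /create command lines listed under Processes follow one pattern per dropped binary: a copy named after a Windows process (csrss.exe, lsass.exe, dwm.exe, services.exe and so on) placed outside its system directory, registered with an ONLOGON task and two MINUTE-interval tasks, at least one at /rl HIGHEST. As an added example that is not part of the report, the Python below parses command lines in that form and flags targets that fit the pattern. The IMPERSONATED and NO_SUCH_BINARY name sets, the SYSTEM_DIRS list and the three benign lines marked constructed are this example's own assumptions; LIMITED is the run level schtasks applies when /rl is omitted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Windows process names that the dropped files impersonate (example's own list);
# genuine copies of these live under the directories in SYSTEM_DIRS.
IMPERSONATED = {
    "csrss.exe", "lsass.exe", "services.exe", "dllhost.exe", "dwm.exe",
    "spoolsv.exe", "audiodg.exe", "lsm.exe", "wmiprvse.exe", "sppsvc.exe",
}
# "System" and "Idle" are pseudo-processes shown by Task Manager; no such .exe exists.
NO_SUCH_BINARY = {"system.exe", "idle.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system32\wbem"}

OPTS = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    # /tr "'C:\path\file.exe'"  or  /tr "C:\path\file.exe"
    "target": re.compile(r"/tr\s+\"'?([^\"']+)'?\"", re.I),
    "runlevel": re.compile(r"/rl\s+(\w+)", re.I),
}


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    runlevel: str
    force: bool


def _opt(key, cmdline):
    m = OPTS[key].search(cmdline)
    return m.group(1) if m else None


def parse_schtasks(cmdline):
    """Parse one 'schtasks.exe /create ...' command line; None if it is not a creation."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    name, sched, target = _opt("name", cmdline), _opt("schedule", cmdline), _opt("target", cmdline)
    if not (name and sched and target):
        return None
    mod = _opt("modifier", cmdline)
    return Task(
        name=name,
        schedule=sched.upper(),
        modifier=int(mod) if mod else None,
        target=target,
        runlevel=(_opt("runlevel", cmdline) or "LIMITED").upper(),
        force=bool(re.search(r"\s/f\b", cmdline, re.I)),
    )


def masquerade_reason(target):
    """Why this task target looks like a masquerading binary, or None."""
    p = PureWindowsPath(target)
    base, parent = p.name.lower(), str(p.parent).lower()
    if base in NO_SUCH_BINARY:
        return f"{p.name} is not a real Windows executable"
    if base in IMPERSONATED and parent not in SYSTEM_DIRS:
        return f"{p.name} outside its system directory ({p.parent})"
    return None


def analyze(cmdlines):
    """Group creations by target and flag the pattern seen in this report: a
    masquerading target with both an ONLOGON task and a MINUTE-interval task,
    at least one of them at run level HIGHEST."""
    by_target = defaultdict(list)
    for line in cmdlines:
        t = parse_schtasks(line)
        if t:
            by_target[t.target].append(t)
    findings = []
    for target, tasks in by_target.items():
        reason = masquerade_reason(target)
        scheds = {t.schedule for t in tasks}
        highest = any(t.runlevel == "HIGHEST" for t in tasks)
        if reason and {"ONLOGON", "MINUTE"} <= scheds and highest:
            findings.append({
                "target": target,
                "reason": reason,
                "tasks": sorted(t.name for t in tasks),
                "intervals": sorted(t.modifier for t in tasks if t.modifier),
            })
    return findings


SAMPLE_CMDLINES = [
    # two of the task triads from the Processes list in this report
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f''',
    # constructed benign lines: an ordinary admin task, a system-named binary in its
    # real directory, and a non-creation invocation
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /rl HIGHEST''',
    r'''schtasks.exe /create /tn "Health" /sc ONLOGON /tr "C:\Windows\System32\dllhost.exe" /rl HIGHEST /f''',
    r'''schtasks.exe /query /tn "Health"''',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_CMDLINES):
        print(finding)
```

Run against the sample lines, only the System.exe and dwm.exe targets are reported; the constructed backup task and the dllhost.exe task pointing into System32 are not. On a live host the same logic applies to the /tr values of existing tasks, and the task names are weak indicators compared with the target paths, since the sample reuses names such as "csrss" for four different files.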

Processes

C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe

"C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "3a7eb05a575ea6c0ebd97a42d6a77e663" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\3a7eb05a575ea6c0ebd97a42d6a77e66.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "3a7eb05a575ea6c0ebd97a42d6a77e66" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\3a7eb05a575ea6c0ebd97a42d6a77e66.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "3a7eb05a575ea6c0ebd97a42d6a77e663" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\3a7eb05a575ea6c0ebd97a42d6a77e66.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\ELS\Transliteration\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\Transliteration\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\ELS\Transliteration\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkedXQt8Zz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Start Menu\dllhost.exe

"C:\Users\Default\Start Menu\dllhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b929aa3-ca7e-46d0-bbac-729c0accfe4c.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac4c8c9-ba31-49c4-8448-668015cb4ea5.vbs"

C:\Users\Default\Start Menu\dllhost.exe

"C:\Users\Default\Start Menu\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a1007516.xsph.ru udp
RU 141.8.192.103:80 a1007516.xsph.ru tcp

Files

memory/2368-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

memory/2368-1-0x00000000009F0000-0x0000000000C70000-memory.dmp

memory/2368-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

memory/2368-3-0x0000000000350000-0x0000000000358000-memory.dmp

memory/2368-4-0x00000000003E0000-0x00000000003FC000-memory.dmp

memory/2368-6-0x0000000000410000-0x000000000041A000-memory.dmp

memory/2368-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2368-7-0x0000000000970000-0x00000000009C6000-memory.dmp

memory/2368-8-0x0000000000420000-0x000000000042C000-memory.dmp

memory/2368-9-0x0000000000520000-0x0000000000528000-memory.dmp

memory/2368-10-0x0000000000530000-0x000000000053C000-memory.dmp

memory/2368-11-0x00000000009C0000-0x00000000009C8000-memory.dmp

memory/2368-12-0x00000000009D0000-0x00000000009DC000-memory.dmp

memory/2368-13-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/2368-14-0x0000000002170000-0x0000000002178000-memory.dmp

memory/2368-15-0x0000000002180000-0x000000000218C000-memory.dmp

memory/2368-16-0x0000000002190000-0x000000000219A000-memory.dmp

memory/2368-17-0x00000000021A0000-0x00000000021AE000-memory.dmp

memory/2368-18-0x00000000022B0000-0x00000000022B8000-memory.dmp

memory/2368-19-0x00000000022C0000-0x00000000022C8000-memory.dmp

memory/2368-21-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

memory/2368-20-0x00000000022D0000-0x00000000022DC000-memory.dmp

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe

MD5 3a7eb05a575ea6c0ebd97a42d6a77e66
SHA1 71e362bd1e833c7192c0f93d219f9727f1c98297
SHA256 25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c
SHA512 0e4e9cc7d86949b349722e3e41d6e1686f8f55d44e98f93ff5f42f05a798c8300be75ff19ea0c369800c2cbc0fb4190a7138cbac5250ea812b11d185100403f6

memory/2368-64-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pkedXQt8Zz.bat

MD5 62bdb0888ce72121efa720d275652059
SHA1 731bf38799839951333aac0f701fadb3b11bf4f3
SHA256 e644aecbd868cff834d8d96bf302f2107a77381024a5677b5b762097d7f4f326
SHA512 ddc61b7c1c92f9d2a3f80552ed48e6a8478a585d2c9343468509ba35ebee60af2ce181796d2a2abf1a44277ae5d0d2154b6e534f75660ee60608f3278a9aa433

memory/2788-68-0x0000000000060000-0x00000000002E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7b929aa3-ca7e-46d0-bbac-729c0accfe4c.vbs

MD5 f5498868d27599bbb7ecd41fdd9e4757
SHA1 9df73cb7fba2eb02fe6d2618008ea6d67bb1ec4c
SHA256 74a9f87e9be97858348424f3b5ad57ff2a911b0819a06bb5ad8ee48cd728f5b1
SHA512 60711d032ad81569735ab36898fb457ca14884e448d954ab23045e9e0461403c6a4c44cc0e3a05a64637726785af0051f4e44341bffa4a8b2056d5c6141f95ff

C:\Users\Admin\AppData\Local\Temp\4ac4c8c9-ba31-49c4-8448-668015cb4ea5.vbs

MD5 f087d35c522c52601583d36baf9d422a
SHA1 aa13c1ab16223c61fd33bbe1e84fe28c52b83c51
SHA256 e0962a40eea50c9dcbf2a09d2369b264532ed06c71dfe2486bbc6bee7cd8c1e2
SHA512 e93feb917234a7cd5289d8303ae86e0903b6a5a08a8fb1a18acaa0719157eb7da6e2c711e053914e968455050b18eba2e8b8b500cec8399e77d10f681d2f0873

memory/2432-79-0x0000000001040000-0x00000000012C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 13:01

Reported

2024-07-22 13:03

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Windows NT\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Adobe\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Microsoft Office\Office16\winlogon.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Uninstall Information\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Windows NT\csrss.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Adobe\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Microsoft Office\Office16\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Portable Devices\Idle.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Windows Portable Devices\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Program Files\Uninstall Information\sysmon.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Prefetch\ReadyBoot\sysmon.exe C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
File created C:\Windows\Prefetch\ReadyBoot\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe

"C:\Users\Admin\AppData\Local\Temp\3a7eb05a575ea6c0ebd97a42d6a77e66.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f

C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe

"C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00c8b267-5832-4e35-8bf1-0787c5b4d6ea.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36e040ab-fbe7-4e52-a301-4a7490819e7f.vbs"

C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe

"C:\Program Files (x86)\WindowsPowerShell\SppExtComObj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 a1007516.xsph.ru udp
RU 141.8.192.103:80 a1007516.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Program Files (x86)\Windows NT\csrss.exe


C:\Users\Admin\AppData\Local\Temp\00c8b267-5832-4e35-8bf1-0787c5b4d6ea.vbs


C:\Users\Admin\AppData\Local\Temp\36e040ab-fbe7-4e52-a301-4a7490819e7f.vbs


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log
