Malware Analysis Report

2025-08-10 11:55

Sample ID: 241230-c86r9avrbw
Target: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe
SHA256: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
Tags: rat dcrat evasion infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67

Threat Level: Known bad

The file cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe was found to be: Known bad.

Malicious Activity Summary

Tags: rat dcrat evasion infostealer trojan

DcRat
Dcrat family
DCRat payload
UAC bypass
Process spawned unexpected child process
Executes dropped EXE
Checks computer location settings
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of AdjustPrivilegeToken
System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-30 02:45

Signatures

DCRat payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-30 02:45
Reported: 2024-12-30 02:48
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
(identical row repeated 42 times in the report)

UAC bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A

DCRat payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(identical row repeated 7 times in the report)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXCFF8.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXCDF3.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\Google\b75386f1303e64 | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\en-US\f4995097cd8868 | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCXD066.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\7-Zip\Lang\24dbde2999530e | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\42af1c969fbb7b | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXC778.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\ja-JP\RCXC97D.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\RCXC574.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\ja-JP\RCXC97E.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\Windows Defender\ja-JP\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\RCXC573.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\ja-JP\services.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXCDF4.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Google\RCXD26A.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Google\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\7-Zip\Lang\WmiPrvSE.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\Google\taskhost.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\101b941d020240 | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\RCXC779.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File opened for modification | C:\Program Files\Google\RCXD26B.tmp | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
File created | C:\Program Files\Windows Defender\ja-JP\services.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\winsxs\amd64_wiabr006.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_63f68d8597f9d5c4\lsm.exe | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(identical row repeated 42 times in the report)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
(identical row repeated 51 times in the report)
N/A | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A
(identical row repeated 13 times in the report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A

System policy modification

evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe

"C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sppsvc.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe

"C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe"
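The schtasks.exe lines above follow one fixed template per dropped binary: an interval task without a run level, an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST; the ONLOGON task is named after the binary and the interval tasks after the binary plus its own first letter (csrss / csrssc, sppsvc / sppsvcs), and every target is a Windows or Office binary name placed somewhere that binary never lives. The parser below turns such command lines into fields and scores them on exactly those traits. It is an added example, not part of the sandbox report or of DCRat; the mimicked-name list is the set of names that appear in this report, the "expected directory" set is a deliberate simplification, and the NightlyBackup line is a constructed benign task for contrast.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: four lines copied from the Processes section of this report
# (one binary's full triplet plus one interval task for a second binary) and one
# made-up benign task so that the scoring has something it should not flag.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Tools\backup.exe" /f''',
]

# One regex per schtasks switch; /tr is matched with the optional inner single
# quotes that this sample wraps around paths containing spaces.
FLAG_RE = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r'/sc\s+(\S+)', re.I),
    "mo": re.compile(r'/mo\s+(\d+)', re.I),
    "tr": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "rl": re.compile(r'/rl\s+(\S+)', re.I),
}

# Binary names this sample borrows (all taken from this report) and the only
# directories where such a name is expected. Assumption: a simplified allow-list;
# a production rule would carry the real per-binary locations.
MIMICKED_NAMES = {
    "csrss.exe", "taskhost.exe", "sppsvc.exe", "spoolsv.exe", "osppsvc.exe",
    "lsm.exe", "audiodg.exe", "services.exe", "fontdrvhost.exe", "explorer.exe",
    "unsecapp.exe", "sppextcomobj.exe", "upfc.exe", "sysmon.exe",
}
EXPECTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_schtasks_create(cmdline):
    """Extract the fields of one 'schtasks /create' command line; None for anything else."""
    if not re.search(r'\bschtasks(?:\.exe)?\s+/create\b', cmdline, re.I):
        return None
    fields = {}
    for key, rx in FLAG_RE.items():
        m = rx.search(cmdline)
        fields[key] = m.group(1) if m else None
    fields["mo"] = int(fields["mo"]) if fields["mo"] else None
    fields["force"] = re.search(r'\s/f(?:\s|$)', cmdline, re.I) is not None
    return fields


def mimics_system_binary(target):
    """True when the file name is a known system binary but the directory is not one it lives in."""
    p = PureWindowsPath(target)
    return p.name.lower() in MIMICKED_NAMES and str(p.parent).lower() not in EXPECTED_DIRS


def dcrat_task_name(task_name, target):
    """DCRat names the logon task after the binary stem and the interval tasks
    after the stem plus its first character (csrss -> csrssc)."""
    stem = PureWindowsPath(target).stem
    if not stem:
        return False
    return task_name.lower() in (stem.lower(), (stem + stem[0]).lower())


def analyze(cmdlines):
    """Group the /create calls per target binary and list the persistence traits seen."""
    by_target = defaultdict(list)
    for line in cmdlines:
        fields = parse_schtasks_create(line)
        if fields and fields["tn"] and fields["tr"]:
            by_target[fields["tr"]].append(fields)

    report = {}
    for target, tasks in by_target.items():
        findings = []
        if any((t["sc"] or "").upper() == "ONLOGON" and (t["rl"] or "").upper() == "HIGHEST" for t in tasks):
            findings.append("ONLOGON task with /rl HIGHEST")
        if any((t["sc"] or "").upper() == "MINUTE" for t in tasks):
            findings.append("MINUTE-interval relaunch task")
        if all(dcrat_task_name(t["tn"], target) for t in tasks):
            findings.append("DCRat task-name pattern")
        if mimics_system_binary(target):
            findings.append("system binary name outside its expected directory")
        report[target] = findings
    return report


if __name__ == "__main__":
    for target, findings in analyze(SAMPLE_CMDLINES).items():
        print(f"{target}: {findings or 'nothing suspicious'}")
```

Run against the full Processes listing of either detonation, every target in this report collects all four findings; the ONLOGON plus /rl HIGHEST pair alone is a useful hunting filter on scheduled-task creation events, because it requests the task run with the highest available token at every logon.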

Network

Country Destination Domain Proto
US 8.8.8.8:53 cr39969.tw1.ru udp
RU 185.114.245.123:80 cr39969.tw1.ru tcp
RU 185.114.245.123:80 cr39969.tw1.ru tcp

Files

memory/2520-0-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp

memory/2520-1-0x0000000000F60000-0x000000000122A000-memory.dmp

memory/2520-2-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

memory/2520-3-0x00000000003D0000-0x00000000003DE000-memory.dmp

memory/2520-4-0x0000000000A20000-0x0000000000A3C000-memory.dmp

memory/2520-5-0x00000000003E0000-0x00000000003E8000-memory.dmp

memory/2520-6-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2520-8-0x0000000000A60000-0x0000000000A68000-memory.dmp

memory/2520-7-0x0000000000A40000-0x0000000000A56000-memory.dmp

memory/2520-9-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

memory/2520-10-0x0000000000B00000-0x0000000000B56000-memory.dmp

memory/2520-11-0x0000000000B50000-0x0000000000B58000-memory.dmp

memory/2520-12-0x0000000000B60000-0x0000000000B72000-memory.dmp

memory/2520-13-0x0000000000F20000-0x0000000000F28000-memory.dmp

memory/2520-14-0x0000000000F30000-0x0000000000F3C000-memory.dmp

memory/2520-15-0x0000000000F40000-0x0000000000F48000-memory.dmp

memory/2520-16-0x0000000000F50000-0x0000000000F5C000-memory.dmp

memory/2520-17-0x000000001AD60000-0x000000001AD6E000-memory.dmp

memory/2520-19-0x000000001AD80000-0x000000001AD8C000-memory.dmp

memory/2520-18-0x000000001AD70000-0x000000001AD7E000-memory.dmp

memory/2520-20-0x000000001AD90000-0x000000001AD9C000-memory.dmp

memory/2520-21-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsm.exe

MD5 2397e7230770a20dd685f8903b0e7759
SHA1 bc280c16c4f89338df7c3745d0821432443d565c
SHA256 cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
SHA512 97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\audiodg.exe

MD5 0d7069a748e26776c124602ea98c2d64
SHA1 422eedfee5e7918363947aa9a219d78859d36685
SHA256 71a4cd77b80a4cb67a67ac8a5431b9a1cac939f5be9c41362ed44607df43bd1f
SHA512 3c8c9d328616e0c3e0576d175d3a44ff1b4e2a44bc0708deda232b3291c24bb1add0ce685a8652bcce2050c7993ecd7aa8d1b018cf9f5c0fbb08fccc863ed0f0

C:\Users\Default\sppsvc.exe

MD5 be45c9bfb41a60772e95105e3f00cfde
SHA1 2a65e4febe0863070c56e69c0ce75d8806c15a60
SHA256 98f667db4918fd77c14520609436555b19c14afcd28e61abcd15257a8d310ac4
SHA512 bccf38abac0135152d02d051a95996cf9a74f4370802f315817c724e6f9cd81a89cf3775a86fa3dfe215b024f35897d7697ff77fe0490b01f07facfeb8516b25

memory/2520-147-0x000007FEF59D3000-0x000007FEF59D4000-memory.dmp

memory/2520-172-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

memory/2520-197-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

C:\Users\Default\csrss.exe

MD5 1a4d5652bfbc907dde444f5755637a72
SHA1 535a7dc6e5f5c06e9f7f623f11132755ca05a925
SHA256 99b23402f8bd95601e1bdde5683c5e904115258a6bad84cd96bac54aa62a0668
SHA512 aec6a064d4882b9eb34a0532a124ba50fea16af752bf6e16af40eff3bd3125a488fe23d18396a057d13867a53437ae56bb8ee6e8784540b99ef33ede87e9a2ba

C:\Users\Public\Pictures\RCXE28F.tmp

MD5 f66e86fa8dc954088f3e2a8836c65b07
SHA1 415a7e186a5d52238d18b3920be728137f295982
SHA256 f7094d6aa726adfaf925828ce8f4440d86d9bf5356fdc1ded11048d3bb2b7aa4
SHA512 d47b02814d0220f2282ffa986b35659b216299a899fafd1ce52d8b589b3e392e3c0d5508b7ca4ce4bfb897736f4b8559398410dc683c767af9b86fb1ab5caced

memory/872-229-0x0000000000DB0000-0x000000000107A000-memory.dmp

memory/2520-228-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

memory/872-230-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-30 02:45

Reported

2024-12-30 02:48

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Mail\RCXE03E.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\RCXE564.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\sysmon.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files (x86)\Common Files\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\RCXCF87.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD19C.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXDE3A.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\RCXE0BC.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\RCXE563.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\29c1c3cc0f7685 C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files (x86)\Common Files\sysmon.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\RCXD19D.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Program Files (x86)\Windows Mail\f4995097cd8868 C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\RCXCF88.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXDDBC.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PrintDialog\RCXD3E0.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Windows\PrintDialog\RCXD3E1.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Windows\PrintDialog\services.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXD683.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Windows\PrintDialog\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXD682.tmp C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Windows\PrintDialog\services.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
N/A N/A C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe N/A
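The UAC bypass, Checks whether UAC is enabled and System policy modification tables above are three views of the same registry activity: the dropper and the fontdrvhost.exe implant read EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and then write EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0. Two caveats matter when reading them. Writing under that Policies key already requires an elevated token, so this is UAC being switched off for future launches rather than UAC being bypassed to gain elevation; and EnableLUA=0 only takes effect at the next logon, whereas ConsentPromptBehaviorAdmin=0 (elevate without prompting) and PromptOnSecureDesktop=0 apply immediately. The code below parses rows in the tables' format, keeps only writes to those three values, and reports per process what was weakened and whether the value was probed before it was overwritten. It is an added example, not part of the report or of DCRat; the rows are reproduced from the tables above except the svchost.exe row, which is constructed to show a write that is not a weakening.

```python
import re
from collections import defaultdict

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values that weaken UAC. EnableLUA=0 turns UAC off at the next logon;
# ConsentPromptBehaviorAdmin=0 lets administrators elevate with no prompt at all;
# PromptOnSecureDesktop=0 moves whatever prompt remains off the secure desktop.
WEAK_VALUES = {
    "EnableLUA": {0},
    "ConsentPromptBehaviorAdmin": {0},
    "PromptOnSecureDesktop": {0},
}

# Row layouts used by the signature tables: "Set value (type) <key>\<name> = "<value>" <process> N/A"
# and "Key value queried <key>\<name> <process> N/A". The key path has no spaces; the
# process path may, so it is matched lazily up to the trailing "N/A".
SET_RE = re.compile(r'^Set value \((\w+)\) (\S+)\\([^\\\s]+) = "([^"]*)" (.+?) N/A$')
QUERY_RE = re.compile(r'^Key value queried (\S+)\\([^\\\s]+) (.+?) N/A$')

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"
IMPLANT = r"C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe"

# Rows from the tables above, in observed order, plus one constructed benign write.
SAMPLE_ROWS = [
    rf'Key value queried {UAC_POLICY_KEY}\EnableLUA {IMPLANT} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\ConsentPromptBehaviorAdmin = "0" {IMPLANT} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\PromptOnSecureDesktop = "0" {IMPLANT} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "0" {IMPLANT} N/A',
    rf'Key value queried {UAC_POLICY_KEY}\EnableLUA {DROPPER} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "0" {DROPPER} N/A',
    rf'Set value (int) {UAC_POLICY_KEY}\EnableLUA = "1" C:\Windows\System32\svchost.exe N/A',
]


def parse_row(row):
    """Turn one signature-table row into an event dict, or None for rows of other shapes."""
    m = SET_RE.match(row)
    if m:
        vtype, key, name, raw, proc = m.groups()
        value = int(raw) if vtype == "int" and raw.lstrip("-").isdigit() else raw
        return {"op": "set", "key": key, "name": name, "value": value, "process": proc}
    m = QUERY_RE.match(row)
    if m:
        key, name, proc = m.groups()
        return {"op": "query", "key": key, "name": name, "value": None, "process": proc}
    return None


def assess(rows):
    """Per process: which UAC values it weakened, and which it read before writing."""
    per_proc = defaultdict(lambda: {"probed": set(), "weakened": {}, "probe_then_write": set()})
    for row in rows:
        ev = parse_row(row)
        if not ev or ev["key"].lower() != UAC_POLICY_KEY.lower() or ev["name"] not in WEAK_VALUES:
            continue
        slot = per_proc[ev["process"]]
        if ev["op"] == "query":
            slot["probed"].add(ev["name"])
        elif ev["op"] == "set" and ev["value"] in WEAK_VALUES[ev["name"]]:
            slot["weakened"][ev["name"]] = ev["value"]
            if ev["name"] in slot["probed"]:
                slot["probe_then_write"].add(ev["name"])
    for slot in per_proc.values():
        slot["uac_disabled"] = slot["weakened"].get("EnableLUA") == 0          # effective at next logon
        slot["silent_elevation"] = slot["weakened"].get("ConsentPromptBehaviorAdmin") == 0  # effective now
    return dict(per_proc)


if __name__ == "__main__":
    for proc, slot in assess(SAMPLE_ROWS).items():
        print(proc)
        print("  weakened:", slot["weakened"], "probed first:", sorted(slot["probe_then_write"]))
        print("  UAC disabled:", slot["uac_disabled"], "silent elevation:", slot["silent_elevation"])
```

Because these three values are policy settings, the same write pattern from a legitimate management agent looks identical at the registry layer; the discriminator is the writing process, which here is a binary named fontdrvhost.exe running out of a Mozilla updates folder under C:\Users\All Users.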

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe

"C:\Users\Admin\AppData\Local\Temp\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PrintDialog\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67c" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ryfxXmZBx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe

"C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe"
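The schtasks /create calls above follow one pattern per dropped binary: a MINUTE task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, all pointing at the same copy of the RAT. Every copy borrows the file name of a legitimate Windows or Sysinternals binary (services.exe, fontdrvhost.exe, upfc.exe, SppExtComObj.exe, sysmon.exe) but lives outside C:\Windows\System32, and the MINUTE task names are the file name plus one letter ("upfcu", "sysmons", "fontdrvhostf") while the ONLOGON task uses the bare name. The cmd.exe launch of 2ryfxXmZBx.bat followed by w32tm /stripchart /computer:localhost /period:5 /samples:2 is the usual batch-file delay (w32tm blocks for the sampling period, roughly five seconds); the .bat's contents are not on the page, so the script below does not depend on it. The script is an added triage example, not part of the sandbox report: it parses command lines like the ones listed and scores them. MIMICKED_NAMES, EXPECTED_DIRS, MAX_MINUTES and the benign "AcmeBackup" control line are this example's own assumptions; the four DCRat command lines are copied from the report.

```python
"""Triage helper for schtasks-based persistence (added example, not part of
the sandbox report).  Parses ``schtasks /create`` command lines and flags
three things the dropper above does: reuse a Windows binary name outside the
system directories, register the task with /rl HIGHEST on a short MINUTE
interval, and register the same target under several task names."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Four command lines copied verbatim from the report, plus one constructed
# benign task (hypothetical vendor path) to show the rules staying quiet.
SAMPLE_CMDS = [
    r"""schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f""",
    r"""schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\sysmon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f""",
]

# Names of legitimate binaries that this sample's dropped copies borrow
# (taken from the task targets in the report); assumption for this example.
MIMICKED_NAMES = {"services.exe", "fontdrvhost.exe", "upfc.exe",
                  "sppextcomobj.exe", "sysmon.exe"}
# Directories where those names legitimately live (assumption).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
MAX_MINUTES = 15  # re-launch intervals at or below this count as a watchdog

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks(cmd):
    """Return {option: value} for a schtasks command line; options that take
    no value (/create, /f) map to True.  The /tr path is unwrapped from the
    single quotes the dropper places inside the double quotes."""
    toks = [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmd)]
    opts, i = {}, 1                       # toks[0] is the image name
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    if isinstance(opts.get("tr"), str):
        opts["tr"] = opts["tr"].strip("'")
    return opts


def assess(cmd):
    """Findings for one command line (empty list means nothing notable)."""
    o = parse_schtasks(cmd)
    if "create" not in o or not isinstance(o.get("tr"), str):
        return []
    target = PureWindowsPath(o["tr"])
    findings = []
    if target.name.lower() in MIMICKED_NAMES and str(target.parent).lower() not in EXPECTED_DIRS:
        findings.append(f"masquerading: {target.name} outside system dirs ({target.parent})")
    if str(o.get("rl", "")).upper() == "HIGHEST":
        findings.append("elevated task (/rl HIGHEST)")
    mo = o.get("mo", "1")
    if str(o.get("sc", "")).upper() == "MINUTE" and str(mo).isdigit() and int(mo) <= MAX_MINUTES:
        findings.append(f"re-launched every {mo} minute(s)")
    return findings


def summarize(cmds):
    """Merge findings per target path and add the multi-task-name finding."""
    by_target = defaultdict(lambda: {"tasks": set(), "findings": set()})
    for cmd in cmds:
        o = parse_schtasks(cmd)
        if not isinstance(o.get("tr"), str):
            continue
        entry = by_target[o["tr"]]
        entry["tasks"].add(o.get("tn"))
        entry["findings"].update(assess(cmd))
    for entry in by_target.values():
        if len(entry["tasks"]) > 1:
            entry["findings"].add(f"same target under {len(entry['tasks'])} task names")
    return dict(by_target)


def suspicious_targets(cmds, min_findings=2):
    """Targets with at least min_findings distinct findings, sorted."""
    return sorted(t for t, e in summarize(cmds).items() if len(e["findings"]) >= min_findings)


if __name__ == "__main__":
    for target, entry in summarize(SAMPLE_CMDS).items():
        print(target, sorted(t for t in entry["tasks"] if t))
        for f in sorted(entry["findings"]):
            print("   -", f)
```

Feed it the schtasks command lines from Sysmon event 1 or Security event 4688 (the whole report list, not just the four copied here) and the upfc.exe target collects all four findings while the control task collects none; a single ONLOGON /rl HIGHEST task still scores on masquerading plus elevation, which is why the check keys on the target path rather than on any one task.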

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53            20.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53            104.219.191.52.in-addr.arpa   udp
US       8.8.8.8:53            cr39969.tw1.ru                udp
RU       185.114.245.123:80    cr39969.tw1.ru                tcp
US       8.8.8.8:53            197.87.175.4.in-addr.arpa     udp
US       8.8.8.8:53            180.129.81.91.in-addr.arpa    udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa     udp
RU       185.114.245.123:80    cr39969.tw1.ru                tcp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53            29.243.111.52.in-addr.arpa    udp

Files

memory/3660-0-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

memory/3660-1-0x00000000007F0000-0x0000000000ABA000-memory.dmp

memory/3660-2-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

memory/3660-3-0x0000000002BC0000-0x0000000002BCE000-memory.dmp

memory/3660-4-0x0000000002CF0000-0x0000000002D0C000-memory.dmp

memory/3660-5-0x0000000002D60000-0x0000000002DB0000-memory.dmp

memory/3660-9-0x0000000002D40000-0x0000000002D48000-memory.dmp

memory/3660-8-0x0000000002D20000-0x0000000002D36000-memory.dmp

memory/3660-7-0x0000000002D10000-0x0000000002D20000-memory.dmp

memory/3660-6-0x0000000002BD0000-0x0000000002BD8000-memory.dmp

memory/3660-10-0x0000000002D50000-0x0000000002D5A000-memory.dmp

memory/3660-11-0x000000001B7A0000-0x000000001B7F6000-memory.dmp

memory/3660-12-0x0000000002DB0000-0x0000000002DB8000-memory.dmp

memory/3660-13-0x000000001B800000-0x000000001B812000-memory.dmp

memory/3660-14-0x000000001C3C0000-0x000000001C8E8000-memory.dmp

memory/3660-16-0x000000001B840000-0x000000001B84C000-memory.dmp

memory/3660-15-0x000000001B830000-0x000000001B838000-memory.dmp

memory/3660-17-0x000000001C0D0000-0x000000001C0D8000-memory.dmp

memory/3660-20-0x000000001B870000-0x000000001B87E000-memory.dmp

memory/3660-23-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

memory/3660-22-0x000000001C0F0000-0x000000001C0FC000-memory.dmp

memory/3660-21-0x000000001C0E0000-0x000000001C0EC000-memory.dmp

memory/3660-18-0x000000001B850000-0x000000001B85C000-memory.dmp

memory/3660-19-0x000000001B860000-0x000000001B86E000-memory.dmp

memory/3660-26-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

C:\Recovery\WindowsRE\upfc.exe

MD5 2397e7230770a20dd685f8903b0e7759
SHA1 bc280c16c4f89338df7c3745d0821432443d565c
SHA256 cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
SHA512 97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa

C:\Recovery\WindowsRE\upfc.exe

MD5 bd706a261eee6ace2d2aa0a35f1a3659
SHA1 7090bf7dd97c0ef87cf6da75f14764599a08a31e
SHA256 a2d56fe9e690c760fc7328bf380699a74230e55f53fb5bdd65119ff44a7c7fa7
SHA512 ed19653b2bf438bc3b630219281bf8afcb09ed49a359a20d79ddc3c2733093bc46dcf9c83d14cd35bdb93ed292084c042cce89a0341fd6f1166e00877b431a63

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe

MD5 55b44b2aa67aeb5c1978020fe0525ab0
SHA1 fd4586c4a198ad77659790bdbe7f5af6bf4631e1
SHA256 99d7df56a6722c0b7d43179542b6ab93ba49ceb7876b3ab638dc7810b160f405
SHA512 d616e1e297310fce9d8322b73d1834144ddcb82ed26efd5d964baa95e7aab7f964ccdec72cbec0a9c43362a5bcb138fd3c491da94111c1d0f4ffa708ac7c8fec

C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe

MD5 0c9d53abcd0b101509cbaac22edddbf4
SHA1 aca4f5ee718a56092414d88ec481688809128827
SHA256 51ec9e2169306feae98fae7613b7577f51d5e8aa3c7ea8fe2339005b9d580f79
SHA512 f6faf6656a3c6a46249cc41178981ee84896b6f3f3c0f9d5d18275b2593cf0542958e203a4c5162601afe53ab45302e4efd7c876d9ef573037a553367c73bb0c

C:\Program Files (x86)\Windows Mail\cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67.exe

MD5 ca7f5fd10bd8e691232ef4247b74a1dc
SHA1 ac0c89b983f196fd87079122ee3e369014f06b2b
SHA256 1134ca885e92277be87acc2de25a6e5ec727f6f5b776639135576d3a8b3932f2
SHA512 da86c080a3ee5e0f9b43751f166278700cf4be017df8ea232cd4f8149192ac6c00cb4ac22e5dfb8ed13c074a93f47daae232d89b30b7d8be4bd7f848ca63f22d

C:\Recovery\WindowsRE\fontdrvhost.exe

MD5 3862b35134c9578137946e8c8f6f2558
SHA1 fa0a99694accf014b4bd241e07c915e0f8051bd6
SHA256 f781efcb9fb79269c8015fb1e0738d135c3f724b331c8a3eaee750171c1393c2
SHA512 5c1be4e42b4e8107f639d1089d1608738fb1123e07d2176f25db23a6d8f7ff811361c6df118e662bcd6344c52091d71a30b5ba1fa9a1b2484862dd04ae3d630d

memory/3660-152-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

memory/3660-170-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

memory/3660-172-0x00007FF80F380000-0x00007FF80FE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ryfxXmZBx.bat

MD5 748c7f6dbdc2dcdb68744c341b7c126d
SHA1 53b8e066babcec9224cc0adb46bfe4fdef9527dc
SHA256 03223c537c10b5ba3ac4487240494aa481346fc7c9d1fb55e1e8581938e28d9f
SHA512 750f424de3b29bcfc0cb0ed056fbff737ec1035456fedaa6f27ed8f31865cdae2013de50c20f4aeaedf09f67ee89e6c994da0b01536e3d79be39955c5ae0558f

memory/3672-177-0x00000000001B0000-0x000000000047A000-memory.dmp

memory/3672-178-0x000000001B7A0000-0x000000001B7F6000-memory.dmp
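Two details in the Files list above are easy to miss. C:\Recovery\WindowsRE\upfc.exe is recorded twice: the first record's SHA256 is the submitted sample's own hash (the RAT copying itself under a borrowed name), the second record has a different hash, so the path was overwritten later in the run. The fontdrvhost.exe copy is listed here under C:\ProgramData\... but launched in the process list as C:\Users\All Users\...; on Windows Vista and later C:\Users\All Users is a junction to C:\ProgramData, so both names are the same file. The parser below is an added example, not part of the sandbox report: it reads this section's record layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory-dump entries), folds the junction, and reports self-copies and overwritten paths. FILES_SECTION is an excerpt copied verbatim from the list above; the helper names are this example's own.

```python
"""Parser for the Files section of the sandbox report (added example, not
part of the report).  Records are a path line, a blank line, then
MD5/SHA1/SHA256/SHA512 lines; memory-dump entries are single lines."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67"

# Excerpt of the Files section, copied verbatim: two upfc.exe records,
# one fontdrvhost.exe record and two memory-dump entries.
FILES_SECTION = r"""
memory/3660-0-0x00007FF80F383000-0x00007FF80F385000-memory.dmp

C:\Recovery\WindowsRE\upfc.exe

MD5 2397e7230770a20dd685f8903b0e7759
SHA1 bc280c16c4f89338df7c3745d0821432443d565c
SHA256 cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
SHA512 97923122007bae611db6deb97e25a83f3636bec7c4d4d60aea2638edbeeaf85cef4c7c8755a442fd6525940154ec0d92258a65acdc065d75e1729b602510d7aa

C:\Recovery\WindowsRE\upfc.exe

MD5 bd706a261eee6ace2d2aa0a35f1a3659
SHA1 7090bf7dd97c0ef87cf6da75f14764599a08a31e
SHA256 a2d56fe9e690c760fc7328bf380699a74230e55f53fb5bdd65119ff44a7c7fa7
SHA512 ed19653b2bf438bc3b630219281bf8afcb09ed49a359a20d79ddc3c2733093bc46dcf9c83d14cd35bdb93ed292084c042cce89a0341fd6f1166e00877b431a63

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\fontdrvhost.exe

MD5 55b44b2aa67aeb5c1978020fe0525ab0
SHA1 fd4586c4a198ad77659790bdbe7f5af6bf4631e1
SHA256 99d7df56a6722c0b7d43179542b6ab93ba49ceb7876b3ab638dc7810b160f405
SHA512 d616e1e297310fce9d8322b73d1834144ddcb82ed26efd5d964baa95e7aab7f964ccdec72cbec0a9c43362a5bcb138fd3c491da94111c1d0f4ffa708ac7c8fec

memory/3672-177-0x00000000001B0000-0x000000000047A000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")


def parse_files_section(text):
    """Return (dropped, memdumps).  dropped: list of {"path", "MD5", ...}
    dicts in report order; memdumps: list of (pid, seq, start, end) ints."""
    dropped, memdumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            memdumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        current = {"path": line}          # any other non-blank line starts a record
        dropped.append(current)
    return dropped, memdumps


def normalize_path(path):
    r"""Fold the C:\Users\All Users junction onto C:\ProgramData so a file
    written under one name and listed under the other is treated as one file."""
    prefix = "c:\\users\\all users"
    if path.lower().startswith(prefix):
        return "C:\\ProgramData" + path[len(prefix):]
    return path


def self_copies(dropped, sample_sha256):
    """Paths whose SHA256 equals the submitted sample: the RAT copying itself."""
    return [d["path"] for d in dropped if d.get("SHA256") == sample_sha256]


def rewritten_paths(dropped):
    """{path: [sha256, ...]} for paths that appear with more than one distinct
    SHA256, i.e. files overwritten during the run (hashes in report order)."""
    seen = defaultdict(list)
    for d in dropped:
        key = normalize_path(d["path"])
        if d.get("SHA256") and d["SHA256"] not in seen[key]:
            seen[key].append(d["SHA256"])
    return {p: h for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_SECTION)
    print("self-copies:", self_copies(files, SAMPLE_SHA256))
    print("rewritten:", rewritten_paths(files))
    print("memory dumps:", len(dumps))
```

Running it over the full Files list (not only the excerpt) gives the complete set of paths to sweep on an infected host; the second upfc.exe hash is the one to pivot on, since the first is simply the original sample.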