Malware Analysis Report

2025-08-11 06:15

Sample ID 231118-ad25gafg92
Target 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe
SHA256 3dd0a5685e10ef6d63758cafee7c651f8ae80a47664158976ace7b80c825a032
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3dd0a5685e10ef6d63758cafee7c651f8ae80a47664158976ace7b80c825a032

Threat Level: Known bad

The file 3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DCRat payload

Dcrat family

Process spawned unexpected child process

DcRat

DCRat payload

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-18 00:06

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-18 00:06

Reported

2023-11-18 00:09

Platform

win10v2004-20231023-en

Max time kernel

137s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the same entry is recorded 51 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(the same entry is recorded 10 times)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation C:\fontintosessionsvc\bridgeWebdll.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Windows Photo Viewer\9ff02be898d660 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\eddb19405b7ce1 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\services.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\e6c9b481da804f C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\fontdrvhost.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\sysmon.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Windows\OCR\en-us\conhost.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\5b884080fd4f94 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Windows\Fonts\csrss.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Windows\Fonts\886983d96e3d3e C:\fontintosessionsvc\bridgeWebdll.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(the same entry is recorded 51 times)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings C:\fontintosessionsvc\bridgeWebdll.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
(the same entry is recorded 15 times)
N/A N/A C:\Users\Default\conhost.exe N/A
(the same entry is recorded 29 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3740 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (recorded 3 times)
PID 3740 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe (recorded 3 times)
PID 1372 wrote to memory of 4600 N/A C:\Windows\system32\schtasks.exe C:\Windows\SysWOW64\WScript.exe (recorded 3 times)
PID 4600 wrote to memory of 2192 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (recorded 3 times)
PID 2192 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\fontintosessionsvc\bridgeWebdll.exe (recorded 2 times)
PID 3172 wrote to memory of 3856 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\Windows\System32\cmd.exe (recorded 2 times)
PID 3856 wrote to memory of 3440 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (recorded 2 times)
PID 3856 wrote to memory of 5080 N/A C:\Windows\System32\cmd.exe C:\Users\Default\conhost.exe (recorded 2 times)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe

"C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

"C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\fontintosessionsvc\AtbmE4.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat" "

C:\fontintosessionsvc\bridgeWebdll.exe

"C:\fontintosessionsvc\bridgeWebdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\fontintosessionsvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeWebdll" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeWebdllb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\bridgeWebdll.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pfPAM1z6vu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\conhost.exe

"C:\Users\Default\conhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
DE 5.254.105.122:7777 udp
US 8.8.8.8:53 122.105.254.5.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 400886cm.nyashnyash.top udp
US 188.114.97.0:80 400886cm.nyashnyash.top tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 169.255.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 8548cc870e74723070353d67d1df6cba
SHA1 1e51a150d92378cecb1c60ffb4715da8838d9fa4
SHA256 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
SHA512 c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

MD5 73809a6768903e090178f10eb46ff2c1
SHA1 8449c27be4b36b4066996b50b9b3d6078a4f736c
SHA256 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
SHA512 dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

memory/3740-14-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\fontintosessionsvc\AtbmE4.vbe

MD5 bfc4c3394520c5407a7a70e99743ca72
SHA1 e6e32f2b7807d33f03d6e35a4fc77f4dfbe85d17
SHA256 c37245170203c5ab6487bf1ec57aed0eba66da843a1ed5b87e3752b903381e6d
SHA512 2ca69c9e6056a44cb097c95c32c7a93bf2c007766bbf81bd46f9da861d831eddee2d977103bd61c7efabfb967b6f4eb833e5166a85f33acd07ee38afe322cca1

C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat

MD5 72fa4f55254901b819a5996d5eff7bcb
SHA1 950f1b3bf5a55a2d88fce41b03a3b5ab079d716d
SHA256 962a03b716b55d4758553f335d4028caaa453667d6181f899db95ab1fc9f71e0
SHA512 c4c090eb5f9584b88ce8a9052a8fe11c1bf9bce33bc7574347d0a161e551a374d7d41146a2b5e64242786e510fd73b3f6a194596d3ad6105b06c31965be32ce6

C:\fontintosessionsvc\bridgeWebdll.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

memory/3172-29-0x00000000001A0000-0x00000000002D2000-memory.dmp

memory/3172-30-0x00007FFA02A80000-0x00007FFA03541000-memory.dmp

memory/3172-31-0x000000001AE70000-0x000000001AE80000-memory.dmp

memory/3172-32-0x0000000002570000-0x000000000258C000-memory.dmp

memory/3172-33-0x000000001B5A0000-0x000000001B5F0000-memory.dmp

memory/3172-34-0x000000001AED0000-0x000000001AEE6000-memory.dmp

memory/3172-35-0x000000001AE60000-0x000000001AE6C000-memory.dmp

C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\pris\fontdrvhost.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

C:\Users\Admin\AppData\Local\Temp\pfPAM1z6vu.bat

MD5 ebab391a7c17fb232c6e950f72ede442
SHA1 a880a45ffb58477cd1291414fb31929a49b98e96
SHA256 73415633ab112333ba2aec293bdc9ddea610e21cc80ae96bcb71cd82fea1b932
SHA512 d0fda3299265f26a81ca5ec543b72842fa290ebaddb2813c2c55cc67a3c61a9833b3d994301de5b57babacff4750e3f144e4b189387e492a608c62706c94f88d

memory/3172-76-0x00007FFA02A80000-0x00007FFA03541000-memory.dmp

C:\Users\Default\conhost.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

C:\Users\Default\conhost.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

memory/5080-80-0x00007FFA029D0000-0x00007FFA03491000-memory.dmp

memory/5080-81-0x000000001BC90000-0x000000001BCA0000-memory.dmp

memory/5080-83-0x00007FFA029D0000-0x00007FFA03491000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-18 00:06

Reported

2023-11-18 00:09

Platform

win7-20231020-en

Max time kernel

117s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\14.0\Common C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\95489503ac1ec1 C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\f3b6ecef712a24 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\ebf1f9fa8afd6d C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\c5b4cb5e9653cc C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\3a6fe29a7ceee6 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\95489503ac1ec1 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\42af1c969fbb7b C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\schtasks.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Uninstall Information\explorer.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\services.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files\Uninstall Information\7a0fd90576e088 C:\fontintosessionsvc\bridgeWebdll.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\6cb0b6c459d5d3 C:\fontintosessionsvc\bridgeWebdll.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\v2.0.6\schtasks.exe C:\fontintosessionsvc\bridgeWebdll.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
Token: SeDebugPrivilege N/A C:\fontintosessionsvc\bridgeWebdll.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2520 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2520 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2520 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2520 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
PID 2520 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
PID 2520 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
PID 2520 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
PID 2520 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
PID 2520 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
PID 2520 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe
PID 2284 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2284 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2284 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2284 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2800 wrote to memory of 2980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\fontintosessionsvc\bridgeWebdll.exe
PID 2980 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\fontintosessionsvc\bridgeWebdll.exe
PID 2980 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\fontintosessionsvc\bridgeWebdll.exe
PID 2980 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\fontintosessionsvc\bridgeWebdll.exe
PID 2756 wrote to memory of 328 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\fontintosessionsvc\bridgeWebdll.exe
PID 2756 wrote to memory of 328 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\fontintosessionsvc\bridgeWebdll.exe
PID 2756 wrote to memory of 328 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\fontintosessionsvc\bridgeWebdll.exe
PID 328 wrote to memory of 364 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe
PID 328 wrote to memory of 364 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe
PID 328 wrote to memory of 364 N/A C:\fontintosessionsvc\bridgeWebdll.exe C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe

"C:\Users\Admin\AppData\Local\Temp\3DD0A5685E10EF6D63758CAFEE7C651F8AE80A4766415.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

"C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\fontintosessionsvc\AtbmE4.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat" "

C:\fontintosessionsvc\bridgeWebdll.exe

"C:\fontintosessionsvc\bridgeWebdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RakLaunchR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RakLaunch" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RakLaunchR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\RakLaunch.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\fontintosessionsvc\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\fontintosessionsvc\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\fontintosessionsvc\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\fontintosessionsvc\bridgeWebdll.exe

"C:\fontintosessionsvc\bridgeWebdll.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\schtasks.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\fontintosessionsvc\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\fontintosessionsvc\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\fontintosessionsvc\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\schtasks.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\schtasks.exe'" /rl HIGHEST /f

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe

"C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe"

Network

Country  Destination         Domain                   Proto
DE       5.254.105.122:7777  N/A                      udp
US       8.8.8.8:53          400886cm.nyashnyash.top  udp
US       188.114.96.0:80     400886cm.nyashnyash.top  tcp

Files

\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 8548cc870e74723070353d67d1df6cba
SHA1 1e51a150d92378cecb1c60ffb4715da8838d9fa4
SHA256 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
SHA512 c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 8548cc870e74723070353d67d1df6cba
SHA1 1e51a150d92378cecb1c60ffb4715da8838d9fa4
SHA256 37a20cc147c98eb43b4532c1cb76e7b3358fc4b815d930aaa8507dc6ac3095b6
SHA512 c236b7600429cebf88fecbb1815c7eac3b92891828d7c3646da10e93223490a31b6c7c50df70203ca5977d2cdb17d3135549b43ea866e05c25df62f1126c41c0

\Users\Admin\AppData\Local\Temp\RakLaunch.exe

MD5 73809a6768903e090178f10eb46ff2c1
SHA1 8449c27be4b36b4066996b50b9b3d6078a4f736c
SHA256 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
SHA512 dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

memory/2520-12-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RakLaunch.exe

MD5 73809a6768903e090178f10eb46ff2c1
SHA1 8449c27be4b36b4066996b50b9b3d6078a4f736c
SHA256 0ed4df7c5b8324315b6625586bb0e2cd09cdb7db2d2278910cd377fe7f371ee5
SHA512 dcdd5c6cf5e18bafcf1d8b478726777f6735d53ceb1356e90ad7016ed2462161a4cf1595db2d754dcfc20395564b8aa35029b4691067eccbc7c599d52aa4968e

C:\fontintosessionsvc\AtbmE4.vbe

MD5 bfc4c3394520c5407a7a70e99743ca72
SHA1 e6e32f2b7807d33f03d6e35a4fc77f4dfbe85d17
SHA256 c37245170203c5ab6487bf1ec57aed0eba66da843a1ed5b87e3752b903381e6d
SHA512 2ca69c9e6056a44cb097c95c32c7a93bf2c007766bbf81bd46f9da861d831eddee2d977103bd61c7efabfb967b6f4eb833e5166a85f33acd07ee38afe322cca1

C:\fontintosessionsvc\aWM6CbC4aFWBvDgJSFPV9Iz.bat

MD5 72fa4f55254901b819a5996d5eff7bcb
SHA1 950f1b3bf5a55a2d88fce41b03a3b5ab079d716d
SHA256 962a03b716b55d4758553f335d4028caaa453667d6181f899db95ab1fc9f71e0
SHA512 c4c090eb5f9584b88ce8a9052a8fe11c1bf9bce33bc7574347d0a161e551a374d7d41146a2b5e64242786e510fd73b3f6a194596d3ad6105b06c31965be32ce6

\fontintosessionsvc\bridgeWebdll.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

C:\fontintosessionsvc\bridgeWebdll.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

memory/2756-28-0x0000000001010000-0x0000000001142000-memory.dmp

memory/2756-29-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/2756-30-0x0000000000F90000-0x0000000001010000-memory.dmp

memory/2756-31-0x0000000000350000-0x000000000036C000-memory.dmp

memory/2756-32-0x0000000000370000-0x0000000000386000-memory.dmp

memory/2756-33-0x0000000000620000-0x000000000062C000-memory.dmp

C:\Recovery\63bfbcc2-6fc3-11ee-a99b-e9009f524de1\winlogon.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

memory/328-45-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/328-46-0x000000001B040000-0x000000001B0C0000-memory.dmp

memory/2756-47-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\schtasks.exe

MD5 d241d05d6cc53887772cc12e93759c50
SHA1 e13109e21acd264714539f7f3c9b7f0ff44d0211
SHA256 8099f7f6bf26e317f40ad8af13118c7610fcddd838cc1ca7ffeb69e1634ae0b0
SHA512 eb3c382d99a723697dec52c6b24ea4f5b941c1bda390e01321ea2bd9805ae6db88ad51137b488f2bac1300e55e6043bc0b365d3ccf9c5acbaaec4658dcb23712

memory/364-86-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/328-85-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

memory/364-84-0x0000000000310000-0x0000000000442000-memory.dmp

memory/364-87-0x000000001B080000-0x000000001B100000-memory.dmp

memory/364-88-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp