Malware Analysis Report

2025-06-15 19:46

Sample ID 240324-qxkmjada76
Target 1cf1c8a6b74890f6d1913bf3b9e46a79.exe
SHA256 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
Tags rat dcrat infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239

Threat Level: Known bad

The file 1cf1c8a6b74890f6d1913bf3b9e46a79.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

Dcrat family

Process spawned unexpected child process

DcRat

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 13:38

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 13:38

Reported

2024-03-24 13:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (36 identical rows, one per schtasks.exe invocation listed under Processes)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\Users\Admin\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\886983d96e3d3e C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\ja-JP\wininit.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\ja-JP\56085415360792 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\es-ES\6203df4a6bafc7 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Internet Explorer\csrss.exe C:\BlockSurrogateagentFont\hostnet.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (36 identical rows, one per schtasks.exe invocation listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe C:\Windows\SysWOW64\WScript.exe (4 identical rows)
PID 2364 wrote to memory of 2632 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2632 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe (4 identical rows)
PID 2668 wrote to memory of 300 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe (3 identical rows)
PID 300 wrote to memory of 1952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 identical rows)
PID 300 wrote to memory of 848 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\cmd.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe

"C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\BlockSurrogateagentFont\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\BlockSurrogateagentFont\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\BlockSurrogateagentFont\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\BlockSurrogateagentFont\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FQxHpKLGFs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\cmd.exe

"C:\Users\Admin\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0869574.xsph.ru udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
RU 141.8.197.42:80 a0869574.xsph.ru tcp

Files

C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe

MD5 277c7ccc3313d83f51d594cba0ae300d
SHA1 48531a959a24846841b8fda471c5fea259f2ca38
SHA256 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac

C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat

MD5 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71

\BlockSurrogateagentFont\hostnet.exe

MD5 53827648303c620a8fa81a2998ae5ae5
SHA1 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256 b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d

memory/2668-13-0x00000000011F0000-0x0000000001372000-memory.dmp

memory/2668-14-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

memory/2668-15-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/2668-16-0x0000000000340000-0x000000000034E000-memory.dmp

memory/2668-17-0x00000000003D0000-0x00000000003EC000-memory.dmp

memory/2668-18-0x00000000004E0000-0x00000000004F6000-memory.dmp

memory/2668-19-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2668-20-0x0000000000510000-0x0000000000522000-memory.dmp

memory/2668-21-0x0000000000520000-0x000000000052E000-memory.dmp

memory/2668-22-0x0000000000A90000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FQxHpKLGFs.bat

MD5 9ad142580f53d79680d8876cbed7d591
SHA1 e104dd929652969b8e05b10481e1cf13e440674f
SHA256 409ef1c88662d66d6890335d9b0f8a15c25522a014578dc54546628b0dfcc886
SHA512 1c1652b99bd2f18177512b1d982ac174afc08b39935b775e9836c7c20f5a61f3759533705d9d6043d66fafc542b26971befa90a3296369d1ec679c7d9184699f

memory/2668-51-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

memory/848-55-0x00000000001E0000-0x0000000000362000-memory.dmp

memory/848-57-0x0000000000830000-0x00000000008B0000-memory.dmp

memory/848-56-0x000007FEF47E0000-0x000007FEF51CC000-memory.dmp

memory/848-58-0x000007FEF47E0000-0x000007FEF51CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 13:38

Reported

2024-03-24 13:40

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical rows, one per schtasks.exe invocation listed under Processes)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\BlockSurrogateagentFont\hostnet.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\Recovery\WindowsRE\WaaSMedicAgent.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre-1.8\bin\plugin2\cc11b995f2a76d C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Common Files\System\en-US\eddb19405b7ce1 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Internet Explorer\en-US\unsecapp.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\unsecapp.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Internet Explorer\en-US\29c1c3cc0f7685 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe C:\BlockSurrogateagentFont\hostnet.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CSC\StartMenuExperienceHost.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Windows\Cursors\SearchApp.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Windows\Cursors\38384e6a620884 C:\BlockSurrogateagentFont\hostnet.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\BlockSurrogateagentFont\hostnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\WaaSMedicAgent.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 3764 wrote to memory of 5588 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 5588 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe (2 identical rows)
PID 3376 wrote to memory of 3944 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 3944 wrote to memory of 4780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 3944 wrote to memory of 6096 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\WaaSMedicAgent.exe (2 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe

"C:\Users\Admin\AppData\Local\Temp\1cf1c8a6b74890f6d1913bf3b9e46a79.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\System\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\odt\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pki5XcHhHF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\WaaSMedicAgent.exe

"C:\Recovery\WindowsRE\WaaSMedicAgent.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup
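
The schtasks lines above are the persistence the signatures summarise as "Creates scheduled task(s)". The pattern repeats for every dropped copy: one ONLOGON task named exactly after the binary and one or two MINUTE tasks with a trailing letter appended (services/servicess, winlogon/winlogonw), most with /rl HIGHEST so they start elevated, and every target is a well-known process name (services.exe, winlogon.exe, sihost.exe, SearchApp.exe, WaaSMedicAgent.exe) dropped in a directory where that binary never lives (C:\Recovery\WindowsRE, C:\Windows\Cursors, C:\odt, the Default User profile, a Java plugin folder). The batch file pki5XcHhHF.bat then runs w32tm /stripchart against localhost, which takes a few seconds to complete and serves as a sleep, before launching the dropped WaaSMedicAgent.exe. The following Python is an added example, not part of the sandbox report and not DCRat code: it parses schtasks /create command lines and scores each one on exactly those traits. The sample lines are copied from the trace plus one constructed benign control line; the EXPECTED_DIRS map of where each impersonated name normally lives is an assumption and should be checked against a reference host.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample input: six schtasks lines taken from the behavioral1 trace above,
# plus one benign control line (constructed) that points at a real System32 binary.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre-1.8\bin\plugin2\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Cursors\SearchApp.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /f''',
    r'''schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default User\TextInputHost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "DiskCleanup" /sc DAILY /tr "C:\Windows\System32\cleanmgr.exe" /f''',
]

# Where each impersonated process name normally lives. Assumed for this example;
# verify against a reference host before relying on it.
EXPECTED_DIRS = {
    "services.exe": [r"C:\Windows\System32"],
    "winlogon.exe": [r"C:\Windows\System32"],
    "sihost.exe": [r"C:\Windows\System32"],
    "backgroundtaskhost.exe": [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
    "waasmedicagent.exe": [r"C:\Windows\System32"],
    "searchapp.exe": [r"C:\Windows\SystemApps"],
    "textinputhost.exe": [r"C:\Windows\SystemApps"],
    "officeclicktorun.exe": [r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun"],
    "cleanmgr.exe": [r"C:\Windows\System32"],
}

NOARG_FLAGS = {"/create", "/f", "/z", "/v1"}   # schtasks switches that take no value
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')       # a double-quoted string or a bare word

def tokenize(cmdline):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]

def parse_schtasks_create(cmdline):
    """Option dict of a `schtasks /create` line (keys without the slash), else None."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("schtasks.exe", "schtasks"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts, i = {}, 1
    while i < len(toks):
        if lowered[i] in NOARG_FLAGS:
            opts[lowered[i][1:]] = True
            i += 1
        elif lowered[i].startswith("/") and i + 1 < len(toks):
            opts[lowered[i][1:]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts

@dataclass
class Finding:
    task_name: str
    target: str
    schedule: str
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)

def analyze(cmdline):
    """Score one schtasks /create line; None if the line is not a task creation."""
    opts = parse_schtasks_create(cmdline)
    if not opts or "tr" not in opts:
        return None
    # DCRat wraps the /tr value in single quotes inside the double quotes; strip both layers.
    target = str(opts["tr"]).strip("'\" ")
    p = PureWindowsPath(target)
    name, parent = p.name.lower(), str(p.parent).lower()
    sched, mo, tn = str(opts.get("sc", "")).upper(), str(opts.get("mo", "")), str(opts.get("tn", ""))
    f = Finding(tn, target, sched + (f" /mo {mo}" if sched == "MINUTE" else ""))
    expected = EXPECTED_DIRS.get(name)
    if expected and not any(parent == d.lower() or parent.startswith(d.lower() + "\\") for d in expected):
        f.reasons.append(f"{p.name} normally lives under {' or '.join(expected)}, not {p.parent}")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        f.reasons.append("/rl HIGHEST: task runs at the highest privilege the account holds")
    if sched == "ONLOGON":
        f.reasons.append("ONLOGON trigger: relaunched at every logon")
    elif sched == "MINUTE" and mo.isdigit() and int(mo) <= 15:
        f.reasons.append(f"re-runs every {mo} minutes: watchdog-style restart")
    stem, tn = p.stem.lower(), tn.lower()
    if tn == stem:
        f.reasons.append("task name is the impersonated binary name")
    elif tn.startswith(stem) and len(tn) == len(stem) + 1:
        f.reasons.append("task name is the binary name plus one letter (paired-task pattern)")
    return f

def triage_tasks(cmdlines, threshold=3):
    """Findings that meet the threshold, most suspicious first."""
    found = [f for f in map(analyze, cmdlines) if f is not None and f.score >= threshold]
    return sorted(found, key=lambda f: -f.score)

if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_CMDLINES):
        print(f"[{f.score}] {f.task_name!r} -> {f.target} ({f.schedule})")
        for r in f.reasons:
            print("     -", r)
```

Run against the trace, every DCRat task scores 3 or 4 and the control line scores 0. On a live host the same logic applies to the output of `schtasks /query /fo CSV /v` or to Sysmon event ID 1 command lines; the location check is the strongest single signal, because a legitimate services.exe or winlogon.exe is never started from C:\Recovery\WindowsRE.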

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 a0869574.xsph.ru udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
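
The Network table mixes three kinds of rows. The in-addr.arpa entries are PTR lookups, reverse resolutions of addresses the guest already knew about, not connections to those hosts. The g.bing.com and tse1.mm.bing.net rows are background traffic the Windows guest generates regardless of the sample. What remains is the sample's own activity: a DNS query for a0869574.xsph.ru followed by two plain-HTTP connections to 141.8.197.42:80, the only destination in the trace that the guest itself does not explain and therefore the C2 candidate for this run, plus a bare-IP connection to 20.231.121.79:80 that carries no name in the trace and is left for manual review. The Python below is an added example, not part of the report, that applies this separation to the table rows and extracts the resulting indicators. The sample rows are a representative subset copied from the table above; the background-name allowlist is an assumption and should be derived from a clean baseline run of the same sandbox image.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a representative subset of the Network table above, one row per line
# in the same "Country Destination Domain Proto" layout (rows without a domain have three fields).
SAMPLE_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 a0869574.xsph.ru udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Names an idle Windows guest contacts on its own during a short detonation. Assumed
# allowlist for this example; tune it from a clean-baseline run of the same sandbox image.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com",
                       ".msftconnecttest.com")

def parse_rows(text):
    """Turn table rows into dicts; the header line and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # no domain column: the connection went straight to an IP
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        try:
            ipaddress.ip_address(ip)     # rejects the header ("Destination") and garbage
            port = int(port)
        except ValueError:
            continue
        rows.append({"country": country, "ip": ip, "port": port,
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows

def classify(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr-lookup"      # reverse lookup of an address; not a connection to that host
    if d.endswith(BACKGROUND_SUFFIXES):
        return "background"      # guest/OS chatter the sandbox shows for any sample
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-lookup"      # a name the sample resolved
    if not d:
        return "direct-ip"       # nothing to attribute the address to; review by hand
    return "candidate-c2"

def bucket_connections(text):
    """Unique endpoints grouped by classification, for reading through."""
    buckets = defaultdict(set)
    for row in parse_rows(text):
        buckets[classify(row)].add(f"{row['domain'] or '-'} {row['ip']}:{row['port']}/{row['proto']}")
    return {k: sorted(v) for k, v in buckets.items()}

def extract_iocs(text):
    """(domains, ips, review): blockable names and addresses, plus bare-IP endpoints needing a decision."""
    domains, ips, review = set(), set(), set()
    for row in parse_rows(text):
        kind = classify(row)
        if kind in ("dns-lookup", "candidate-c2"):
            domains.add(row["domain"])
        if kind == "candidate-c2":
            ips.add(row["ip"])
        if kind == "direct-ip":
            review.add(f"{row['ip']}:{row['port']}")
    return sorted(domains), sorted(ips), sorted(review)

if __name__ == "__main__":
    for kind, endpoints in bucket_connections(SAMPLE_ROWS).items():
        print(kind, endpoints)
    print(extract_iocs(SAMPLE_ROWS))
```

The order of the checks matters: the PTR and background tests run before the port-53 test so that a lookup of g.bing.com is not reported as a name the sample resolved, and a bare-IP row is never promoted to an indicator automatically, since an address in a cloud provider's range can just as easily be an OS service as a second-stage host.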

Files

C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe

MD5 277c7ccc3313d83f51d594cba0ae300d
SHA1 48531a959a24846841b8fda471c5fea259f2ca38
SHA256 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac

C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat

MD5 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71

C:\BlockSurrogateagentFont\hostnet.exe

MD5 53827648303c620a8fa81a2998ae5ae5
SHA1 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256 b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d

memory/3376-12-0x00000000005A0000-0x0000000000722000-memory.dmp

memory/3376-13-0x00007FFCBBB90000-0x00007FFCBC651000-memory.dmp

memory/3376-14-0x000000001B330000-0x000000001B340000-memory.dmp

memory/3376-15-0x00000000027F0000-0x00000000027FE000-memory.dmp

memory/3376-16-0x000000001B240000-0x000000001B25C000-memory.dmp

memory/3376-17-0x000000001B2B0000-0x000000001B300000-memory.dmp

memory/3376-18-0x000000001B260000-0x000000001B276000-memory.dmp

memory/3376-19-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3376-20-0x000000001B280000-0x000000001B292000-memory.dmp

memory/3376-21-0x000000001C0B0000-0x000000001C5D8000-memory.dmp

memory/3376-22-0x000000001B300000-0x000000001B30E000-memory.dmp

memory/3376-23-0x000000001B310000-0x000000001B31C000-memory.dmp

memory/3376-49-0x00007FFCBBB90000-0x00007FFCBC651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pki5XcHhHF.bat

MD5 d9beaa7b00a98853c9096c9a81dd024c
SHA1 3137a1d447b5ca3b5b1ed5387eff84825742610d
SHA256 b6f184ee1e95c1ffcf7b80b42a8b1e2db1f47272f6d8279777b4a41e7ca9e544
SHA512 8ce8edf7bfc8e66ee9534e68d2ff540de092805bb59c615529e548e0aa84494c88b2a73677a3421d835e6856496991a6066e4082c71909739eef57a0b6638106

memory/6096-54-0x00007FFCBBB90000-0x00007FFCBC651000-memory.dmp

memory/6096-55-0x000000001B100000-0x000000001B110000-memory.dmp

memory/6096-57-0x00007FFCBBB90000-0x00007FFCBC651000-memory.dmp

memory/3944-58-0x0000014789840000-0x0000014789850000-memory.dmp

memory/3944-74-0x0000014789940000-0x0000014789950000-memory.dmp

memory/3944-90-0x0000014791C70000-0x0000014791C71000-memory.dmp

memory/3944-92-0x0000014791CA0000-0x0000014791CA1000-memory.dmp

memory/3944-93-0x0000014791CA0000-0x0000014791CA1000-memory.dmp

memory/3944-94-0x0000014791DB0000-0x0000014791DB1000-memory.dmp