Malware Analysis Report

2025-06-15 19:46

Sample ID 240325-cnc97sdd29
Target 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe
SHA256 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239
Tags
rat dcrat infostealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239

Threat Level: Known bad

The file 6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 02:13

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 02:12

Reported

2024-03-25 02:15

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\it-IT\csrss.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Windows Sidebar\it-IT\886983d96e3d3e C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\winlogon.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\cc11b995f2a76d C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\MSBuild\winlogon.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\MSBuild\cc11b995f2a76d C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\42af1c969fbb7b C:\BlockSurrogateagentFont\hostnet.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 1704 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 928 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2724 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2724 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2724 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2708 wrote to memory of 576 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 2708 wrote to memory of 576 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 2708 wrote to memory of 576 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 576 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 576 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 576 wrote to memory of 1512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 576 wrote to memory of 1032 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 576 wrote to memory of 1032 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 576 wrote to memory of 1032 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 1032 wrote to memory of 2164 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe
PID 1032 wrote to memory of 2164 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe
PID 1032 wrote to memory of 2164 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\BlockSurrogateagentFont\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\BlockSurrogateagentFont\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zq1Fy1aHNJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\lsass.exe'" /rl HIGHEST /f

C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe

"C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\taskhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0869574.xsph.ru udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
RU 141.8.197.42:80 a0869574.xsph.ru tcp

Files

C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe

MD5 277c7ccc3313d83f51d594cba0ae300d
SHA1 48531a959a24846841b8fda471c5fea259f2ca38
SHA256 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac

C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat

MD5 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71

\BlockSurrogateagentFont\hostnet.exe

MD5 53827648303c620a8fa81a2998ae5ae5
SHA1 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256 b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d

memory/2708-13-0x0000000000C40000-0x0000000000DC2000-memory.dmp

memory/2708-14-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

memory/2708-15-0x00000000023E0000-0x0000000002460000-memory.dmp

memory/2708-16-0x00000000009F0000-0x00000000009FE000-memory.dmp

memory/2708-17-0x0000000000A00000-0x0000000000A1C000-memory.dmp

memory/2708-18-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

memory/2708-19-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/2708-20-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

memory/2708-21-0x0000000002380000-0x000000000238E000-memory.dmp

memory/2708-22-0x0000000002390000-0x000000000239C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Zq1Fy1aHNJ.bat

MD5 dfd3448f8b540b954f8fe09a3394f5bc
SHA1 322b64b2096f0d470abbd0867a75b0d41c9b00b9
SHA256 4299e6f03e2f5f837278a2931fcf762bdc2d190c3c1538dad7df431538795485
SHA512 d11812c5ab0aeb1f94af6ba3cd63113437857eed44056b5a77ae2017bc4ef1e198fb83ef081d47161d6df4cd819cefde6c7a50c617d7e5b0058994cd4725c2f1

memory/2708-37-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

memory/1032-40-0x0000000000110000-0x0000000000292000-memory.dmp

memory/1032-41-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

memory/1032-42-0x000000001B120000-0x000000001B1A0000-memory.dmp

memory/1032-43-0x0000000000820000-0x0000000000832000-memory.dmp

C:\Users\Default User\6ccacd8608530f

MD5 412b61071e59225e752822fc53838004
SHA1 50e3b04b429ac19e6d4fe5953d7bb3ec8aaa90d9
SHA256 c23dec0292acbca4edab608442a9228376c9b52b82cc130984d929a2b432901c
SHA512 2f402d6552f91e86808e59a36eec5225fbf191ec246ae5cedf71b6d928a52c3b3e0a2813f427b9051483d80bc6770f2ada3c6b31d6dd1d141f6ee41b9e337684

memory/2164-70-0x0000000000810000-0x0000000000992000-memory.dmp

memory/2164-71-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

memory/1032-73-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

memory/2164-72-0x000000001B100000-0x000000001B180000-memory.dmp

memory/2164-74-0x00000000004B0000-0x00000000004C2000-memory.dmp

memory/2164-75-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 02:12

Reported

2024-03-25 02:15

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\BlockSurrogateagentFont\hostnet.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\BlockSurrogateagentFont\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\0a1fd5f707cd16 C:\BlockSurrogateagentFont\hostnet.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings C:\BlockSurrogateagentFont\hostnet.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 1000 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 1000 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 1776 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2012 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2012 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 748 wrote to memory of 952 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 748 wrote to memory of 952 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 952 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 952 wrote to memory of 4700 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 952 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\RuntimeBroker.exe
PID 952 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\RuntimeBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\BlockSurrogateagentFont\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\BlockSurrogateagentFont\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\DeviceSync\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\DeviceSync\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\DeviceSync\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y05nXIVCAi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\BlockSurrogateagentFont\RuntimeBroker.exe

"C:\BlockSurrogateagentFont\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 a0869574.xsph.ru udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe

MD5 277c7ccc3313d83f51d594cba0ae300d
SHA1 48531a959a24846841b8fda471c5fea259f2ca38
SHA256 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac

C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat

MD5 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71

C:\BlockSurrogateagentFont\hostnet.exe

MD5 53827648303c620a8fa81a2998ae5ae5
SHA1 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256 b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d

memory/748-12-0x0000000000CE0000-0x0000000000E62000-memory.dmp

memory/748-13-0x00007FFAC4700000-0x00007FFAC51C1000-memory.dmp

memory/748-14-0x000000001BA30000-0x000000001BA40000-memory.dmp

memory/748-15-0x0000000002EE0000-0x0000000002EEE000-memory.dmp

memory/748-16-0x0000000002F70000-0x0000000002F8C000-memory.dmp

memory/748-18-0x000000001B9C0000-0x000000001B9D6000-memory.dmp

memory/748-17-0x000000001C040000-0x000000001C090000-memory.dmp

memory/748-19-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/748-20-0x000000001B9E0000-0x000000001B9F2000-memory.dmp

memory/748-21-0x000000001C7B0000-0x000000001CCD8000-memory.dmp

memory/748-22-0x000000001B980000-0x000000001B98E000-memory.dmp

memory/748-23-0x000000001B990000-0x000000001B99C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\y05nXIVCAi.bat

MD5 2417f4df9c111291240f0f565b0a2051
SHA1 78daf7252bd731c6d7e7d0bd1a930b8f82d64d6a
SHA256 1d53031193abc462fa9141a906577ef7040d5f73d1cda7b94d9200d6e50fa2dd
SHA512 e3293a6e12468c4b83b2b3ce91fc3fe7ba428f3744f69a5c1824f75a7e95931cdf978c60ebaed7b495cc5a41dfbd08ae08250694f3fd912faded341f46821574

memory/748-38-0x00007FFAC4700000-0x00007FFAC51C1000-memory.dmp

memory/2596-42-0x00007FFAC4700000-0x00007FFAC51C1000-memory.dmp

memory/2596-44-0x00007FFAC4700000-0x00007FFAC51C1000-memory.dmp