Malware Analysis Report

2024-11-15 05:49

Sample ID 240514-aqs3bsbf5v
Target 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad
SHA256 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad
Tags
dcrat infostealer rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad

Threat Level: Known bad

The file 9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat spyware stealer

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

Detects executables packed with SmartAssembly

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 00:25

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 00:25

Reported

2024-05-14 00:28

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (47 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\Windows\TAPI\lsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (2 identical rows)

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\fonts\6ccacd8608530f C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\b75386f1303e64 C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\audiodg.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\42af1c969fbb7b C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\Idle.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\servicing\de-DE\Idle.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\SchCache\audiodg.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\SchCache\42af1c969fbb7b C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\TAPI\lsm.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\TAPI\101b941d020240 C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\AppCompat\lsm.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\AppCompat\101b941d020240 C:\bridgeComponentRuntimehostnet\componentRef.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (48 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\TAPI\lsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TAPI\lsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe C:\Windows\SysWOW64\WScript.exe (4 identical rows)
PID 2344 wrote to memory of 2572 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2572 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeComponentRuntimehostnet\componentRef.exe (4 identical rows)
PID 2644 wrote to memory of 1704 N/A C:\bridgeComponentRuntimehostnet\componentRef.exe C:\Windows\System32\cmd.exe (3 identical rows)
PID 1704 wrote to memory of 1060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 identical rows)
PID 1704 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\TAPI\lsm.exe (3 identical rows)
PID 1948 wrote to memory of 2500 N/A C:\Windows\TAPI\lsm.exe C:\Windows\System32\WScript.exe (3 identical rows)
PID 1948 wrote to memory of 2784 N/A C:\Windows\TAPI\lsm.exe C:\Windows\System32\WScript.exe (3 identical rows)
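
The WriteProcessMemory rows above are a parent/child chain flattened to one line per call (dropper -> WScript.exe running the .vbe -> cmd.exe running the .bat -> componentRef.exe -> cmd.exe running the second .bat -> w32tm.exe and the dropped lsm.exe -> two more WScript.exe), and the "Process spawned unexpected child process" hits earlier in this section record schtasks.exe with WmiPrvSE.exe as its parent, which is what process creation through WMI (Win32_Process) looks like instead of a direct CreateProcess from the dropper. The Python below is an added example, not code from the sandbox, this report or DCRat: it rebuilds the tree from Sysmon Event ID 1-style process-creation records and runs two rules over it, one for the WmiPrvSE -> schtasks parent anomaly and one for executables started from non-standard directories underneath a script-host chain. The events are constructed from the PIDs, images and command lines in this report; the explorer.exe, svchost, WmiPrvSE.exe and schtasks.exe PIDs (1000, 600, 700, 3001) are assumed because the report does not record them, and cmd.exe and powershell.exe in the unexpected-child list are additions beyond the schtasks.exe the report shows.

```python
"""
Rebuild a process tree from process-creation events and flag the two
parent/child anomalies visible in this report: schtasks.exe with WmiPrvSE.exe
as parent, and binaries run from non-standard directories underneath a
script-host (WScript/CScript) chain. Added example, not sandbox or DCRat code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:  # subset of Sysmon Event ID 1 fields
    pid: int
    ppid: int
    image: str
    cmdline: str


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"

# Constructed events. PIDs 1504..2784 and every image/command line are the ones
# this report lists; PIDs 1000/600/700/3001 (explorer, svchost, WmiPrvSE,
# schtasks) are assumed, since the report does not record them.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1504, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2344, 1504, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe"'),
    ProcEvent(2572, 2344, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\bridgeComponentRuntimehostnet\worw0dI33.bat" "'),
    ProcEvent(2644, 2572, r"C:\bridgeComponentRuntimehostnet\componentRef.exe",
              r'"C:\bridgeComponentRuntimehostnet\componentRef.exe"'),
    ProcEvent(1704, 2644, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rA5VqWe8jw.bat"'),
    # w32tm /stripchart against localhost is a ~5 s delay, not a network IOC
    ProcEvent(1060, 1704, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(1948, 1704, r"C:\Windows\TAPI\lsm.exe", r'"C:\Windows\TAPI\lsm.exe"'),
    ProcEvent(2500, 1948, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61ed3b9-aa48-4eba-bfca-b974c8b81813.vbs"'),
    ProcEvent(2784, 1948, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce7a82a2-36c7-4f08-8f41-ff7e12726b0a.vbs"'),
    ProcEvent(700, 600, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    ProcEvent(3001, 700, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\TAPI\lsm.exe'" /rl HIGHEST /f'''),
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children a WMI provider host should never start. The report shows schtasks.exe;
# cmd.exe and powershell.exe are added here as common equivalents (assumption).
UNEXPECTED_CHILDREN = {"wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe"}}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.lower().rpartition("\\")[0]


def index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Parent, grandparent, ... up to the first parent PID not in the event set."""
    chain: List[ProcEvent] = []
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def render_tree(events: List[ProcEvent], root: int) -> List[str]:
    """Indented 'pid image  cmdline' lines, depth-first from root."""
    by_pid = index(events)
    kids: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        kids[e.ppid].append(e.pid)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        e = by_pid[pid]
        lines.append(f"{'  ' * depth}{pid} {_base(e.image)}  {e.cmdline}")
        for child in kids[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def find_anomalies(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """(pid, reason) for every event hitting one of the two rules, sorted by pid."""
    by_pid = index(events)
    hits: List[Tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and _base(e.image) in UNEXPECTED_CHILDREN.get(_base(parent.image), set()):
            hits.append((e.pid, f"unexpected parent: {_base(parent.image)} -> {_base(e.image)}"))
        lineage = {_base(a.image) for a in ancestors(by_pid, e.pid)}
        if lineage & SCRIPT_HOSTS and _dir(e.image) not in SYSTEM_DIRS:
            hits.append((e.pid, f"non-standard binary under script host: {e.image}"))
    return sorted(hits)


if __name__ == "__main__":
    for line in render_tree(EVENTS, 1000):
        print(line)
    for pid, reason in find_anomalies(EVENTS):
        print(f"[!] pid {pid}: {reason}")
```

Run as a script it prints the ten-process tree rooted at explorer.exe and three hits: lsm.exe (1948) and componentRef.exe (2644) as non-system binaries beneath the WScript chain, and schtasks.exe (3001) for its WmiPrvSE.exe parent. Feeding real Sysmon or 4688 events in requires only filling ProcEvent from the Image, ParentImage, ProcessId, ParentProcessId and CommandLine fields.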

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe

"C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\bridgeComponentRuntimehostnet\worw0dI33.bat" "

C:\bridgeComponentRuntimehostnet\componentRef.exe

"C:\bridgeComponentRuntimehostnet\componentRef.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\de-DE\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\de-DE\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\AppCompat\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\bridgeComponentRuntimehostnet\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\bridgeComponentRuntimehostnet\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\bridgeComponentRuntimehostnet\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Pictures\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\bridgeComponentRuntimehostnet\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgeComponentRuntimehostnet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\bridgeComponentRuntimehostnet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "componentRefc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\componentRef.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "componentRef" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\componentRef.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "componentRefc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\componentRef.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\SchCache\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\TAPI\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\lsm.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rA5VqWe8jw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\TAPI\lsm.exe

"C:\Windows\TAPI\lsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d61ed3b9-aa48-4eba-bfca-b974c8b81813.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce7a82a2-36c7-4f08-8f41-ff7e12726b0a.vbs"
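
The 48 schtasks.exe invocations above come in triplets, one per dropped binary (16 targets in all): a MINUTE task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST. The MINUTE tasks are named after the ONLOGON task plus its own first letter (lsm / lsml, wininit / wininitw, Idle / IdleI, csrss / csrssc), and every target except componentRef.exe carries a Windows system-binary name written somewhere other than System32 (C:\Windows\TAPI, C:\Recovery\<guid>, C:\MSOCache, Program Files language folders). Because each command uses /f, a later task with the same name silently replaces an earlier one, so on the live host only the last definition of lsml, taskhostt, servicess and audiodga survives. The Python below is an added example, not code from the sandbox, this report or DCRat: it parses such command lines into IOCs and applies those two checks. Its input is nine lines copied from the list above plus one constructed benign task; the system-binary name list and the legitimate-directory set are assumptions drawn from this report, not a complete Windows inventory.

```python
"""
Turn schtasks /create command lines into persistence IOCs and flag the DCRat
pattern seen in this report: Windows system-binary names dropped outside
System32/SysWOW64, and per dropped binary one ONLOGON task named N plus
MINUTE tasks named N + N[0] ("lsm" and "lsml", "wininit" and "wininitw").
Added example, not sandbox or DCRat code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Nine command lines copied from the Processes list in this report, plus one
# constructed benign task (last line) that must not match either check.
SAMPLE_COMMAND_LINES = r'''
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /f
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\Idle.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\lsm.exe'" /f
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\TAPI\lsm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\lsm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f
'''

# Names this sample impersonates (from the task list above) and the only
# directories where such names belong. Both are assumptions for this example.
SYSTEM_BINARY_NAMES = {"lsm", "csrss", "smss", "lsass", "services", "wininit",
                       "audiodg", "taskhost", "conhost", "sppsvc", "idle"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

TN = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)
SC = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
MO = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)
TR = re.compile(r"/tr\s+\"'?([^\"']+)'?\"", re.IGNORECASE)  # "'path'" or "path"
RL = re.compile(r"/rl\s+highest", re.IGNORECASE)


@dataclass(frozen=True)
class TaskIoc:
    name: str
    schedule: str            # MINUTE, ONLOGON, DAILY, ...
    modifier: Optional[int]  # /mo value (minutes for /sc MINUTE), else None
    target: str              # path the task runs
    highest: bool            # /rl HIGHEST present


def parse_schtasks_create(line: str) -> Optional[TaskIoc]:
    """Parse one 'schtasks /create' command line; None if it is not one."""
    if "/create" not in line.lower():
        return None
    tn, sc, tr = TN.search(line), SC.search(line), TR.search(line)
    if not (tn and sc and tr):
        return None
    mo = MO.search(line)
    return TaskIoc(name=tn.group(1), schedule=sc.group(1).upper(),
                   modifier=int(mo.group(1)) if mo else None,
                   target=tr.group(1), highest=bool(RL.search(line)))


def parse_report(text: str) -> List[TaskIoc]:
    """Every schtasks /create IOC found in a block of command lines, in order."""
    iocs = [parse_schtasks_create(line.strip()) for line in text.splitlines()]
    return [i for i in iocs if i]


def is_masquerading(path: str) -> bool:
    """A system-binary file name placed outside the directories it belongs in."""
    directory, _, filename = path.lower().rpartition("\\")
    stem = filename[:-4] if filename.endswith(".exe") else filename
    return stem in SYSTEM_BINARY_NAMES and directory not in LEGIT_DIRS


def masquerading_targets(tasks: List[TaskIoc]) -> List[str]:
    return sorted({t.target for t in tasks if is_masquerading(t.target)})


def dcrat_task_triplets(tasks: List[TaskIoc]) -> Dict[str, List[TaskIoc]]:
    """Group tasks by target; keep groups with an ONLOGON task named N and
    MINUTE task(s) named N + N[0]. Keys are lower-cased target paths."""
    by_target: Dict[str, List[TaskIoc]] = defaultdict(list)
    for t in tasks:
        by_target[t.target.lower()].append(t)
    hits: Dict[str, List[TaskIoc]] = {}
    for target, group in by_target.items():
        for logon in (t for t in group if t.schedule == "ONLOGON"):
            alias = logon.name + logon.name[0]
            minute = [t for t in group if t.schedule == "MINUTE" and t.name == alias]
            if minute:
                hits[target] = [logon, *minute]
    return hits


if __name__ == "__main__":
    found = parse_report(SAMPLE_COMMAND_LINES)
    for path in masquerading_targets(found):
        print("masquerading target:", path)
    for target, group in dcrat_task_triplets(found).items():
        print("DCRat task triplet ->", target, [(t.name, t.schedule, t.highest) for t in group])
```

On the sample input the benign NightlyBackup line parses but matches neither check; the other nine lines yield three masquerading targets and three complete triplets. Pointing parse_report at the full 48-line list above returns 16 groups, of which the componentRef.exe group passes the naming check but not the masquerading one.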

Network

Country Destination Domain Proto
US 8.8.8.8:53 aery-messages.000webhostapp.com udp
US 145.14.145.184:80 aery-messages.000webhostapp.com tcp
US 145.14.145.184:80 aery-messages.000webhostapp.com tcp
US 145.14.145.184:80 aery-messages.000webhostapp.com tcp
US 8.8.8.8:53 aery-messages.000webhostapp.com udp
US 145.14.145.69:80 aery-messages.000webhostapp.com tcp

Files

memory/1504-0-0x0000000000D10000-0x0000000001111000-memory.dmp

memory/1504-9-0x0000000000D10000-0x0000000001111000-memory.dmp

C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe

MD5 403a1462c9f6034000cc5f6180be08b3
SHA1 fd7f04eafaaa752786aaffba321366fc1938c062
SHA256 adaf424ebd8d37a552019d5e4c8394031fadffa5411420db2a0ed8b002834424
SHA512 61437b7aa711a1f6d598a00bcbb4919be2b72d58be5b6ad525272657992726c90ff79d39436dcae07a81f73978e01a223bcd11d0a2dce2423ac12de54d4f1e2c

\bridgeComponentRuntimehostnet\componentRef.exe

MD5 526153cbd86009228ad53cd262a9c6b3
SHA1 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
SHA256 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
SHA512 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

C:\bridgeComponentRuntimehostnet\worw0dI33.bat

MD5 349cd009e089597bd6a43bdb489cd4d3
SHA1 732820f42c008d4d5d10c04bc0f49ffcc9855619
SHA256 e4039e78bca312c284c412fc8a05d28521421824776faa4a5549a7b32742f671
SHA512 c5941a91c608027c924a366c38adff267fdad0f89b82b72db10ee632219bb5622255e97a0b02d4f46a2dd34130593ab1cf5d1c2b518b52e1c2d633c39bd9fd50

memory/2644-16-0x0000000000F80000-0x00000000011F6000-memory.dmp

memory/2644-20-0x0000000000B40000-0x0000000000B96000-memory.dmp

memory/2644-19-0x0000000000670000-0x0000000000686000-memory.dmp

memory/2644-18-0x0000000000160000-0x0000000000168000-memory.dmp

memory/2644-21-0x0000000000350000-0x000000000035C000-memory.dmp

memory/2644-22-0x0000000000690000-0x00000000006A2000-memory.dmp

memory/2644-17-0x0000000000650000-0x000000000066C000-memory.dmp

memory/2644-25-0x0000000000C50000-0x0000000000C5E000-memory.dmp

memory/2644-24-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

memory/2644-26-0x0000000000C60000-0x0000000000C6C000-memory.dmp

memory/2644-23-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rA5VqWe8jw.bat

MD5 49d59a86e8cea4c09a60ba4349a0e9ca
SHA1 f4d979f13f9d7663e2d5e48bb7ce88ccb6c280e0
SHA256 e430b9e4db49c4602765f3ed6efb00f67a8d969eb7f3cc6d240fca831648769a
SHA512 4bcfb5090b5b2f1fc639d52dd8b4e24c926ba29b463c4b0a29ae35c98aaab0452f6c8977b0cf160cdddab9aa64ae3e27f99ee78c1b6ccba89d67594c53fec061

memory/1948-66-0x0000000000300000-0x0000000000576000-memory.dmp

memory/1948-67-0x00000000005E0000-0x00000000005F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ce7a82a2-36c7-4f08-8f41-ff7e12726b0a.vbs

MD5 3e8576fb7323320a9e0791c6c83ef217
SHA1 d9fa2cb7f8655451f31f5c5dc0d68299cefd6bbd
SHA256 f9c45210d9d56bedde616cd4db9f8645d22976f6dfd9c621f1c4cbb29fd102f3
SHA512 71708bcf8a1701f717993aa5d4d8b673f306e5da40cae74429c3aae8fc60214c30be6dab6e519f4882b7a24959d6b85fba6edc832334964dd5561d2f15a8ee20

C:\Users\Admin\AppData\Local\Temp\d61ed3b9-aa48-4eba-bfca-b974c8b81813.vbs

MD5 0805f3d1d1145da00c49f6953106d619
SHA1 e20e1e226c546263b9939bab91fe2e1b8908d62e
SHA256 433488437c3e04b28e0aa2df41f27f1892c1fa5578a17c930b00096a28a73b61
SHA512 20715595effcdbbb959a5ca8149bfb29e3160993a4e90805945a1bbc0f8e8871a87db401eedde81abbef9651b6f50ac68ac7174477075d637050bc35947fe1bd

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 00:25

Reported

2024-05-14 00:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (39 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\9e8d7a4ca61bd9 C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\0a1fd5f707cd16 C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files (x86)\Adobe\RuntimeBroker.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\9e8d7a4ca61bd9 C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\ebf1f9fa8afd6d C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\cc11b995f2a76d C:\bridgeComponentRuntimehostnet\componentRef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\winlogon.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\SKB\LanguageModels\taskhostw.exe C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
File created C:\Windows\SKB\LanguageModels\ea9f0e6c9e2dcd C:\bridgeComponentRuntimehostnet\componentRef.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeComponentRuntimehostnet\componentRef.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe C:\Windows\SysWOW64\WScript.exe
PID 1700 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe C:\Windows\SysWOW64\WScript.exe
PID 1700 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe C:\Windows\SysWOW64\WScript.exe
PID 2896 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 4716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeComponentRuntimehostnet\componentRef.exe
PID 4716 wrote to memory of 332 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeComponentRuntimehostnet\componentRef.exe
PID 332 wrote to memory of 696 N/A C:\bridgeComponentRuntimehostnet\componentRef.exe C:\Windows\System32\cmd.exe
PID 332 wrote to memory of 696 N/A C:\bridgeComponentRuntimehostnet\componentRef.exe C:\Windows\System32\cmd.exe
PID 696 wrote to memory of 3396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 696 wrote to memory of 3396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 696 wrote to memory of 3480 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe
PID 696 wrote to memory of 3480 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe
PID 3480 wrote to memory of 1688 N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3480 wrote to memory of 1688 N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3480 wrote to memory of 3112 N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 3480 wrote to memory of 3112 N/A C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe C:\Windows\System32\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe

"C:\Users\Admin\AppData\Local\Temp\9f850ca7aa37d6c00c1bd44a6a3f71d37762e0cc474a35e5b67e1d487d9f9aad.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgeComponentRuntimehostnet\worw0dI33.bat" "

C:\bridgeComponentRuntimehostnet\componentRef.exe

"C:\bridgeComponentRuntimehostnet\componentRef.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Videos\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Favorites\Links\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\LanguageModels\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DZ8Dwvi6fQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe

"C:\Program Files\Windows Security\BrowserCore\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1837dce6-ccdc-4b94-9bd2-a3daef544867.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ac48c4b-3cc5-4e10-9f14-837ae7bd1257.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 aery-messages.000webhostapp.com udp
US 145.14.145.184:80 aery-messages.000webhostapp.com tcp
US 145.14.145.184:80 aery-messages.000webhostapp.com tcp
US 8.8.8.8:53 184.145.14.145.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 145.14.145.184:80 aery-messages.000webhostapp.com tcp
US 8.8.8.8:53 aery-messages.000webhostapp.com udp
US 145.14.144.39:80 aery-messages.000webhostapp.com tcp
US 8.8.8.8:53 39.144.14.145.in-addr.arpa udp
US 145.14.144.39:80 aery-messages.000webhostapp.com tcp

Files

memory/1700-0-0x00000000007F0000-0x0000000000BF1000-memory.dmp

memory/1700-10-0x00000000007F0000-0x0000000000BF1000-memory.dmp

C:\bridgeComponentRuntimehostnet\RUoOQWhVCa6Opchlz1AD.vbe

MD5 403a1462c9f6034000cc5f6180be08b3
SHA1 fd7f04eafaaa752786aaffba321366fc1938c062
SHA256 adaf424ebd8d37a552019d5e4c8394031fadffa5411420db2a0ed8b002834424
SHA512 61437b7aa711a1f6d598a00bcbb4919be2b72d58be5b6ad525272657992726c90ff79d39436dcae07a81f73978e01a223bcd11d0a2dce2423ac12de54d4f1e2c

C:\bridgeComponentRuntimehostnet\worw0dI33.bat

MD5 349cd009e089597bd6a43bdb489cd4d3
SHA1 732820f42c008d4d5d10c04bc0f49ffcc9855619
SHA256 e4039e78bca312c284c412fc8a05d28521421824776faa4a5549a7b32742f671
SHA512 c5941a91c608027c924a366c38adff267fdad0f89b82b72db10ee632219bb5622255e97a0b02d4f46a2dd34130593ab1cf5d1c2b518b52e1c2d633c39bd9fd50

C:\bridgeComponentRuntimehostnet\componentRef.exe

MD5 526153cbd86009228ad53cd262a9c6b3
SHA1 6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
SHA256 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
SHA512 9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

memory/332-15-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

memory/332-16-0x0000000000E80000-0x00000000010F6000-memory.dmp

memory/332-17-0x000000001BD10000-0x000000001BD2C000-memory.dmp

memory/332-18-0x000000001C290000-0x000000001C2E0000-memory.dmp

memory/332-19-0x00000000019C0000-0x00000000019C8000-memory.dmp

memory/332-20-0x000000001C240000-0x000000001C256000-memory.dmp

memory/332-21-0x000000001C2E0000-0x000000001C336000-memory.dmp

memory/332-22-0x000000001C260000-0x000000001C26C000-memory.dmp

memory/332-23-0x000000001C270000-0x000000001C282000-memory.dmp

memory/332-24-0x000000001CBD0000-0x000000001D0F8000-memory.dmp

memory/332-25-0x000000001C280000-0x000000001C288000-memory.dmp

memory/332-28-0x000000001C350000-0x000000001C35C000-memory.dmp

memory/332-27-0x000000001C460000-0x000000001C46E000-memory.dmp

memory/332-26-0x000000001C450000-0x000000001C45A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DZ8Dwvi6fQ.bat

MD5 27fa206b2865a6116d20efd9a5321c47
SHA1 6c2b8aeb48da6001ae176a3b4c64543aea98ae5f
SHA256 ae3624eac1d2c2a289cdfaa037cb086673e92a53dbcaead32c5c34642bcd4873
SHA512 4bd0b318d1ba75842262685edf001719953dff61da317035765cd9ded595c49b09bd7ba314ed38a8cb13e2ff0c8d3993c0628be01fffbded1cec13207d810a39

C:\Users\Admin\AppData\Local\Temp\1837dce6-ccdc-4b94-9bd2-a3daef544867.vbs

MD5 d627f60ba2b58d0e9f08b372c2288bba
SHA1 952b3daceb679e24df8d910e9dc135fe545f90ef
SHA256 ae366485892bd07d2d38d7d478a04a3ebd208f364d85797fe79eed1996985d22
SHA512 96a6d2cf025e18697b20de0d1322e1859d6863296cd7ed093815eb65cc8a4547930f7753cde576fe1e1357221ea81c2d5039423b5baf7c89589c379458239ea9

C:\Users\Admin\AppData\Local\Temp\5ac48c4b-3cc5-4e10-9f14-837ae7bd1257.vbs

MD5 fd71bf046507149a02b8266bea39ca5a
SHA1 547858e0af078794b058e4c0d729129600687225
SHA256 248de724be4295206e483acc7e3e7c7c908401e1224ec18269ee9042f2e72021
SHA512 462d716864457f76b78cf1a3d720b7a2cc9fc9a72f482bfabdbef89c907e97f1a12a15c59811cfabc0d83e685abc292410234ee8312e60139d37c083b3942f68

memory/3480-126-0x000000001E2A0000-0x000000001E449000-memory.dmp