Malware Analysis Report

2024-11-13 13:43

Sample ID 240516-becfwadc83
Target 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe
SHA256 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924
Tags rat dcrat infostealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924

Threat Level: Known bad

The file 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DCRat payload

DcRat

Dcrat family

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 01:03

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 01:03

Reported

2024-05-16 01:05

Platform

win7-20240419-en

Max time kernel

119s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (54 occurrences, one per schtasks.exe process listed below)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (3 matches, no indicator recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\Desktop\lsm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\de-DE\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\7-Zip\Lang\56085415360792 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\dllhost.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\7-Zip\Lang\wininit.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\MSBuild\csrss.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\MSBuild\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Registration\CRMLog\lsass.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\Registration\CRMLog\6203df4a6bafc7 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\Downloaded Program Files\dwm.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\Downloaded Program Files\6cb0b6c459d5d3 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\diagnostics\system\Device\taskhost.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (54 occurrences, one per schtasks.exe process listed below)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Public\Desktop\lsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\lsm.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe

"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\Users\Default\Videos\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Vault\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Vault\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Vault\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Templates\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YEA7wgkB3K.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\Desktop\lsm.exe

"C:\Users\Public\Desktop\lsm.exe"
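The process list above is the whole DCRat persistence routine laid out in order. For every copy the dropper writes, always under a Windows system-process name (smss.exe, lsass.exe, lsm.exe, csrss.exe and so on) but never inside System32, it registers three scheduled tasks: a repeating /sc MINUTE task whose name is the binary name with its own first character appended (smsss, lsassl, lsml, IdleI, and 0d57…579240 for the hash-named copy), an /sc ONLOGON task with /rl HIGHEST, and a second /sc MINUTE task with /rl HIGHEST. The batch file then runs w32tm /stripchart against localhost, which is a delay loop that needs neither sleep nor timeout, before starting the dropped lsm.exe. Note that the sandbox attributes the schtasks.exe children to wmiprvse.exe rather than to the dropper, which is what a process started through WMI's Win32_Process.Create looks like, so a detection that keys only on the dropper being the direct parent misses all 54 of them. The Python below is an added example, not code from the report: it triages constructed process-creation events built from six of the command lines above (the schtasks parent is the one the report's signature names; PIDs, the other parent images and the EXPECTED_SCHTASKS_PARENTS list are assumptions) and flags the parent anomaly, the masquerading target paths, the sleep substitute and the three-task pattern.

```python
"""Triage process-creation events from a DCRat-style detonation.

Added example; not part of the sandbox report. The schtasks command lines
are copied from the report, their parent image is the one the report's
signature names (wmiprvse.exe), and the PIDs, the other parent images and
EXPECTED_SCHTASKS_PARENTS are assumptions made for this example.
"""
import re
from collections import defaultdict

# Names the dropper borrows. Legitimate images with these names live only
# under System32/SysWOW64 ("Idle" is not a file at all).
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "lsm.exe", "svchost.exe", "dwm.exe", "taskhost.exe",
    "dllhost.exe", "sppsvc.exe", "idle.exe", "spoolsv.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents with a routine reason to launch schtasks.exe (assumption; tune per estate).
EXPECTED_SCHTASKS_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe"}


def basename(path):
    return path.strip("'\"").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def masquerading_path(path):
    """A system-process name outside System32/SysWOW64 is a masquerade."""
    p = path.strip("'\"").lower()
    return basename(p) in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def parse_schtasks(cmdline):
    """Map schtasks switches to values (/tn, /sc, /mo, /tr, /rl); bare flags map to ''."""
    opts = {}
    for key, val in re.findall(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?', cmdline):
        opts[key.lower()] = val.strip('"').strip("'")
    return opts


def triage(events):
    """Return (rule, pid, detail) findings for a list of process-creation events."""
    findings = []
    tasks_by_target = defaultdict(list)
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if image == "schtasks.exe":
            if parent not in EXPECTED_SCHTASKS_PARENTS:
                findings.append(("unexpected_schtasks_parent", ev["pid"], parent))
            opts = parse_schtasks(ev["cmdline"])
            if "create" in opts:
                target = opts.get("tr", "")
                tasks_by_target[target.lower()].append(opts)
                if masquerading_path(target):
                    findings.append(("task_runs_masquerading_binary", ev["pid"], target))
        elif image == "w32tm.exe" and "/stripchart" in ev["cmdline"].lower() and parent == "cmd.exe":
            # w32tm /stripchart against localhost is a sleep substitute in batch scripts.
            findings.append(("w32tm_stripchart_delay", ev["pid"], ev["cmdline"]))
        elif masquerading_path(ev["image"]):
            findings.append(("masquerading_binary_executed", ev["pid"], ev["image"]))
    # DCRat registers three tasks per copy: a MINUTE task, an ONLOGON task at
    # HIGHEST run level and a second MINUTE task at HIGHEST; the repeating
    # tasks are named <binary><first char of binary> (smss -> smsss).
    for target, tasks in tasks_by_target.items():
        names = {t.get("tn", "") for t in tasks}
        scheds = {t.get("sc", "").upper() for t in tasks}
        highest = any(t.get("rl", "").upper() == "HIGHEST" for t in tasks)
        suffixed = any(a == b + b[:1] for a in names for b in names if a != b)
        if len(tasks) >= 3 and {"ONLOGON", "MINUTE"} <= scheds and highest and suffixed:
            findings.append(("dcrat_task_triad", None, target))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"
WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Six of the 54 schtasks command lines from the report (two complete triads).
SCHTASKS_LINES = r'''
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\lsm.exe'" /f
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\lsm.exe'" /rl HIGHEST /f
'''.strip().splitlines()

# Constructed events: PIDs and non-schtasks parents are assumptions.
EVENTS = [
    {"pid": 2944, "parent": r"C:\Windows\explorer.exe", "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    *({"pid": 3000 + i, "parent": WMIPRVSE, "image": r"C:\Windows\system32\schtasks.exe", "cmdline": line}
      for i, line in enumerate(SCHTASKS_LINES)),
    {"pid": 3100, "parent": SAMPLE, "image": CMD,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YEA7wgkB3K.bat"'},
    {"pid": 3101, "parent": CMD, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 2956, "parent": CMD, "image": r"C:\Users\Public\Desktop\lsm.exe",
     "cmdline": r'"C:\Users\Public\Desktop\lsm.exe"'},
]

if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The triad rule deliberately needs all four properties (three or more tasks on one target, both ONLOGON and MINUTE schedules, a HIGHEST run level and the first-character task-name suffix) so that an administrator's single maintenance task on an odd path does not trip it; the masquerade rule, by contrast, fires on a single event, because no legitimate lsass.exe or smss.exe is ever launched from Public\Desktop or Program Files.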

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0981008.xsph.ru udp
RU 141.8.192.169:80 a0981008.xsph.ru tcp
RU 141.8.192.169:80 a0981008.xsph.ru tcp
RU 141.8.192.169:80 a0981008.xsph.ru tcp

Files

memory/2944-0-0x000007FEF5F53000-0x000007FEF5F54000-memory.dmp

memory/2944-1-0x0000000000AF0000-0x0000000000BC6000-memory.dmp

memory/2944-2-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

C:\Users\Public\Favorites\services.exe

MD5 3a1b3746d26413c8668fb533ab612284
SHA1 875d159c892558473519f947c0421672717f7e2c
SHA256 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924
SHA512 26f20ae889e6a327d6cd710082c0a2ccf4e94a6cc90bd8b3916f7b28a00e7f7c23448c7dfc817242b48e80468779b815133db64a7a4b7b77dc8729a940e5a8fe
The SHA256 is identical to the submitted sample: this dropped copy is an unmodified clone of the original, so the sample's own hash matches it on disk.

C:\Users\Admin\AppData\Local\Temp\YEA7wgkB3K.bat

MD5 25605db4dc3fffef2cd62eb9f11892bb
SHA1 b46eb670e9fe78e70a95e06119500e4b2eb59a47
SHA256 ba938e898bb081145ddca44f44ddd18af46921fc9b450c140a863825df16fc73
SHA512 6d562b18b82970e05472a1e1db60586c40538c9b84c501b3907e7bdbe0ed739250acfb134d54a90e53a641672c62a5d21f0a3117701b5fcab6be36df969bb83b
This is the script launched by the cmd.exe /C command in the process list; its contents are not shown in this report.

memory/2944-44-0x000007FEF5F50000-0x000007FEF693C000-memory.dmp

memory/2956-47-0x0000000001170000-0x0000000001246000-memory.dmp
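Two cheap hunt keys fall out of the file listings above. Most dropped executables sit next to a companion file whose name is exactly 14 hexadecimal characters (69ddcba757bf72 beside smss.exe, 6203df4a6bafc7 beside lsass.exe, 886983d96e3d3e beside csrss.exe), and the one dropped copy that was hashed is byte-identical to the sample. The Python below is an added example, not code from the report: it lays out a throwaway directory tree that imitates a few of the listed drop locations (file contents, the stand-in "sample" bytes and the benign 7z.exe control are constructed here), then scans it for the marker-file pattern and for executables whose SHA-256 matches a known hash.

```python
"""Hunt a file system for the drop pattern recorded in the report.

Added example; not part of the sandbox report. The directory tree, the
stand-in sample bytes and the benign control file are constructed here.
"""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# DCRat drops a companion file with a 14-hex-character name beside each copy.
MARKER_NAME = re.compile(r"^[0-9a-f]{14}$")

# Stand-in for the sample's bytes; the real binary is not reproduced here.
SAMPLE_BYTES = b"MZ-constructed-stand-in-for-0d57ce22...e57924-not-the-real-binary"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_marker_pairs(root):
    """Return (exe, marker) pairs: an .exe beside a file named with exactly 14 hex chars.

    The marker survives even when the executable is renamed, which makes it
    a useful key on its own."""
    pairs = []
    for exe in root.rglob("*.exe"):
        for sibling in exe.parent.iterdir():
            if sibling.is_file() and MARKER_NAME.match(sibling.name):
                pairs.append((exe, sibling))
    return pairs


def find_copies(root, known_hashes):
    """Return executables whose SHA-256 is in known_hashes (clones of the sample)."""
    return [p for p in root.rglob("*.exe") if sha256_file(p) in known_hashes]


def build_demo_tree(root):
    """Imitate three of the report's drop locations plus a benign control (constructed)."""
    drops = {
        "Program Files (x86)/Windows Sidebar/de-DE/smss.exe": "69ddcba757bf72",
        "Windows/Registration/CRMLog/lsass.exe": "6203df4a6bafc7",
        "Users/Public/Favorites/services.exe": None,  # hashed copy; no marker in the listing
    }
    for rel, marker in drops.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(SAMPLE_BYTES)
        if marker:
            (p.parent / marker).write_bytes(b"\x00")
    benign = root / "Program Files/7-Zip/7z.exe"
    benign.parent.mkdir(parents=True, exist_ok=True)
    benign.write_bytes(b"MZ benign control binary")
    (benign.parent / "readme.txt").write_text("not a marker")


def demo():
    """Build the tree in a temp dir, run both hunts, clean up, return the hits."""
    root = Path(tempfile.mkdtemp(prefix="dcrat-hunt-"))
    try:
        build_demo_tree(root)
        pairs = find_marker_pairs(root)
        copies = find_copies(root, {SAMPLE_SHA256})
        return {
            "marker_exes": sorted(e.relative_to(root).as_posix() for e, _ in pairs),
            "markers": sorted(m.name for _, m in pairs),
            "copies": sorted(p.relative_to(root).as_posix() for p in copies),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, hits in demo().items():
        print(key, hits)
```

On a real host, point find_marker_pairs and find_copies at C:\ (or at the specific roots the report names: Program Files, Windows, Users\Public, Recovery, MSOCache) and feed find_copies the sample's SHA-256 from the header of this report; the marker scan is fast because it never opens a file, while the hash scan reads every executable and should be run second.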

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 01:03

Reported

2024-05-16 01:05

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
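
The rows above record schtasks.exe with C:\Windows\system32\wbem\wmiprvse.exe as its parent, which is the "Process spawned unexpected child process" signature. Launching a command through WMI (Win32_Process.Create) makes WmiPrvSE.exe the recorded parent of the new process; that is the usual explanation for this lineage, although the report itself only records the parent/child pair. The Python below is an added example written for this page, not part of the sandbox's output: it runs a few lineage and command-line rules over constructed Sysmon Event ID 1-style records that mirror the process list in this report. PIDs, parent images and the benign control rows are assumptions, as is the list of legitimate directories for system binary names; reading the w32tm /stripchart call as a timing delay is also an interpretation, since the report only shows the command.

```python
import ntpath
import re

# Constructed records (pid, ppid, image, cmdline) mirroring this report's process list.
# PIDs, parent relationships and the benign control rows are assumed.
EVENTS = [
    (1000, 4,    r"C:\Windows\explorer.exe", "explorer.exe"),
    (1968, 1000, r"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"'),
    (700,  4,    r"C:\Windows\system32\svchost.exe", "svchost.exe -k DcomLaunch"),
    (3000, 700,  r"C:\Windows\system32\wbem\wmiprvse.exe", "C:\\Windows\\system32\\wbem\\wmiprvse.exe"),
    (3100, 3000, r"C:\Windows\system32\schtasks.exe",
                 r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /rl HIGHEST /f'''),
    (3200, 1968, r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ClHr12lP5M.bat"'),
    (3300, 3200, r"C:\Windows\system32\w32tm.exe",
                 "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    (3400, 3200, r"C:\Windows\Web\MusNotification.exe", r'"C:\Windows\Web\MusNotification.exe"'),
    # benign controls (constructed): an admin querying tasks from a console, the real MusNotification.exe
    (3500, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (3600, 3500, r"C:\Windows\system32\schtasks.exe", "schtasks /query /fo LIST"),
    (3700, 700,  r"C:\Windows\System32\MusNotification.exe", "MusNotification.exe"),
]

# Children that WmiPrvSE.exe has no business starting (assumed list).
WMI_UNEXPECTED_CHILDREN = {"schtasks.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
                           "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# System binary names this sample reuses for its dropped copies (from the Drops file and
# schtasks lists in this report) and the directories where the real ones live (assumed).
SYSTEM_NAMES = {"services.exe", "wininit.exe", "csrss.exe", "spoolsv.exe", "taskhostw.exe",
                "musnotification.exe", "textinputhost.exe", "sppextcomobj.exe",
                "backgroundtaskhost.exe", "searchapp.exe", "explorer.exe"}
LEGIT_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs",
                  r"c:\windows\systemapps", r"c:\program files\windowsapps")
BAT_FROM_TEMP = re.compile(r'/c\s+"?[^"]*\\temp\\[^"]*\.bat', re.IGNORECASE)


def in_legit_dir(image):
    """True when a system binary name sits in a directory the real one is installed in."""
    d = ntpath.dirname(image).lower()
    if ntpath.basename(image).lower() == "explorer.exe" and d == r"c:\windows":
        return True
    return any(d == p or d.startswith(p + "\\") for p in LEGIT_PREFIXES)


def detect(events):
    """Return (pid, rule, detail) for every rule that fires on a record."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        name = ntpath.basename(image).lower()
        parent = by_pid.get(ppid)
        parent_name = ntpath.basename(parent[2]).lower() if parent else ""
        lowered = cmdline.lower()
        if parent_name == "wmiprvse.exe" and name in WMI_UNEXPECTED_CHILDREN:
            hits.append((pid, "wmi-spawned-child", "%s started by wmiprvse.exe" % name))
        if name in SYSTEM_NAMES and not in_legit_dir(image):
            hits.append((pid, "system-name-wrong-dir", image))
        if name == "w32tm.exe" and "/stripchart" in lowered and "/computer:localhost" in lowered:
            hits.append((pid, "w32tm-delay", cmdline))   # interpretation: used as a sleep
        if name == "cmd.exe" and BAT_FROM_TEMP.search(cmdline):
            hits.append((pid, "bat-from-temp", cmdline))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print("pid %-5d %-22s %s" % (pid, rule, detail))
```

The control rows show the boundary of each rule: schtasks.exe started from a console under explorer.exe does not fire, and MusNotification.exe fires only when it runs from C:\Windows\Web rather than System32. In a real deployment the parent image comes from the ParentImage field of the Sysmon event rather than from a PID lookup, which avoids PID reuse problems.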

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Web\MusNotification.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\Windows Portable Devices\Idle.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\Windows Portable Devices\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\eddb19405b7ce1 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\2fc4ebd81aba05 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\e1ef82546f0b02 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\System.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\Web\MusNotification.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\Web\aa97147c4c782d C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\CSC\TextInputHost.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
File created C:\Windows\Speech\Engines\SR\en-US\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
54 rows, all identical (one per schtasks.exe /create invocation listed under Processes):
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
26 rows, all identical:
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
9 rows, all identical:
N/A N/A C:\Windows\Web\MusNotification.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Web\MusNotification.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\MusNotification.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe

"C:\Users\Admin\AppData\Local\Temp\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\MusNotification.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\Web\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\MusNotification.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Downloads\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e579240" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ClHr12lP5M.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\MusNotification.exe

"C:\Windows\Web\MusNotification.exe"
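
The 54 schtasks.exe command lines above follow one pattern per dropped binary: a MINUTE task named "<name><letter>" without /rl, an ONLOGON task named "<name>" with /rl HIGHEST, and a second MINUTE task that reuses the "<name><letter>" name with /rl HIGHEST. Because every command carries /f, schtasks.exe overwrites an existing task of the same name, so the second MINUTE definition replaces the first, and where a name is reused for two paths (the hash-named tasks, wininit, backgroundTaskHost and SppExtComObj each appear for two directories) the later path wins. There are 18 distinct target paths; replaying all 54 commands therefore leaves 28 surviving task definitions. The Python below is an added example written for this page, not code from the sandbox or from the sample: it parses the command lines, replays them to find which definitions survive, lists every path a task ever pointed at (the files to collect and remove), and emits matching schtasks /delete lines. The embedded command lines are a subset copied verbatim from the list above; nothing else is taken from the report.

```python
import re

# A subset of the schtasks.exe command lines copied verbatim from this report's Processes list.
SCHTASKS_CMDLINES = [
    r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /f""",
    r"""schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\services.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\MusNotification.exe'" /f""",
    r"""schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\Web\MusNotification.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\MusNotification.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f""",
]

# /flag followed by an optional value: either a double-quoted string or a bare token.
FLAG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/"]\S*))?')


def _unquote(value):
    # The /tr value arrives as "'C:\path\x.exe'": double quotes from the command line,
    # single quotes added by the sample. Strip both layers.
    return value.strip('"').strip("'")


def parse_schtasks_create(cmdline):
    flags = {}
    for flag, value in FLAG_RE.findall(cmdline):
        flags[flag.lower()] = _unquote(value) if value else True
    if "create" not in flags:
        raise ValueError("not a schtasks /create command line: %r" % cmdline)
    mo = flags.get("mo")
    return {
        "name": flags.get("tn"),
        "schedule": flags.get("sc"),
        "modifier": int(mo) if mo is not None else None,
        "target": flags.get("tr"),
        "run_level": flags.get("rl"),      # None when no /rl was given
        "force": "f" in flags,
    }


def effective_tasks(cmdlines):
    """Replay the commands in order; with /f a later /create with the same /tn replaces
    the earlier task, so only the last definition per name survives."""
    tasks = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        tasks[task["name"]] = task
    return tasks


def targets_by_path(cmdlines):
    """Every path a task ever pointed at, with the task names that referenced it.
    This is the file list to collect and remove, independent of which definitions survived."""
    by_path = {}
    for line in cmdlines:
        task = parse_schtasks_create(line)
        by_path.setdefault(task["target"], set()).add(task["name"])
    return by_path


def high_integrity_tasks(tasks):
    return sorted(name for name, t in tasks.items() if t["run_level"] == "HIGHEST")


def cleanup_commands(tasks):
    """schtasks /delete lines for the surviving names (/delete and /f are real switches);
    review before running on a live host."""
    return ['schtasks /delete /tn "%s" /f' % name for name in tasks]


if __name__ == "__main__":
    tasks = effective_tasks(SCHTASKS_CMDLINES)
    print("%d /create commands -> %d surviving tasks" % (len(SCHTASKS_CMDLINES), len(tasks)))
    for name, t in tasks.items():
        print("%-18s %-8s mo=%-4s rl=%-8s %s" % (name, t["schedule"], t["modifier"], t["run_level"], t["target"]))
    for path, names in sorted(targets_by_path(SCHTASKS_CMDLINES).items()):
        print("drop target %s  <- %s" % (path, ", ".join(sorted(names))))
    print("\n".join(cleanup_commands(tasks)))
```

On the subset above the replay leaves six tasks, all at /rl HIGHEST, and "wininitw"/"wininit" end up pointing at C:\Recovery\WindowsRE\wininit.exe even though the AccountPictures copy was registered first; both paths still appear in the target list, which is why the file inventory is built from every command rather than from the survivors.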

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 a0981008.xsph.ru udp
RU 141.8.192.169:80 a0981008.xsph.ru tcp
RU 141.8.192.169:80 a0981008.xsph.ru tcp
US 8.8.8.8:53 169.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 141.8.192.169:80 a0981008.xsph.ru tcp
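
Most rows in the table above are PTR lookups sent to 8.8.8.8 and HTTPS to Bing hosts; the only destination that is neither is a0981008.xsph.ru on 141.8.192.169:80, contacted three times over TCP. The Python below is an added example for this page, not output of the sandbox: it separates the table into forward connections, benign-looking OS traffic and candidate C2, and it reverses the in-addr.arpa names back to IPv4 addresses so PTR lookups can be tied to peers that actually appear in the connection rows (169.192.8.141.in-addr.arpa is 141.8.192.169, 177.196.17.2.in-addr.arpa is the Bing address 2.17.196.177). The rows are copied from the table; the list of benign suffixes is an assumption, and whether any of the PTR lookups were issued by the sample or by Windows is not something the table states.

```python
import ipaddress
from collections import Counter

# Rows copied from this report's Network table: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("BE", "2.17.196.177:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "177.196.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "a0981008.xsph.ru", "udp"),
    ("RU", "141.8.192.169:80", "a0981008.xsph.ru", "tcp"),
    ("RU", "141.8.192.169:80", "a0981008.xsph.ru", "tcp"),
    ("US", "8.8.8.8:53", "169.192.8.141.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("RU", "141.8.192.169:80", "a0981008.xsph.ru", "tcp"),
]

RESOLVER = "8.8.8.8:53"
# Assumption: hosts Windows contacts on its own in a sandbox; treat as noise unless
# process attribution says the sample made the connection.
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")


def ptr_to_ip(name):
    """'169.192.8.141.in-addr.arpa' -> '141.8.192.169'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def is_benign(domain):
    return domain.endswith(BENIGN_SUFFIXES)


def triage(rows):
    connections = Counter()   # (domain, ip:port) -> number of non-DNS connection rows
    ptr = {}                  # IP recovered from a PTR name -> the PTR name
    for _country, dest, domain, _proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            ptr[ip] = domain
        elif dest != RESOLVER:          # forward DNS rows carry no peer; skip them
            connections[(domain, dest)] += 1
    peers = {dest.split(":")[0] for _, dest in connections}
    return {
        "candidates": {k: n for k, n in connections.items() if not is_benign(k[0])},
        "benign": {k: n for k, n in connections.items() if is_benign(k[0])},
        "ptr_correlated": {ip: name for ip, name in ptr.items() if ip in peers},
        "ptr_uncorrelated": sorted(ip for ip in ptr if ip not in peers),
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for (domain, dest), n in result["candidates"].items():
        print("candidate C2: %s (%s) x%d" % (domain, dest, n))
    for ip, name in result["ptr_correlated"].items():
        print("PTR %s matches connected peer %s" % (name, ip))
    print("PTR lookups with no matching connection:", ", ".join(result["ptr_uncorrelated"]))
```

The candidate list is what goes into a blocklist; the uncorrelated PTR addresses are worth a second look only if another data source shows the sample resolving or connecting to them.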

Files

memory/1968-0-0x00007FFE57C23000-0x00007FFE57C25000-memory.dmp

memory/1968-1-0x0000000000400000-0x00000000004D6000-memory.dmp

memory/1968-4-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

C:\Users\Public\AccountPictures\wininit.exe

MD5 3a1b3746d26413c8668fb533ab612284
SHA1 875d159c892558473519f947c0421672717f7e2c
SHA256 0d57ce22e6ce4c0c232e21fbfab3ebde73d0a2f0f210602ece8d066d37e57924
SHA512 26f20ae889e6a327d6cd710082c0a2ccf4e94a6cc90bd8b3916f7b28a00e7f7c23448c7dfc817242b48e80468779b815133db64a7a4b7b77dc8729a940e5a8fe

memory/1968-44-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ClHr12lP5M.bat

MD5 5d07efcba474f9b2f7d07695b176c113
SHA1 47a0444fc72b55c9ad3e4f7c2a7611ab9cc643fa
SHA256 afe0aebbadbfb680e425de4acc28c2dce8448e29302bb5ee5c1fee296ecc5661
SHA512 720b258662f5a69aa8de824dca394bb17a938425c6aac7176ebdcd8524c6d0bf1c96b3c8668060c2efba8acfdc34114f78ab80c2b4a7e741c1bc7f064b261fd1