Malware Analysis Report

2024-10-10 12:54

Sample ID: 240531-kvbzqadf67
Target: NursultanClient.exe
SHA256: d7481cac8734f08d95bacc6aba8c846bc29edb591be84d85d2440a0f45dbba74
Tags: rat dcrat infostealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: d7481cac8734f08d95bacc6aba8c846bc29edb591be84d85d2440a0f45dbba74
Threat Level: Known bad

The file NursultanClient.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-31 08:54

Signatures

DCRat payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family (dcrat)

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 08:54
Reported: 2024-05-31 08:57
Platform: win10v2004-20240508-en
Max time kernel: 146s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe"

Signatures

DcRat (rat infostealer dcrat)

Process spawned unexpected child process

Description | Indicator | Process | Target | Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | | 9

DCRat payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\comcontainerWebmonitorsvc\msComref.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\comcontainerWebmonitorsvc\msComref.exe | N/A
N/A | N/A | C:\comcontainerWebmonitorsvc\smss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Portable Devices\upfc.exe | C:\comcontainerWebmonitorsvc\msComref.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\upfc.exe | C:\comcontainerWebmonitorsvc\msComref.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115 | C:\comcontainerWebmonitorsvc\msComref.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\comcontainerWebmonitorsvc\msComref.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 30
N/A | N/A | C:\comcontainerWebmonitorsvc\msComref.exe | N/A | 2
N/A | N/A | C:\comcontainerWebmonitorsvc\smss.exe | N/A | 9

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\comcontainerWebmonitorsvc\smss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeDebugPrivilege | N/A | C:\comcontainerWebmonitorsvc\msComref.exe | N/A
Token: SeDebugPrivilege | N/A | C:\comcontainerWebmonitorsvc\smss.exe | N/A
Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 55

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A | 55

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1684 wrote to memory of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 4152 wrote to memory of 448 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 448 wrote to memory of 2632 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\comcontainerWebmonitorsvc\msComref.exe | 2
PID 2632 wrote to memory of 4516 | N/A | C:\comcontainerWebmonitorsvc\msComref.exe | C:\Windows\System32\cmd.exe | 2
PID 4516 wrote to memory of 3464 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe | 2
PID 4516 wrote to memory of 2532 | N/A | C:\Windows\System32\cmd.exe | C:\comcontainerWebmonitorsvc\smss.exe | 2

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe

"C:\Users\Admin\AppData\Local\Temp\NursultanClient.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\comcontainerWebmonitorsvc\QCOFmH7q.bat" "

C:\comcontainerWebmonitorsvc\msComref.exe

"C:\comcontainerWebmonitorsvc\msComref.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msComref" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msComrefm" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\msComref.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\comcontainerWebmonitorsvc\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\comcontainerWebmonitorsvc\smss.exe

"C:\comcontainerWebmonitorsvc\smss.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2cc 0x494

Network


Files

C:\comcontainerWebmonitorsvc\RUyNLOkNYUEh7tK.vbe

MD5 5bd22e3a313a58c06fb058125c190ff1
SHA1 b78f042be1130c3e7e53b1a6b307d81b04db7d1a
SHA256 678960f5a802c56907c17696dcf24032de0af466fc51c52acfc073acafdbf796
SHA512 9763aa6e18836687a35d864b11d5b393e5a894b9b2b2b0f807a2be09a3293629682b9a1203e9dc923f08cdbdb8d6b48f09eb1ea66fbe2b656b5debfa721727e8

C:\comcontainerWebmonitorsvc\QCOFmH7q.bat

MD5 1f04f28016b88fe0c71d5d7be904d0ce
SHA1 f22967304324283edd54468044e9b90617bcf3a0
SHA256 194e7d5c20652a0a19a2c47f8018750b1f01484902253b80199c8fef8464d2c6
SHA512 c799facb2e2c3cbdd63a6d5208656895ee758681c99fda5bc11eaaddef0444a5c66b2129b99f4220520948735239d98a90bb74cd12ca2db7b266249b9e95f0bf

C:\comcontainerWebmonitorsvc\msComref.exe

MD5 7c8a8de9865281c8407416e925b3f891
SHA1 694341cbce25fca3ae33579ca5a9afbd7c255b3e
SHA256 dcf3590f05eb0b79fda8788f177a40432efee3c860a793ebaf84f47b40eb98a6
SHA512 46310a4675974226fbb4bb7ce522888aa58bed2147b658a8321fafbddc21f971c82c968d1de01334913c05c0d38ba62b6fb28ac5bd3d0a9fb588bc02c3f12aba

C:\Users\Admin\AppData\Local\Temp\zTR87A5U1o.bat

MD5 4cfb60f96ca7582df30ff07b83ee88d9
SHA1 42b20cdc612153b2486fc5fc5843260e62554db2
SHA256 93392efb627c655a6e671097972d2f4e61c97d00e8e83e6892414004b6f1cb08
SHA512 fa01de79ab5ad3c3205621755862b48751a63af6fd3b72cef193859d50e7f12f65c97ab859ddb592541620e0d1c67b1aeaa31c345b2d77ff51fdda2bba29fea4
