Malware Analysis Report

2024-10-10 12:51

Sample ID 240601-caz7taee46
Target d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe
SHA256 d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae
Tags
rat dcrat infostealer
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae

Threat Level: Known bad

The file d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

  DcRat
  Process spawned unexpected child process
  Dcrat family
  DCRat payload
  Detects executables packed with SmartAssembly
  Executes dropped EXE
  Loads dropped DLL
  Checks computer location settings
  Legitimate hosting services abused for malware hosting/C2
  Drops file in System32 directory
  Drops file in Windows directory
  Drops file in Program Files directory
  Unsigned PE
  Enumerates physical storage devices
  Uses Task Scheduler COM API
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Suspicious use of AdjustPrivilegeToken
  Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 01:53

Signatures

DCRat payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family (dcrat)

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 01:53
Reported 2024-06-01 01:55
Platform win7-20240220-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe"

Signatures

DcRat (rat infostealer dcrat)

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |   (3 identical rows)

DCRat payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (3 identical rows)

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\portServercrt\Comcommon.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A   (2 identical rows)

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A   (2 identical rows)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\ja-JP\27d1bcfc3c54e0 | C:\portServercrt\Comcommon.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A   (6 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\portServercrt\Comcommon.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2464 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe | C:\Windows\SysWOW64\WScript.exe   (4 identical rows)
PID 2656 wrote to memory of 2576 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe   (4 identical rows)
PID 2576 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\portServercrt\Comcommon.exe   (4 identical rows)
PID 2608 wrote to memory of 2372 | N/A | C:\portServercrt\Comcommon.exe | C:\Windows\System32\cmd.exe   (3 identical rows)
PID 2372 wrote to memory of 2668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe   (3 identical rows)
PID 2372 wrote to memory of 2712 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe   (3 identical rows)
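
Reading the table above as a process tree, as an added example that is not part of the sandbox report. The rows repeat each parent/child pair once per recorded write, so the six distinct pairs are the launch chain: the sample starts WScript.exe on D wNQE.vbe, the script starts cmd.exe on ZHAklq6LBoJU.bat, the batch file starts Comcommon.exe, which runs nDdOsbL9Ya.bat through C:\Windows\System32\cmd.exe, and that shell launches w32tm.exe and then the dropped System.exe. WScript.exe and the first cmd.exe run from SysWOW64 although their command lines name System32; that is WOW64 file-system redirection for a 32-bit parent, and a rule that only matches System32 image paths misses both. The script transcribes the rows into tuples (constructed from the table, not captured by the code), collapses repeats into one edge with a count, and prints the chain.

```python
"""Rebuild the process launch chain from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. ROWS transcribes the table above
into (parent pid, child pid, parent image, child image) tuples, repeated as often
as the table repeats each row.
"""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
CMD_WOW64 = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER = r"C:\portServercrt\Comcommon.exe"
CMD_SYS32 = r"C:\Windows\System32\cmd.exe"
W32TM = r"C:\Windows\system32\w32tm.exe"
PAYLOAD = r"C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe"

# Constructed from the table: one tuple per row, including the repeats.
ROWS = (
    [(2464, 2656, SAMPLE, WSCRIPT)] * 4
    + [(2656, 2576, WSCRIPT, CMD_WOW64)] * 4
    + [(2576, 2608, CMD_WOW64, DROPPER)] * 4
    + [(2608, 2372, DROPPER, CMD_SYS32)] * 3
    + [(2372, 2668, CMD_SYS32, W32TM)] * 3
    + [(2372, 2712, CMD_SYS32, PAYLOAD)] * 3
)


class ProcessTree:
    def __init__(self):
        self.image = {}                    # pid -> image path, in first-seen order
        self.parent = {}                   # pid -> parent pid
        self.children = defaultdict(list)  # pid -> child pids, in first-seen order
        self.writes = defaultdict(int)     # (parent pid, child pid) -> rows reporting the pair

    def roots(self):
        return [pid for pid in self.image if pid not in self.parent]


def build_tree(rows):
    """Collapse repeated rows into one parent->child edge each and count the repeats."""
    tree = ProcessTree()
    for ppid, pid, pimage, image in rows:
        tree.image.setdefault(ppid, pimage)
        tree.image.setdefault(pid, image)
        if pid not in tree.parent:
            tree.parent[pid] = ppid
            tree.children[ppid].append(pid)
        tree.writes[(ppid, pid)] += 1
    return tree


def lineage(tree, pid):
    """Image paths from the root process down to pid."""
    chain = []
    while pid is not None:
        chain.append(tree.image[pid])
        pid = tree.parent.get(pid)
    return chain[::-1]


def render(tree):
    """One line per process, indented by depth, with the row count of the edge that created it."""
    lines = []

    def walk(pid, depth, note):
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(tree.image[pid])}{note}")
        for child in tree.children.get(pid, []):
            walk(child, depth + 1, f"  [{tree.writes[(pid, child)]} rows]")

    for root in tree.roots():
        walk(root, 0, "")
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_tree(ROWS))))
```

The same transcription works for the behavioral2 table, whose PIDs differ but whose chain is identical up to the final child (conhost.exe instead of System.exe).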

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe
  "C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe"

C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "

C:\portServercrt\Comcommon.exe
  "C:\portServercrt\Comcommon.exe"

C:\Windows\system32\schtasks.exe, invoked with:
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /f
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe'" /f
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDdOsbL9Ya.bat"

C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe
  "C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 naratnik888.whf.bz udp
US 198.45.114.194:80 naratnik888.whf.bz tcp
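
The schtasks.exe lines in the Processes section above follow one template per dropped copy: a MINUTE task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task that reuses the first task's /tn with /rl HIGHEST. Because /f replaces an existing task of the same name, only the last MINUTE definition survives, so each copy is left with one logon trigger and one interval trigger, both defined with /rl HIGHEST. The task name is the target's file stem or the stem with its own first character appended (System, SystemS). The w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 call in nDdOsbL9Ya.bat performs no time synchronisation; taking two samples five seconds apart simply stalls the batch file for about five seconds before System.exe is started. The Network table shows the pastebin.com fetch that triggered the "Legitimate hosting services abused" signature, followed by plain HTTP to naratnik888.whf.bz on port 80. The parser below is an added example, not part of the report: SCHTASKS_LINES is constructed from the command lines in this run plus the conhost triplet from behavioral2, and MAX_MINUTES is an assumed threshold.

```python
"""Parse schtasks.exe /create command lines and summarise the persistence each target gets.

Added example, not part of the sandbox report. SCHTASKS_LINES is constructed from the
report's Processes sections; MAX_MINUTES is an assumed threshold.
"""
import ntpath
import re
from collections import defaultdict

SCHTASKS_LINES = [
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe'" /f""",
    r"""schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f""",
    r"""schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f""",
]

MAX_MINUTES = 15  # assumption: MINUTE triggers at or below this interval count as aggressive
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a double-quoted argument or a bare word


def parse_schtasks(cmdline):
    """Return the /create options as a dict (values unquoted, bare switches True), else None."""
    tokens = TOKEN_RE.findall(cmdline)
    if not tokens or not ntpath.basename(tokens[0]).lower().startswith("schtasks"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        # /tr values arrive as "'path'": strip both quote layers
        opts[key] = tokens[i + 1].strip("\"'") if has_value else True
        i += 2 if has_value else 1
    return opts if opts.get("create") is True else None


def findings(opts):
    """Human-readable reasons one parsed task looks like this sample's persistence."""
    target = opts.get("tr", "")
    stem = ntpath.basename(target)
    if stem.lower().endswith(".exe"):
        stem = stem[:-4]
    name = opts.get("tn", "")
    sc = str(opts.get("sc", "")).upper()
    out = []
    if stem and name in (stem, stem + stem[0]):
        out.append("task name derived from the target file name")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        out.append("runs with highest privileges (/rl HIGHEST)")
    if sc == "ONLOGON":
        out.append("re-launched at every logon")
    if sc == "MINUTE" and int(opts.get("mo", 1)) <= MAX_MINUTES:
        out.append(f"re-launched every {opts.get('mo', 1)} minute(s)")
    return out


def persistence_by_target(cmdlines):
    """Group /create tasks by the executable they start and summarise the trigger mix."""
    groups = defaultdict(list)
    for line in cmdlines:
        opts = parse_schtasks(line)
        if opts:
            groups[opts.get("tr", "")].append(opts)
    summary = {}
    for target, tasks in groups.items():
        names = [t.get("tn", "") for t in tasks]
        summary[target] = {
            "tasks": len(tasks),
            "logon": sum(str(t.get("sc", "")).upper() == "ONLOGON" for t in tasks),
            "minute": sum(str(t.get("sc", "")).upper() == "MINUTE" for t in tasks),
            "highest": sum(str(t.get("rl", "")).upper() == "HIGHEST" for t in tasks),
            # /f replaces an existing task of the same name: a repeated /tn means only the last definition survives
            "overwritten_names": sorted({n for n in names if names.count(n) > 1}),
            "findings": sorted({f for t in tasks for f in findings(t)}),
        }
    return summary


if __name__ == "__main__":
    for target, info in persistence_by_target(SCHTASKS_LINES).items():
        print(target)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

On a live host the same parser can be fed the Command Line field of process-creation events (Sysmon EventID 1 or Security 4688 with command-line auditing); the pair of a derived task name and a target under C:\Recovery, Program Files or a Windows subfolder is what separates this sample's tasks from ordinary software updaters.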

Files

C:\portServercrt\DwNQE.vbe

MD5 588844585deebaa15919f153bc9447f0
SHA1 6e067e41f4abea125c891cf1672d9062d771d209
SHA256 7070398fff90d278d0f5681fa9a7923eea74811856972eaf0adaa1d738a7fcd1
SHA512 dfe8093be45de5f5b9df7310b270e3e7fc26cebcb94e5146bfab85dcc954eeb8a5d8a35d9286015493df6e087b34400df92b117390816464e1698e8f9ad4635d

C:\portServercrt\Comcommon.exe

MD5 1c3c6b206b20d18d049ed7586e330929
SHA1 aa9e8e3adb308b5a1a7d1c0495febd3ab72aacc2
SHA256 b670fb654e4d987a06482ce19145d0a487245da4e67b90175d81233e3529424e
SHA512 a81ccdfb60c92d8bd4e718fff38bae956eed71009b829d007db3975c60c361a198d94349256d558221cc90dad8215e58aa7197ae1d5c449a0c6417d027cabc53

memory/2608-13-0x0000000001010000-0x0000000001110000-memory.dmp

C:\portServercrt\ZHAklq6LBoJU.bat

MD5 db82c18bb79cfc990b4cde2874b61c10
SHA1 183605f521813b881e1a5847e569b831232c0fd1
SHA256 943267a241c1e345f7e010e95299b1af5b5cade19faddbbf46784282dbc50f13
SHA512 7cef1f08019c7bd5ed13acb8d960352acc014e88b3d2ac0708478889d117bf826346ce080e4a68bfebe10d6ffee634cd1672903ab187c60a3643f3871e72c471

memory/2608-14-0x00000000001E0000-0x00000000001EE000-memory.dmp

memory/2608-16-0x0000000000200000-0x000000000020C000-memory.dmp

memory/2608-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nDdOsbL9Ya.bat

MD5 a9ed4a2f8a2e64c20201e6301e0a5410
SHA1 55ce415c4fdfc9bc1f9a6c5a284a72cf2e79bde1
SHA256 a2a75c4b830573d622ad788f0ce8037af083addaa9cdeac6033344690ef03a64
SHA512 5657a36f030c0530812e04d55464254ff0cddaff37e5f0f4f63161d1412c2ede7d09f084df023b72f716a9df0986b2271c12619fe8985f2eb8e930a5d6789dea

memory/2712-28-0x00000000001C0000-0x00000000002C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 01:53
Reported 2024-06-01 01:55
Platform win10v2004-20240426-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe"

Signatures

DcRat (rat infostealer dcrat)

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |   (57 identical rows)

DCRat payload (rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (2 identical rows)

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\portServercrt\Comcommon.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\portServercrt\Comcommon.exe | N/A
N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A   (2 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\es-MX\Idle.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\SysWOW64\es-MX\6ccacd8608530f | C:\portServercrt\Comcommon.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Media Player\Visualizations\fontdrvhost.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Internet Explorer\en-US\unsecapp.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\WmiPrvSE.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Java\jre8\lib\c5b4cb5e9653cc | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\ModifiableWindowsApps\wininit.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\MSBuild\9e8d7a4ca61bd9 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Windows NT\upfc.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Internet Explorer\en-US\29c1c3cc0f7685 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Windows Multimedia Platform\c82b8037eab33d | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\c5b4cb5e9653cc | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\MSBuild\RuntimeBroker.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\9e8d7a4ca61bd9 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Visualizations\5b884080fd4f94 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\services.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Windows NT\ea1d8f6d871115 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Program Files\Java\jre8\lib\services.exe | C:\portServercrt\Comcommon.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ShellComponents\RuntimeBroker.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\ShellComponents\9e8d7a4ca61bd9 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\ShellComponents\fontdrvhost.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\ShellComponents\5b884080fd4f94 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\Cursors\unsecapp.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\Cursors\29c1c3cc0f7685 | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\Vss\Registry.exe | C:\portServercrt\Comcommon.exe | N/A
File created | C:\Windows\Vss\ee2ad38f3d4382 | C:\portServercrt\Comcommon.exe | N/A
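
Every executable in the three tables above carries the name of a Windows system process (RuntimeBroker, fontdrvhost, services, wininit, unsecapp, WmiPrvSE, WaaSMedicAgent, upfc) or of a kernel pseudo-process that has no executable at all (Idle, Registry; System in the behavioral1 run), and none is written to the directory where that name legitimately lives. Beside almost every copy the dropper writes a second file whose name is fourteen hex characters, and the same marker recurs wherever the same executable name is dropped: 9e8d7a4ca61bd9 next to each RuntimeBroker.exe, c5b4cb5e9653cc next to each services.exe, 29c1c3cc0f7685 next to each unsecapp.exe. Only the wininit.exe and WmiPrvSE.exe copies have no companion in the tables. The check below is an added example, not part of the report: DROPS is constructed from a subset of the created paths above plus two benign controls, HOME_DIRS is an assumed allow-list of legitimate directories, and the marker-to-name link is learned from directories that hold exactly one copy and one marker, then used to resolve directories that hold two of each (ShellComponents).

```python
"""Flag dropped files that carry a Windows system-process name outside its home directory
and pair each copy with the 14-hex-character file dropped next to it.

Added example, not part of the sandbox report. DROPS is constructed from the report's
"Drops file in ..." tables plus two benign controls; HOME_DIRS is an assumed allow-list.
"""
import ntpath
import re
from collections import defaultdict

DROPS = [
    r"C:\Windows\SysWOW64\es-MX\Idle.exe",
    r"C:\Windows\SysWOW64\es-MX\6ccacd8608530f",
    r"C:\Program Files (x86)\Windows Media Player\Visualizations\fontdrvhost.exe",
    r"C:\Program Files (x86)\Windows Media Player\Visualizations\5b884080fd4f94",
    r"C:\Program Files\Internet Explorer\en-US\unsecapp.exe",
    r"C:\Program Files\Internet Explorer\en-US\29c1c3cc0f7685",
    r"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\WmiPrvSE.exe",
    r"C:\Program Files\ModifiableWindowsApps\wininit.exe",
    r"C:\Program Files\MSBuild\RuntimeBroker.exe",
    r"C:\Program Files\MSBuild\9e8d7a4ca61bd9",
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\services.exe",
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\c5b4cb5e9653cc",
    r"C:\Program Files\Java\jre8\lib\services.exe",
    r"C:\Program Files\Java\jre8\lib\c5b4cb5e9653cc",
    r"C:\Windows\ShellComponents\RuntimeBroker.exe",
    r"C:\Windows\ShellComponents\9e8d7a4ca61bd9",
    r"C:\Windows\ShellComponents\fontdrvhost.exe",
    r"C:\Windows\ShellComponents\5b884080fd4f94",
    r"C:\Windows\Cursors\unsecapp.exe",
    r"C:\Windows\Cursors\29c1c3cc0f7685",
    r"C:\Windows\Vss\Registry.exe",
    r"C:\Windows\Vss\ee2ad38f3d4382",
    r"C:\Program Files\Windows NT\TableTextService\ja-JP\System.exe",
    r"C:\Program Files\Windows NT\TableTextService\ja-JP\27d1bcfc3c54e0",
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",        # constructed benign control
    r"C:\Users\Admin\AppData\Local\Temp\notes.txt",  # constructed benign control
]

SYS32 = r"c:\windows\system32"
WOW64 = r"c:\windows\syswow64"
# Assumed allow-list: where each name legitimately lives on a stock install. An empty
# tuple marks a kernel pseudo-process for which no on-disk executable exists at all.
HOME_DIRS = {
    "csrss.exe": (SYS32,), "conhost.exe": (SYS32,), "services.exe": (SYS32,),
    "wininit.exe": (SYS32,), "lsass.exe": (SYS32,), "runtimebroker.exe": (SYS32,),
    "fontdrvhost.exe": (SYS32,), "upfc.exe": (SYS32,), "waasmedicagent.exe": (SYS32,),
    "svchost.exe": (SYS32, WOW64), "dllhost.exe": (SYS32, WOW64),
    "wmiprvse.exe": (SYS32 + r"\wbem", WOW64 + r"\wbem"),
    "unsecapp.exe": (SYS32 + r"\wbem", WOW64 + r"\wbem"),
    "system.exe": (), "idle.exe": (), "registry.exe": (),
}
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")


def masquerade_reason(path):
    """Why the created file is a masquerade, or None if the name is unknown or in its home directory."""
    directory, name = ntpath.split(path)
    homes = HOME_DIRS.get(name.lower())
    if homes is None:
        return None
    if not homes:
        return f"{name}: kernel pseudo-process name, no legitimate executable exists"
    if directory.lower() in homes:
        return None
    return f"{name}: expected under {' or '.join(homes)}"


def find_masquerades(paths):
    return [(p, masquerade_reason(p)) for p in paths if masquerade_reason(p)]


def _by_directory(paths):
    """{directory: {"exes": [masquerading names], "markers": [14-hex names]}}"""
    index = defaultdict(lambda: {"exes": [], "markers": []})
    for p in paths:
        directory, name = ntpath.split(p)
        if MARKER_RE.match(name):
            index[directory.lower()]["markers"].append(name)
        elif masquerade_reason(p):
            index[directory.lower()]["exes"].append(name.lower())
    return index


def learn_marker_names(paths):
    """Directories holding exactly one masquerade and one marker tie that exe name to that marker."""
    links = {}
    for bucket in _by_directory(paths).values():
        if len(bucket["exes"]) == 1 and len(bucket["markers"]) == 1:
            links[bucket["exes"][0]] = bucket["markers"][0]
    return links


def pair_markers(paths):
    """Map each masquerading copy to its companion marker in the same directory (None if absent)."""
    index, links = _by_directory(paths), learn_marker_names(paths)
    pairs = {}
    for p, _ in find_masquerades(paths):
        directory, name = ntpath.split(p)
        markers = index[directory.lower()]["markers"]
        learned = links.get(name.lower())
        if learned in markers:
            pairs[p] = learned
        elif len(markers) == 1:
            pairs[p] = markers[0]
        else:
            pairs[p] = None
    return pairs
```

Against file-creation telemetry the name/location mismatch alone is the high-signal check; the marker pairing is useful afterwards for scoping cleanup, since each surviving marker points at a directory that held a copy.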

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A   (57 identical rows)

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\portServercrt\Comcommon.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\portServercrt\Comcommon.exe | N/A   (5 identical rows)
N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\portServercrt\Comcommon.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 808 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe | C:\Windows\SysWOW64\WScript.exe   (3 identical rows)
PID 2972 wrote to memory of 1632 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe   (3 identical rows)
PID 1632 wrote to memory of 4132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\portServercrt\Comcommon.exe   (2 identical rows)
PID 4132 wrote to memory of 4372 | N/A | C:\portServercrt\Comcommon.exe | C:\Windows\System32\cmd.exe   (2 identical rows)
PID 4372 wrote to memory of 4060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe   (2 identical rows)
PID 4372 wrote to memory of 3628 | N/A | C:\Windows\System32\cmd.exe | C:\Recovery\WindowsRE\conhost.exe   (2 identical rows)

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe
  "C:\Users\Admin\AppData\Local\Temp\d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae.exe"

C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portServercrt\DwNQE.vbe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\portServercrt\ZHAklq6LBoJU.bat" "

C:\portServercrt\Comcommon.exe
  "C:\portServercrt\Comcommon.exe"

C:\Windows\system32\schtasks.exe, invoked with:
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe'" /f
  schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\services.exe'" /f
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /f
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\es-MX\Idle.exe'" /f
  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SysWOW64\es-MX\Idle.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\es-MX\Idle.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\upfc.exe'" /f
  schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\upfc.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\upfc.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre8\lib\services.exe'" /f
  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre8\lib\services.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /f
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe'" /f
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\csrss.exe'" /f
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\fontdrvhost.exe'" /f
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\fontdrvhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /f
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Cursors\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\portServercrt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\portServercrt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\portServercrt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\en-US\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Vss\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1s8ND1BuBa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 naratnik888.whf.bz udp
US 198.45.114.194:80 naratnik888.whf.bz tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 194.114.45.198.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\portServercrt\DwNQE.vbe

MD5 588844585deebaa15919f153bc9447f0
SHA1 6e067e41f4abea125c891cf1672d9062d771d209
SHA256 7070398fff90d278d0f5681fa9a7923eea74811856972eaf0adaa1d738a7fcd1
SHA512 dfe8093be45de5f5b9df7310b270e3e7fc26cebcb94e5146bfab85dcc954eeb8a5d8a35d9286015493df6e087b34400df92b117390816464e1698e8f9ad4635d

C:\portServercrt\ZHAklq6LBoJU.bat

MD5 db82c18bb79cfc990b4cde2874b61c10
SHA1 183605f521813b881e1a5847e569b831232c0fd1
SHA256 943267a241c1e345f7e010e95299b1af5b5cade19faddbbf46784282dbc50f13
SHA512 7cef1f08019c7bd5ed13acb8d960352acc014e88b3d2ac0708478889d117bf826346ce080e4a68bfebe10d6ffee634cd1672903ab187c60a3643f3871e72c471

C:\portServercrt\Comcommon.exe

MD5 1c3c6b206b20d18d049ed7586e330929
SHA1 aa9e8e3adb308b5a1a7d1c0495febd3ab72aacc2
SHA256 b670fb654e4d987a06482ce19145d0a487245da4e67b90175d81233e3529424e
SHA512 a81ccdfb60c92d8bd4e718fff38bae956eed71009b829d007db3975c60c361a198d94349256d558221cc90dad8215e58aa7197ae1d5c449a0c6417d027cabc53

memory/4132-12-0x00007FFADB073000-0x00007FFADB075000-memory.dmp

memory/4132-13-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/4132-14-0x00000000027C0000-0x00000000027CE000-memory.dmp

memory/4132-15-0x00000000027D0000-0x00000000027DC000-memory.dmp

memory/4132-16-0x00000000027E0000-0x00000000027EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1s8ND1BuBa.bat

MD5 6ffae3937e9d54f7626dbaf66b8a0c15
SHA1 e029ab30b157ca250e764bea953752954a34944e
SHA256 abdcf269b24dc9c8d88695b738d64c1c5a71526ed8ff92f1785c4af21ae92676
SHA512 6e59573e99aa261a8eedbefaa02254ee8f34d4d5d36e16827518548690e987262f2f4f6ff891bb1ab3cf110c909b6159ecd14d1544a0a6a04362b46c1520bb59