Malware Analysis Report

2024-10-10 12:49

Sample ID 240602-13rcdagg71
Target WaveUI.exe
SHA256 ed38f93edbbb98d6f5530d28a3410932680e4c053824fc4af682355594f60da4
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed38f93edbbb98d6f5530d28a3410932680e4c053824fc4af682355594f60da4

Threat Level: Known bad

The file WaveUI.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

Process spawned unexpected child process

DcRat

DCRat payload

Downloads MZ/PE file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:10

Reported

2024-06-02 22:11

Platform

win10-20240404-en

Max time kernel

11s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WaveUI.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A
N/A N/A C:\intodll\agentSaves.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\29c1c3cc0f7685 C:\intodll\agentSaves.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\csrss.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\886983d96e3d3e C:\intodll\agentSaves.exe N/A
File created C:\Program Files\WindowsPowerShell\Configuration\dllhost.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files\WindowsPowerShell\Configuration\5940a34987c991 C:\intodll\agentSaves.exe N/A
File created C:\Program Files\Windows Defender\it-IT\taskhostw.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files\Windows Defender\it-IT\ea9f0e6c9e2dcd C:\intodll\agentSaves.exe N/A
File created C:\Program Files\VideoLAN\VLC\unsecapp.exe C:\intodll\agentSaves.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\HomeGroup\agentSaves.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\Logs\HomeGroup\a21309417955a6 C:\intodll\agentSaves.exe N/A
File created C:\Windows\tracing\explorer.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\tracing\7a0fd90576e088 C:\intodll\agentSaves.exe N/A
File created C:\Windows\SoftwareDistribution\spoolsv.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\SoftwareDistribution\f3b6ecef712a24 C:\intodll\agentSaves.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\intodll\agentSaves.exe N/A
N/A N/A C:\intodll\agentSaves.exe N/A
N/A N/A C:\intodll\agentSaves.exe N/A
N/A N/A C:\intodll\agentSaves.exe N/A
N/A N/A C:\intodll\agentSaves.exe N/A
N/A N/A C:\intodll\agentSaves.exe N/A
N/A N/A C:\intodll\agentSaves.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WaveUI.exe N/A
Token: SeDebugPrivilege N/A C:\intodll\agentSaves.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\WaveUI.exe

"C:\Users\Admin\AppData\Local\Temp\WaveUI.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\intodll\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\intodll\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\intodll\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\InstallAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\intodll\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\intodll\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\intodll\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\it-IT\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentSavesa" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\HomeGroup\agentSaves.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentSaves" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\agentSaves.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentSavesa" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\agentSaves.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qyiLcYswlD.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

"C:\Users\Admin\AppData\Local\Temp\KrampUI.exe"

C:\Windows\Logs\HomeGroup\agentSaves.exe

"C:\Windows\Logs\HomeGroup\agentSaves.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 wojownicy.cloud udp
PL 46.242.248.114:80 wojownicy.cloud tcp
PL 46.242.248.114:80 wojownicy.cloud tcp

Files

memory/512-0-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp

memory/512-1-0x00000000009E0000-0x00000000009F8000-memory.dmp

memory/512-2-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wave.exe

MD5 685ff3fd7d167e37b45bda7c65fe191e
SHA1 b01fd735f75f2ac70fe78c30488cc19c0730378a
SHA256 b93a75b91fc959841d58f93830d4759f52e48ad15c16af9a18dd4d015623427f
SHA512 ae1389e64b5bf4ca6ced8a6ac1e17878684cd84ca8f342d8b3d2880129397d330838761c28e14327784fa627cedd1145036840af38dfe113e28208673d40a8b2

C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe

MD5 f1f4878ad9b863a501dc67c5abf778d8
SHA1 4e4bc06616ac50f2a213cb110db76a48726d1f8d
SHA256 05293f26bbcaf3bcc4047490be599c8e3663cf06be1422651ea2a42291cf6218
SHA512 a84fcfa4947c52531a9ae500e81ef69bed6fabb714190e9328e328bec23ca9b30c562d565aaccd3085ca086ae0814802ed54634c51bccbc6d5b84d3c8a75fb2c

C:\intodll\SNnEeg5Q2Cv9CjuPi.bat

MD5 3bcbf28bfcd7d6834260c1bfe587f748
SHA1 5903cf4f9af2c0fb7758d610cf55fca400681f31
SHA256 2c3da80e897eeac43a7af3256ff0d7ace9f47409eb807d3ea927386a18bb50b0
SHA512 1f3c27dfe1c4207a8e504e1e9fe05a00e411bf9391725d9606b189135d52896c6116d514ff339f1f825a27c283b19103725d8ada7ec3bd7337dd8ab8d1d004c4

C:\intodll\agentSaves.exe

MD5 8ee83bf5811c7d6dfc440def46698e1b
SHA1 ba308e644aa6da9c49b30cde55250bd21b46311d
SHA256 0829cf36a0c20e61d3b17d7567285d8c781956f11bcf5dfdf01bf7eec55639ee
SHA512 3b85bb9588e00962a3c6b7943682ea854dd07eb147328613a76ee12495182f293f8c9ca4e893a35998257308404d312dddeff5a2eb233f76d7360f86c0d9c61b

memory/3304-22-0x0000000000FB0000-0x0000000001086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qyiLcYswlD.bat

MD5 4fa4966ec4d42b3a3ded774e3a943fd6
SHA1 23bb91035db256dd449a002ab4fc0458d70268f8
SHA256 dbf3f5ddf3bf48c04e5515c1df58e3bdd5fa56e78886f17def556dc9b8670bcb
SHA512 9163bb288c8f9069f428b164f5d896fd5f3a567735c0e9e64db07651dd9ccd4b905688970921b81dc5e7567d4f3e990358122496c6836cfbf2775b78cbbe872e

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

MD5 cacea639f59777d6d8e4910eba412d33
SHA1 17b7470e8dde8307c54ddabd62631551e7070a8d
SHA256 c20633c97aa92391c806c7452e3cc5f9488cd8e720a8843fd48fe7962e982955
SHA512 49e8f25433d4deb7d44dc2d5c98942728e2b65f4beb49c5e8daff53ecfd1e7693ea8e863144312bf1139fc6b93cf86032fedb4244923d452cd7f7d6f57fd8bd4

C:\Users\Admin\AppData\Local\Temp\KrampUI.exe

MD5 e6387d5d8eca42683859b0f5172f6f79
SHA1 dc84f67dc219ee202cbabded44f1853294b22889
SHA256 c37bc1f802fe95d15fb4ce549e80db283579ff2abb9e7c0e4224625f7347a79b
SHA512 2619cbd439da2ccd8c785867d8359440f85e57e35bb4e05e9b75c6d58007aabd80528a23dab0fd9dccf21eaae48d47ed047f9ebde3095d2b182736fbe58d1d7c

memory/512-61-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentSaves.exe.log

MD5 b4268d8ae66fdd920476b97a1776bf85
SHA1 f920de54f7467f0970eccc053d3c6c8dd181d49a
SHA256 61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879
SHA512 03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516