Malware Analysis Report

2024-10-10 12:49

Sample ID 240603-d3tfeaba92
Target c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3
SHA256 c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3
Tags
dcrat bootkit evasion infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3

Threat Level: Known bad

The file c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3 was found to be: Known bad.

Malicious Activity Summary

dcrat bootkit evasion infostealer persistence rat spyware stealer trojan

DcRat

Process spawned unexpected child process

Detects executables containing base64 encoded gzip files

Identifies VirtualBox via ACPI registry values (likely anti-VM)

DCRat payload

Detects executables packed with SmartAssembly

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Identifies Wine through registry keys

Reads user/profile data of web browsers

Checks whether UAC is enabled

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 03:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 03:32

Reported

2024-06-03 03:34

Platform

win7-20240215-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (21 events, one per schtasks.exe /create in the Processes list below)

All 21 schtasks.exe invocations carry WmiPrvSE.exe as their parent. That is the parent Windows assigns to processes started through WMI (Win32_Process.Create), so the evidence is consistent with the payload registering its tasks over WMI rather than spawning schtasks.exe directly; in a parent/child process tree the schtasks.exe processes therefore do not appear under the payload.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no indicator detail recorded)

Detects executables containing base64 encoded gzip files

Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no indicator detail recorded)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Windows\IME\csrss.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\IME\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\IME\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
N/A N/A C:\Windows\IME\csrss.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine C:\Windows\IME\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\IME\csrss.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\IME\csrss.exe N/A

The indicator is a write-capable handle to the raw disk device (\??\PhysicalDrive0). The report records no bytes written to sector 0, so an altered boot sector is not confirmed by this evidence alone; compare the MBR of a disk image taken after detonation with a clean one before treating the bootkit tag as established.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
N/A N/A C:\Windows\IME\csrss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\services.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files (x86)\Windows NT\c5b4cb5e9653cc C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\System.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files (x86)\Windows Mail\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files (x86)\Windows Mail\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IME\csrss.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Windows\IME\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Windows\Speech\Common\services.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 and the subject encoded in the Blob below (the hex 496e7465726e65742053656375726974792052657365617263682047726f7570 and 4953524720526f6f74205831 decode to "Internet Security Research Group" and "ISRG Root X1") identify the public Let's Encrypt root CA, which the Windows 7 image does not ship with. A widely trusted public root landing in the machine ROOT store while a process makes its first HTTPS connections (see Network below) is what Windows' own root-certificate update produces, so this signature does not by itself show an attacker-controlled certificate being trusted; an injected root would carry an unfamiliar thumbprint and subject.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\IME\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Windows\IME\csrss.exe N/A
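The Blob value above is a CryptoAPI serialized certificate context: a sequence of property records, each a little-endian DWORD property id, a DWORD flags field, a DWORD length and the data, in which property 3 is the SHA-1 thumbprint and property 32 is the DER certificate. The parser below is an added example and is not part of the sandbox report. It embeds only the first 417 bytes of the report's Blob (through the certificate's subject Name) so the listing stays short; the truncation is this example's, not the report's, and the declared record length shows how much DER is missing. It walks the DER far enough to read serial, issuer, validity and subject without a third-party library, and, when the certificate record is complete, checks that the SHA-1 of the DER matches the stored thumbprint. Property names follow wincrypt.h; the tiny DER used to exercise the complete-record path in the usage is constructed and is not a real certificate.

```python
"""Parse a CryptoAPI certificate store Blob (the registry value above) with the standard library only."""
import hashlib
import struct

# Property ids from wincrypt.h (CERT_*_PROP_ID) that appear in the report's Blob.
PROP_NAMES = {3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID", 15: "CERT_SIGNATURE_HASH_PROP_ID",
              20: "CERT_KEY_IDENTIFIER_PROP_ID", 25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
              32: "CERT_CERT_PROP_ID"}
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}

# Issuer/subject Name from the report's Blob (identical: the root is self-signed).
NAME_HEX = ("304f310b300906035504061302555331293027060355040a1320"
            "496e7465726e65742053656375726974792052657365617263682047726f7570"
            "311530130603550403130c4953524720526f6f74205831")
# First 417 bytes of the report's Blob. This example cuts it after the subject Name, so the
# CERT_CERT_PROP_ID record (declared 0x56f = 1391 bytes) is deliberately truncated here.
REPORT_BLOB_HEX = (
    "04000000" "01000000" "10000000" "0cd2f9e0da1773e9ed864da5e370e74e"          # 4: MD5 hash
    "14000000" "01000000" "14000000" "79b459e67bb6e5e40173800888c81a58f6e99b6e"  # 20: key identifier
    "03000000" "01000000" "14000000" "cabd2a79a1076a31f21d253635cb039d4329a5e8"  # 3: SHA-1 thumbprint
    "0f000000" "01000000" "20000000" "3f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "19000000" "01000000" "10000000" "2fe1f70bb05d7c92335bc5e05b984da6"          # 25: SPKI MD5
    "20000000" "01000000" "6f050000"                                              # 32: DER follows
    "3082056b" "30820353" "a003020102" "0211008210cfb0d240e3594463e0bb63828b00"  # Certificate, tbs, v3, serial
    "300d06092a864886f70d01010b0500"                                              # sha256WithRSAEncryption
    + NAME_HEX                                                                    # issuer
    + "301e170d3135303630343131303433385a170d3335303630343131303433385a"          # validity (two UTCTime)
    + NAME_HEX                                                                    # subject
)


def parse_blob(blob: bytes) -> list:
    """Split a Blob into property records; a short final record is kept and flagged as truncated."""
    records, off = [], 0
    while off + 12 <= len(blob):
        prop_id, _flags, length = struct.unpack_from("<III", blob, off)
        data = blob[off + 12:off + 12 + length]
        records.append({"id": prop_id, "name": PROP_NAMES.get(prop_id, f"PROP_{prop_id}"),
                        "declared_len": length, "data": data, "truncated": len(data) < length})
        off += 12 + length
    return records


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[start:end]; stops cleanly at a cut."""
    off, end = start, min(end, len(buf))
    while off + 2 <= end:
        tag, length = buf[off], buf[off + 1]
        off += 2
        if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
            n = length & 0x7F
            length = int.from_bytes(buf[off:off + n], "big")
            off += n
        yield tag, off, min(off + length, end)
        off += length


def parse_name(buf: bytes, start: int, end: int) -> dict:
    """X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) -> {'C': 'US', 'O': ..., 'CN': ...}."""
    name = {}
    for _set, s, e in der_children(buf, start, end):
        for _seq, s2, e2 in der_children(buf, s, e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(der_children(buf, s2, e2))[:2]
            name[OID_NAMES.get(buf[oid_s:oid_e], buf[oid_s:oid_e].hex())] = buf[val_s:val_e].decode("latin-1")
    return name


def cert_summary(der: bytes) -> dict:
    """Read serial, issuer, validity and subject from Certificate -> tbsCertificate."""
    _, cert_s, cert_e = next(der_children(der, 0, len(der)))
    _, tbs_s, tbs_e = next(der_children(der, cert_s, cert_e))
    fields = list(der_children(der, tbs_s, tbs_e))
    if fields and fields[0][0] == 0xA0:  # EXPLICIT [0] version is optional (absent for v1 certs)
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = (der[s:e].decode("ascii") for _, s, e in der_children(der, validity[1], validity[2]))
    return {"serial": der[serial[1]:serial[2]].hex(), "issuer": parse_name(der, issuer[1], issuer[2]),
            "not_before": not_before, "not_after": not_after, "subject": parse_name(der, subject[1], subject[2])}


def analyze_blob(blob: bytes) -> dict:
    """Tie the records together: thumbprint, DER, and whether the DER really hashes to the thumbprint."""
    records = parse_blob(blob)
    by_id = {r["id"]: r for r in records}
    thumb = by_id[3]["data"].hex() if 3 in by_id else None
    cert = by_id.get(32)
    complete = cert is not None and not cert["truncated"]
    return {"property_ids": [r["id"] for r in records], "thumbprint": thumb,
            "cert_der": cert["data"] if cert else b"", "cert_complete": complete,
            # None means the check could not run (no DER, truncated DER, or no thumbprint record).
            "sha1_matches": (hashlib.sha1(cert["data"]).hexdigest() == thumb) if complete and thumb else None}


def pack_record(prop_id: int, data: bytes) -> bytes:
    """Inverse of parse_blob for one record (flags field is 1, as in the report's records)."""
    return struct.pack("<III", prop_id, 1, len(data)) + data


def blob_for(der: bytes) -> bytes:
    """Minimal well-formed Blob a consistent store entry would carry for this DER."""
    return pack_record(3, hashlib.sha1(der).digest()) + pack_record(32, der)


if __name__ == "__main__":
    result = analyze_blob(bytes.fromhex(REPORT_BLOB_HEX))
    print(result["property_ids"], result["thumbprint"], result["cert_complete"], result["sha1_matches"])
    print(cert_summary(result["cert_der"]))
    print(analyze_blob(blob_for(b"\x30\x03\x02\x01\x05"))["sha1_matches"])  # constructed DER, complete record
```

On the report's data the parser returns property ids [4, 20, 3, 15, 25, 32], the thumbprint cabd2a79a1076a31f21d253635cb039d4329a5e8 and a subject of C=US, O=Internet Security Research Group, CN=ISRG Root X1 valid from 2015-06-04 to 2035-06-04, and reports that the thumbprint check could not run because the embedded DER is incomplete. For a full Blob exported from a live machine (reg export or a REG_BINARY read), the same function tells you whether the stored thumbprint actually belongs to the stored certificate, which is the check that matters when the subject looks legitimate but the entry was written by an untrusted process.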

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\IME\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\IME\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 3052 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe
PID 3052 wrote to memory of 1808 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1208 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\w32tm.exe
PID 1208 wrote to memory of 2020 (4 writes) N/A C:\Windows\SysWOW64\w32tm.exe C:\Windows\system32\w32tm.exe
PID 1808 wrote to memory of 2076 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\IME\csrss.exe

Every pair here is a parent writing into a child it has just created, and the edges match the process tree below exactly. CreateProcess writes the new process's parameters into the child before it starts, so these writes are the normal process-start path rather than injection into an unrelated process.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe

"C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe"

C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe

"C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lQ8ANZYlqW.bat"

C:\Windows\SysWOW64\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\IME\csrss.exe

"C:\Windows\IME\csrss.exe"
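The Processes list shows the persistence pattern in full: for each dropped copy, one task fires at logon with /rl HIGHEST and one or two more re-launch it every few minutes, each copy carries the name of a Windows system process (lsass, csrss, services, spoolsv, wininit, System) but lives outside System32, and each task name is the binary name with its first letter appended (lsassl, csrssc, SystemS). The cmd.exe child runs the dropped lQ8ANZYlqW.bat, whose w32tm /stripchart ... /samples:2 call takes roughly five seconds and serves as a delay before the copied csrss.exe is started. The following detection logic is an added example and not part of the sandbox report: it parses schtasks /create command lines as captured in process-creation telemetry, groups them by target and reports the three observations above. SYSTEM_BINARY_HOMES is this example's own table of where the genuine binaries live; the sample input is nine command lines taken from the list above plus one constructed benign task for contrast.

```python
"""Flag scheduled-task persistence of the kind recorded above from schtasks /create command lines."""
import re
from collections import defaultdict

# Where the genuine binary of each name lives (this example's table). An empty set means the name
# never exists as a file: "System" is the kernel pseudo-process, so any System.exe on disk is a lookalike.
SYSTEM_BINARY_HOMES = {
    "lsass.exe": {r"c:\windows\system32"}, "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"}, "spoolsv.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"}, "smss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"}, "runtimebroker.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"}, "system.exe": set(),
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

FLAGS = {  # schtasks /create switches of interest; quoted values keep their spaces
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "action": re.compile(r'/tr\s+"([^"]+)"', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks(cmdline: str):
    """Return the task fields from a 'schtasks /create' command line, or None for any other command."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    task = {}
    for key, rx in FLAGS.items():
        m = rx.search(cmdline)
        task[key] = m.group(1) if m else None
    if task["action"]:
        task["action"] = task["action"].strip("'")  # the report's tasks wrap the path as "'path'"
    task["schedule"] = task["schedule"].upper() if task["schedule"] else None
    task["modifier"] = int(task["modifier"]) if task["modifier"] else None
    return task


def masquerade_findings(task: dict) -> list:
    """Per-task checks: a system-binary name outside its home, and the task-name pattern seen here."""
    findings = []
    directory, _, basename = (task["action"] or "").lower().rpartition("\\")
    homes = SYSTEM_BINARY_HOMES.get(basename)
    if homes is not None and directory not in homes:
        findings.append(f"{basename} registered from non-system directory {directory}")
    stem = basename[:-4] if basename.endswith(".exe") else basename
    # In this report every task name is the binary stem plus its own first letter (lsass -> lsassl).
    if stem and (task["name"] or "").lower() == stem + stem[0]:
        findings.append(f"task name {task['name']!r} is the binary name with its first letter appended")
    return findings


def analyze_tasks(cmdlines) -> list:
    """Group /create calls by target path and report per-target findings (empty list = nothing odd)."""
    by_target = defaultdict(list)
    for task in filter(None, map(parse_schtasks, cmdlines)):
        by_target[(task["action"] or "").lower()].append(task)
    report = []
    for group in by_target.values():
        schedules = {t["schedule"] for t in group}
        findings = []
        if {"ONLOGON", "MINUTE"} <= schedules:
            minutes = sorted(t["modifier"] for t in group if t["schedule"] == "MINUTE" and t["modifier"])
            findings.append(f"logon trigger plus re-launch every {minutes} minutes ({len(group)} tasks)")
        if any((t["runlevel"] or "").upper() == "HIGHEST" for t in group):
            findings.append("requests /rl HIGHEST (runs elevated when the user is an administrator)")
        for t in group:
            findings += [f for f in masquerade_findings(t) if f not in findings]
        report.append({"target": group[0]["action"], "task_names": sorted({t["name"] for t in group}),
                       "findings": findings})
    return report


# Nine command lines from the Processes list above, plus one constructed benign task (last entry).
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
]

if __name__ == "__main__":
    for entry in analyze_tasks(SAMPLE_CMDLINES):
        print(entry["target"], entry["task_names"], *entry["findings"], sep="\n  ")
```

Feed it Sysmon event 1 or 4688 command lines for schtasks.exe and the three malicious targets each come back with four findings (logon trigger plus minute re-launch, /rl HIGHEST, system-binary name outside System32, stem-plus-letter task name), while the benign backup task returns none. The location check is the durable one: task names and intervals change between builds, but a file named lsass.exe or csrss.exe outside C:\Windows\System32, or any System.exe at all, has no legitimate explanation.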

Network

Country Destination Domain Proto
US 8.8.8.8:53 access.samp-loader.ru udp
US 172.67.178.91:80 access.samp-loader.ru tcp
US 172.67.178.91:80 access.samp-loader.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe

MD5 ed830fc9a7e101cb1199a44e89f05a6d
SHA1 09ecb8c22bad19d11a392fb873796cd41f4add56
SHA256 d03c84556f0693c7606a827797948d9f407e16dffa489b2a572be62aa20b7d03
SHA512 8248464f9ec60eb83ca13af0f5a6f61ac1dc5a826ed43d2432ecb56ae8fa281cfca300e37b649548cefd53fe5c96a7a949e9235efd931aa791c748513214df9a

memory/2956-17-0x0000000003EB0000-0x0000000004648000-memory.dmp

memory/2956-18-0x0000000003EB0000-0x0000000004648000-memory.dmp

memory/2956-19-0x0000000003EB0000-0x0000000004648000-memory.dmp

memory/3052-22-0x00000000012D0000-0x0000000001A68000-memory.dmp

memory/2956-21-0x0000000003EB0000-0x0000000004648000-memory.dmp

memory/3052-25-0x00000000012D0000-0x0000000001A68000-memory.dmp

memory/3052-26-0x00000000012D0000-0x0000000001A68000-memory.dmp

memory/3052-30-0x0000000000D70000-0x0000000000D82000-memory.dmp

memory/3052-29-0x0000000000D40000-0x0000000000D56000-memory.dmp

memory/3052-28-0x0000000000D20000-0x0000000000D3C000-memory.dmp

memory/3052-27-0x0000000000C60000-0x0000000000C6E000-memory.dmp

memory/3052-31-0x0000000000D90000-0x0000000000D9C000-memory.dmp

memory/3052-32-0x0000000000D80000-0x0000000000D8E000-memory.dmp

memory/3052-33-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

memory/3052-34-0x0000000000E60000-0x0000000000E6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lQ8ANZYlqW.bat

MD5 8cf96d9733ff722b471d7b24953a82cc
SHA1 63e047d7f3d6bebd0520be20fede389ac3f529f3
SHA256 94f3dbd132f7f85806d68962ac21148286fc367ddd5b9151b99b886e7955b41a
SHA512 b26e702984cc28e8f2fe31e114b56c486f8c73090d7bfbc5c3d5b88b410b2268b00c0b066921798966a81f571ce1d6b29df0a789805041a7764c900882e11f51

memory/3052-55-0x00000000012D0000-0x0000000001A68000-memory.dmp

memory/2076-61-0x0000000000DA0000-0x0000000001538000-memory.dmp

memory/1808-59-0x0000000002520000-0x0000000002CB8000-memory.dmp

C:\ProgramData\mntemp

MD5 28bb2228e8ca35ce1ad2f0c58cde84a9
SHA1 ab14c944eca3cb1f6bd89d4a298c11ec6250e4f1
SHA256 dd1263eecb58ebd53f584d6c8d509e7d30bc4dffa0837d385c1b66e7b8c27bee
SHA512 6f57897793af5c6bc4d9a21e09d23dfc128b5a1198913b93b4e9be4da9762251e01334e952eabca1b27e0b1db15d715465ec69cd99fb8171f320c6abd670d494

memory/2076-63-0x0000000000DA0000-0x0000000001538000-memory.dmp

memory/2076-64-0x0000000000DA0000-0x0000000001538000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 03:32

Reported

2024-06-03 03:34

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (21 events)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no indicator detail recorded)

Detects executables containing base64 encoded gzip files

Description Indicator Process Target
N/A N/A N/A N/A (5 matches, no indicator detail recorded)

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
N/A N/A C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\5b884080fd4f94 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files\Windows Portable Devices\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\smss.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\images\smss.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files (x86)\Internet Explorer\images\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
File created C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Speech\csrss.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A (7 events)
N/A N/A C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A (15 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4448 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe 3
PID 4192 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe C:\Windows\SysWOW64\cmd.exe 3
PID 948 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\w32tm.exe 3
PID 4664 wrote to memory of 1292 N/A C:\Windows\SysWOW64\w32tm.exe C:\Windows\system32\w32tm.exe 2
PID 948 wrote to memory of 3436 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe

"C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe"

C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe

"C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tRQxi6UI1P.bat"

C:\Windows\SysWOW64\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe

"C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe"
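
Analyst note on the process list above. The chain is PID 4448 (the original sample) spawning ReviewdriversavesBrokercrtwinDhcp1.exe (4192), which writes and runs tRQxi6UI1P.bat under cmd.exe (948); the batch calls w32tm (4664) and then launches the copied RuntimeBroker.exe (3436). The `w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2` call is not time synchronisation: it blocks for a few seconds and is a stand-in for `timeout` that droppers of this family use before starting the copied binary, so w32tm.exe as a child of cmd.exe with a batch parent is itself a useful hunt. Every schtasks target is registered three times: a MINUTE task without a run level, an ONLOGON task with `/rl HIGHEST`, and a second MINUTE task with `/rl HIGHEST` that reuses the first task's name, so with `/f` the second creation replaces the first. All seven targets carry the name of a genuine Windows binary (smss, sihost, dllhost, fontdrvhost, RuntimeBroker; csrss.exe is dropped but not scheduled in the rows shown) in directories where the real one never lives, and several of the dropped binaries are accompanied by a 14-hex-character sidecar file.

The Python below is an added example, not part of the sandbox report. It takes the dropped-file paths from the 'Drops file in Program Files' and 'Drops file in Windows directory' tables in this section and the 21 schtasks command lines above (both copied from this page), parses the schtasks syntax, and reports which task targets masquerade as system binaries, how many run at the highest run level, which dropped files are wired into a task, and the sidecar files. The SYSTEM_BINARIES set, the trusted-directory list, the sidecar pattern and the folding of `C:\Users\All Users` onto `C:\ProgramData` (a junction on Windows Vista and later) are the example's own assumptions, and only the file-drop rows visible in this section are included, so four of the seven task targets show up as scheduled but not dropped here.

```python
"""Correlate dropped files with scheduled-task persistence from this report.

Added analyst example. DROPPED_FILES and SCHTASKS_LINES are copied from the
report's file-drop tables and process list; everything else is an assumption.
"""
import re

# Names of genuine Windows binaries the dropper reuses. Real copies live only
# under the trusted directories; a same-named file anywhere else is a masquerade.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "sihost.exe", "dllhost.exe",
                   "fontdrvhost.exe", "runtimebroker.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
SIDECAR_RE = re.compile(r"[0-9a-f]{14}")  # assumed pattern of the companion files

DROPPED_FILES = [  # copied from the report's file-drop rows
    r"C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe",
    r"C:\Program Files\Windows Security\BrowserCore\5b884080fd4f94",
    r"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe",
    r"C:\Program Files (x86)\Internet Explorer\images\smss.exe",
    r"C:\Program Files (x86)\Internet Explorer\images\69ddcba757bf72",
    r"C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9",
    r"C:\Windows\System\Speech\csrss.exe",
]

SCHTASKS_LINES = r'''
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /f
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /f
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
'''.strip().splitlines()

SCHTASKS_RE = re.compile(
    r'''/tn\s+"(?P<name>[^"]+)"\s+/sc\s+(?P<sched>\w+)(?:\s+/mo\s+(?P<mo>\d+))?'''
    r'''\s+/tr\s+"'?(?P<target>[^'"]+)'?"(?P<rest>.*)$''', re.IGNORECASE)


def normalize(path):
    """Lower-case a path and fold the C:\\Users\\All Users junction onto
    C:\\ProgramData so one file is not counted under two names (assumption)."""
    p = path.strip().strip("'\"").lower()
    prefix = "c:\\users\\all users\\"
    return "c:\\programdata\\" + p[len(prefix):] if p.startswith(prefix) else p


def is_masquerade(path):
    """True for a system-binary name sitting outside the trusted directories."""
    d, _, name = normalize(path).rpartition("\\")
    trusted = any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)
    return name in SYSTEM_BINARIES and not trusted


def parse_schtasks(cmdline):
    """Extract name, schedule, interval, target and run level from one
    'schtasks /create' line; None for anything that is not one."""
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    return {"name": m["name"], "schedule": m["sched"].upper(),
            "every_min": int(m["mo"]) if m["mo"] else None,
            "target": normalize(m["target"]),
            "highest": "/rl highest" in m["rest"].lower()}


def analyze(dropped, schtasks_lines):
    """Cross-check dropped files against task actions and summarise findings."""
    tasks = [t for t in map(parse_schtasks, schtasks_lines) if t]
    dropped_n = {normalize(p) for p in dropped}
    targets = {t["target"] for t in tasks}
    return {
        "tasks": tasks,
        "masquerade_tasks": {t for t in targets if is_masquerade(t)},
        "highest_runlevel": sum(t["highest"] for t in tasks),
        # a dropped binary that is also a task action: persistence fully wired up
        "dropped_then_scheduled": dropped_n & targets,
        "masquerade_drops": {p for p in dropped_n if is_masquerade(p)},
        # 14-hex-character files written beside the masquerading binaries
        "sidecars": sorted(p for p in dropped_n
                           if SIDECAR_RE.fullmatch(p.rpartition("\\")[2])),
    }


if __name__ == "__main__":
    result = analyze(DROPPED_FILES, SCHTASKS_LINES)
    for key, value in result.items():
        print(key, len(value) if key == "tasks" else value)
```

The same parser runs unchanged over a Sysmon event ID 1 export or an EDR command-line feed: the combination of a task name that is a system binary's name, a target outside System32, and `/rl HIGHEST` is rare in legitimate software and is the signal to alert on.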

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 access.samp-loader.ru udp
US 172.67.178.91:80 access.samp-loader.ru tcp
US 172.67.178.91:80 access.samp-loader.ru tcp
US 8.8.8.8:53 91.178.67.172.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
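
Analyst note on the table above. Thirteen of the twenty rows are reverse (in-addr.arpa) lookups of addresses the sample or the sandbox touched and carry little hunting value; the three forward lookups and three TCP flows are the useful part. ipinfo.io is the 'Looks up external IP address via web service' signature from the summary. api.telegram.org is the Telegram Bot API host, which stealers commonly use to deliver collected data; the role for this sample is an assumption, the report only records the TLS connection. access.samp-loader.ru is contacted twice over plaintext HTTP on port 80 and is the C2 candidate. A caveat for blocking: 172.67.178.91 is in Cloudflare address space and the other two addresses belong to shared services, so the domain, not the IP, is the indicator worth acting on.

The Python below is an added example, not part of the report. It parses the rows above (copied verbatim), separates forward from reverse lookups, counts flows per TCP destination, tags each one, and emits a Suricata DNS rule for the hosts that are not shared services. The service labels, the Cloudflare prefix and the sid numbers are the example's own assumptions.

```python
"""Triage the Network table of this report into actionable indicators.

Added analyst example. NETWORK_ROWS is copied from the report; the service
labels, the CDN prefix and the Suricata sid numbers are assumptions.
"""
import ipaddress

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 access.samp-loader.ru udp
US 172.67.178.91:80 access.samp-loader.ru tcp
US 172.67.178.91:80 access.samp-loader.ru tcp
US 8.8.8.8:53 91.178.67.172.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
"""

# Analyst labels for hosts that are legitimate shared services. A DNS alert on
# these would be noisy, so they are excluded from the rule output below.
SHARED_SERVICES = {
    "ipinfo.io": "external IP lookup (matches the report's signature)",
    "api.telegram.org": "Telegram Bot API; assumed exfil/notification channel",
}
# CDN space in front of the C2 host; blocking the address would hit the CDN.
CDN_PREFIXES = [ipaddress.ip_network("172.67.0.0/16")]  # Cloudflare (assumption)


def parse_rows(text):
    """Split 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Separate forward from reverse DNS, then tag each TCP destination."""
    queries = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    reverse = {q for q in queries if q.endswith(".in-addr.arpa")}
    flows = {}
    for r in rows:
        if r["proto"] == "tcp":
            key = (r["domain"], r["ip"], r["port"])
            flows[key] = flows.get(key, 0) + 1
    iocs = []
    for (domain, ip, port), count in sorted(flows.items()):
        on_cdn = any(ipaddress.ip_address(ip) in net for net in CDN_PREFIXES)
        role = SHARED_SERVICES.get(
            domain, "unlabelled host over plaintext HTTP; C2 candidate"
            if port == 80 else "unlabelled host")
        iocs.append({"domain": domain, "ip": ip, "port": port, "flows": count,
                     "role": role,
                     # shared infrastructure: the domain is the only safe indicator
                     "block_by": "domain" if on_cdn or domain in SHARED_SERVICES
                     else "domain+ip"})
    return {"forward_queries": sorted(queries - reverse),
            "reverse_lookups": len(reverse), "iocs": iocs}


def suricata_rules(iocs, base_sid=9000001):
    """One DNS-query rule per non-shared host (Suricata 5+ dns.query buffer)."""
    rules = []
    for ioc in iocs:
        if ioc["domain"] in SHARED_SERVICES:
            continue
        rules.append(
            f'alert dns any any -> any any (msg:"DcRat sample lookup of {ioc["domain"]}"; '
            f'dns.query; content:"{ioc["domain"]}"; nocase; '
            f'sid:{base_sid + len(rules)}; rev:1;)')
    return rules


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    print("forward lookups:", result["forward_queries"])
    print("reverse lookups:", result["reverse_lookups"])
    for ioc in result["iocs"]:
        print(ioc)
    for rule in suricata_rules(result["iocs"]):
        print(rule)
```

For the two shared services the better detection is process-based rather than network-based: an unsigned binary under Program Files or Recovery opening TLS to ipinfo.io or api.telegram.org is the combination to hunt for, since the destinations themselves are common in benign traffic.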

Files

C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe

MD5 ed830fc9a7e101cb1199a44e89f05a6d
SHA1 09ecb8c22bad19d11a392fb873796cd41f4add56
SHA256 d03c84556f0693c7606a827797948d9f407e16dffa489b2a572be62aa20b7d03
SHA512 8248464f9ec60eb83ca13af0f5a6f61ac1dc5a826ed43d2432ecb56ae8fa281cfca300e37b649548cefd53fe5c96a7a949e9235efd931aa791c748513214df9a

memory/4192-12-0x00000000000B0000-0x0000000000848000-memory.dmp

memory/4192-15-0x00000000000B0000-0x0000000000848000-memory.dmp

memory/4192-14-0x00000000000B0000-0x0000000000848000-memory.dmp

memory/4192-16-0x00000000065D0000-0x0000000006B74000-memory.dmp

memory/4192-17-0x0000000006170000-0x000000000617E000-memory.dmp

memory/4192-18-0x0000000006400000-0x0000000006492000-memory.dmp

memory/4192-19-0x00000000061A0000-0x00000000061BC000-memory.dmp

memory/4192-21-0x00000000061E0000-0x00000000061F6000-memory.dmp

memory/4192-22-0x0000000006220000-0x0000000006232000-memory.dmp

memory/4192-20-0x0000000006230000-0x0000000006280000-memory.dmp

memory/4192-24-0x0000000006B80000-0x0000000006B8E000-memory.dmp

memory/4192-23-0x00000000065A0000-0x00000000065AC000-memory.dmp

memory/4192-26-0x0000000006BD0000-0x0000000006BDC000-memory.dmp

memory/4192-25-0x0000000006BB0000-0x0000000006BBC000-memory.dmp

memory/4192-29-0x0000000006C60000-0x0000000006CC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tRQxi6UI1P.bat

MD5 2ee6cb5754f44fb8475a528f46c1845b
SHA1 3863398d4f6f4f35706d6ce12e6f5d9b6f32fbef
SHA256 c06e38335471804e892e0ef8b14342448efa93f4d1f98aed15238937642331b4
SHA512 02ea76e0b2f87f6efc66d491601a531a5aba9c786f589365b77aa99e7920aaf0deabfed176046b204bd01d1aae13bac92e39b5f956d2f46da578efcbc5bcd161

memory/4192-49-0x00000000000B0000-0x0000000000848000-memory.dmp

memory/3436-53-0x0000000000FB0000-0x0000000001748000-memory.dmp

C:\ProgramData\mntemp

MD5 b84c0451280e282821e4e91adcc121f1
SHA1 56b5d0333954f8b045cb8aa49c2079a794dfc6db
SHA256 137b13ad42331f93a66ba3b5768d098256b3411ccf5bd635ad51f6e1cd625b25
SHA512 6bc57805bd935677d5a62ed5e38b1c7f4b8d4891b77a39ff0bbe557c629d8dd8ed2c8d30512ca67a2c2c1113af76d65af41e6287a5a22a0539ccd9c726099dce

memory/3436-55-0x0000000000FB0000-0x0000000001748000-memory.dmp

memory/3436-56-0x0000000000FB0000-0x0000000001748000-memory.dmp

memory/3436-57-0x0000000006F80000-0x0000000006F92000-memory.dmp

memory/3436-58-0x0000000009B50000-0x0000000009D12000-memory.dmp

memory/3436-59-0x00000000094D0000-0x00000000094DA000-memory.dmp

memory/3436-60-0x000000000AB30000-0x000000000B05C000-memory.dmp

memory/3436-101-0x0000000000FB0000-0x0000000001748000-memory.dmp