Analysis Overview
SHA256
c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3
Threat Level: Known bad
The file c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3 was found to be: Known bad.
Malicious Activity Summary
DcRat
Process spawned unexpected child process
Detects executables containing base64 encoded gzip files
Identifies VirtualBox via ACPI registry values (likely anti-VM)
DCRat payload
Detects executables packed with SmartAssembly
Checks BIOS information in registry
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Identifies Wine through registry keys
Reads user/profile data of web browsers
Checks whether UAC is enabled
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 03:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 03:32
Reported
2024-06-03 03:34
Platform
win7-20240215-en
Max time kernel
148s
Max time network
146s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing base64 encoded gzip files
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\IME\csrss.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\IME\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\IME\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine | C:\Windows\IME\csrss.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\IME\csrss.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\IME\csrss.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows NT\services.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\c5b4cb5e9653cc | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\System.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IME\csrss.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Windows\IME\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Windows\Speech\Common\services.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\IME\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob | C:\Windows\IME\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IME\csrss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\IME\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe
"C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe"
C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe
"C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lQ8ANZYlqW.bat"
C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\IME\csrss.exe
"C:\Windows\IME\csrss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | access.samp-loader.ru | udp |
| US | 172.67.178.91:80 | access.samp-loader.ru | tcp |
| US | 172.67.178.91:80 | access.samp-loader.ru | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe
| MD5 | ed830fc9a7e101cb1199a44e89f05a6d |
| SHA1 | 09ecb8c22bad19d11a392fb873796cd41f4add56 |
| SHA256 | d03c84556f0693c7606a827797948d9f407e16dffa489b2a572be62aa20b7d03 |
| SHA512 | 8248464f9ec60eb83ca13af0f5a6f61ac1dc5a826ed43d2432ecb56ae8fa281cfca300e37b649548cefd53fe5c96a7a949e9235efd931aa791c748513214df9a |
C:\Users\Admin\AppData\Local\Temp\lQ8ANZYlqW.bat
| MD5 | 8cf96d9733ff722b471d7b24953a82cc |
| SHA1 | 63e047d7f3d6bebd0520be20fede389ac3f529f3 |
| SHA256 | 94f3dbd132f7f85806d68962ac21148286fc367ddd5b9151b99b886e7955b41a |
| SHA512 | b26e702984cc28e8f2fe31e114b56c486f8c73090d7bfbc5c3d5b88b410b2268b00c0b066921798966a81f571ce1d6b29df0a789805041a7764c900882e11f51 |
memory/3052-55-0x00000000012D0000-0x0000000001A68000-memory.dmp
memory/2076-61-0x0000000000DA0000-0x0000000001538000-memory.dmp
memory/1808-59-0x0000000002520000-0x0000000002CB8000-memory.dmp
C:\ProgramData\mntemp
| MD5 | 28bb2228e8ca35ce1ad2f0c58cde84a9 |
| SHA1 | ab14c944eca3cb1f6bd89d4a298c11ec6250e4f1 |
| SHA256 | dd1263eecb58ebd53f584d6c8d509e7d30bc4dffa0837d385c1b66e7b8c27bee |
| SHA512 | 6f57897793af5c6bc4d9a21e09d23dfc128b5a1198913b93b4e9be4da9762251e01334e952eabca1b27e0b1db15d715465ec69cd99fb8171f320c6abd670d494 |
memory/2076-63-0x0000000000DA0000-0x0000000001538000-memory.dmp
memory/2076-64-0x0000000000DA0000-0x0000000001538000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 03:32
Reported
2024-06-03 03:34
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing base64 encoded gzip files
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with SmartAssembly
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\images\smss.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\images\smss.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\images\69ddcba757bf72 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System\Speech\csrss.exe | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe
"C:\Users\Admin\AppData\Local\Temp\c642f9a142a0c2f9c34ba9b302dc88af2df41db5b9c875e26d39572a67f61cf3.exe"
C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe
"C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tRQxi6UI1P.bat"
C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe
"C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe"
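The fifteen `schtasks` lines above follow one template per dropped copy: a task with a system-binary name on an `ONLOGON` trigger at `/rl HIGHEST`, plus two minute-interval tasks under a near-duplicate name (`smss`/`smsss`, `dllhost`/`dllhostd`, `RuntimeBroker`/`RuntimeBrokerR`), all pointing at a file named like a Windows system binary but placed under `Program Files`, `C:\Recovery\WindowsRE` or `C:\Users\All Users`. The triage helper below is an added example, not code from the sandbox vendor or from the sample: it parses `schtasks /create` command lines and flags that pattern. The `SYSTEM_BINARY_HOMES` map, the 15-minute watchdog threshold and the final benign control line are assumptions for illustration; the other five input lines are copied verbatim from the process list.

```python
"""Parse `schtasks /create` command lines from a sandbox process list and
flag the persistence pattern seen above. Added triage helper; not code from
the sandbox vendor or from the DcRat sample."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from ntpath import basename, dirname
from typing import List, Optional

# Constructed sample: five schtasks lines copied verbatim from the process
# list above, plus one benign control line (NightlyBackup) that is NOT in the report.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /f""",
    r"""schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\smss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\dllhost.exe'" /f""",
    r"""schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f""",
]

# Assumption: Windows binaries that legitimately live only in these directories;
# a same-named file anywhere else is a masquerade candidate (ATT&CK T1036.005).
SYSTEM_BINARY_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sihost.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
WATCHDOG_MINUTES = 15  # assumption: relaunch intervals at or below this are suspicious

_OPTS = {
    "tn": re.compile(r'/tn\s+"([^"]*)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r'/tr\s+"([^"]*)"', re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}


@dataclass
class Task:
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    runlevel: str
    findings: List[str] = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[Task]:
    """Return a Task for a `schtasks /create` line, or None for anything else."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None

    def opt(key: str) -> str:
        m = _OPTS[key].search(cmdline)
        return m.group(1) if m else ""

    # The dropper wraps the path as "'...'" so cmd.exe keeps the spaces intact;
    # strip the inner single quotes to recover the real path.
    return Task(
        name=opt("tn"),
        schedule=opt("sc").upper(),
        modifier=int(opt("mo")) if opt("mo") else None,
        target=opt("tr").strip("'"),
        runlevel=opt("rl").upper(),
    )


def flag_task(task: Task) -> Task:
    exe = basename(task.target).lower()
    home = dirname(task.target).lower()
    if exe in SYSTEM_BINARY_HOMES and home not in SYSTEM_BINARY_HOMES[exe]:
        task.findings.append(f"masquerade: {exe} outside its system directory")
    if task.runlevel == "HIGHEST":
        task.findings.append("runlevel HIGHEST: requests the highest privileges available to the task's user")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= WATCHDOG_MINUTES:
        task.findings.append(f"relaunch every {task.modifier} min: watchdog-style persistence")
    return task


def triage(cmdlines) -> List[Task]:
    tasks = [flag_task(t) for c in cmdlines if (t := parse_schtasks(c)) is not None]
    # One binary registered under both a logon trigger and a minute-interval
    # trigger (with a near-duplicate task name) is the redundant-trigger
    # pattern in the process list above; group by target path to catch it.
    triggers = defaultdict(set)
    for t in tasks:
        triggers[t.target.lower()].add(t.schedule)
    for t in tasks:
        if {"ONLOGON", "MINUTE"} <= triggers[t.target.lower()]:
            t.findings.append("same binary also registered under a second trigger")
    return tasks


if __name__ == "__main__":
    for t in triage(SAMPLE_CMDLINES):
        print(f"{t.name:15} {t.schedule:8} -> {t.target}")
        for f in t.findings:
            print("   !", f)
```

Grouping by target path rather than by task name is what catches the redundant-trigger pattern: the task names differ by one character, but every pair points at the same dropped file. The same logic runs unchanged over Sysmon event ID 1 or Security 4698 command lines, where the `schtasks.exe` parent being `wmiprvse.exe` (as the signature at the top of this report notes) is a second, independent signal.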
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | access.samp-loader.ru | udp |
| US | 172.67.178.91:80 | access.samp-loader.ru | tcp |
| US | 172.67.178.91:80 | access.samp-loader.ru | tcp |
| US | 8.8.8.8:53 | 91.178.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
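Most rows in this table are reverse (`in-addr.arpa`) lookups, which are resolver noise. The rows that matter are the plain-HTTP connection to `access.samp-loader.ru` on port 80, the `ipinfo.io` call that matches the "Looks up external IP address via web service" signature, and the `api.telegram.org` session. Note that `172.67.178.91` sits in Cloudflare's `172.64.0.0/13` range and is shared by many unrelated sites, so the hostname, not the IP, is the indicator to pivot on. The helper below is an added example, not the sandbox vendor's code: it parses the table into a classified IOC list and keeps names that were queried but never connected to, which a connection-only view would drop. The list of IP-lookup services, the CDN range and the constructed `backup-c2.example` row are assumptions; the other rows are copied from the table above.

```python
"""Turn the Network table of a sandbox report into a classified IOC list.
Added triage helper; not the sandbox vendor's code."""
import ipaddress
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed sample: rows copied from the Network table above, plus one
# constructed DNS-only row (backup-c2.example) that is NOT in the report.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | access.samp-loader.ru | udp |
| US | 172.67.178.91:80 | access.samp-loader.ru | tcp |
| US | 172.67.178.91:80 | access.samp-loader.ru | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | backup-c2.example | udp |
"""

# Assumptions: services malware commonly uses to learn the victim's public IP,
# and a CDN range (Cloudflare, 172.64.0.0/13) whose addresses are shared by
# many unrelated sites, so only the hostname is a usable pivot there.
IP_LOOKUP_SERVICES = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me", "ip-api.com"}
SHARED_CDN = [ipaddress.ip_network("172.64.0.0/13")]


def parse_table(text: str) -> List[Dict]:
    """Parse '| Country | ip:port | domain | proto |' rows; skip the header."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        ip, port = cells[1].rsplit(":", 1)
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "domain": cells[2], "proto": cells[3].lower()})
    return rows


def classify(domain: str) -> str:
    d = domain.lower()
    if d.endswith(".in-addr.arpa"):
        return "ptr-lookup"            # resolver noise, not an indicator
    if d in IP_LOOKUP_SERVICES:
        return "external-ip-lookup"    # victim geolocation / IP discovery
    if d == "api.telegram.org":
        return "telegram-bot-api"      # common exfil / notification channel
    return "candidate-c2"


def extract_iocs(text: str) -> Tuple[Dict, List[str]]:
    rows = [r for r in parse_table(text) if classify(r["domain"]) != "ptr-lookup"]
    connections: "OrderedDict[Tuple[str, str, int], Dict]" = OrderedDict()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            continue  # the query itself; the connection row carries the real destination
        ip = ipaddress.ip_address(r["ip"])
        shared = any(ip in net for net in SHARED_CDN)
        entry = connections.setdefault(
            (r["domain"], r["ip"], r["port"]),
            {"kind": classify(r["domain"]),
             "pivot": "hostname" if shared else "hostname+ip",
             "hits": 0})
        entry["hits"] += 1
    # Names that were only queried still matter: a fallback C2 that failed to
    # resolve, or traffic outside the sandbox's capture window.
    connected = {domain for domain, _, _ in connections}
    dns_only = sorted({r["domain"] for r in rows
                       if r["proto"] == "udp" and r["port"] == 53 and r["domain"] not in connected})
    return connections, dns_only


if __name__ == "__main__":
    conns, dns_only = extract_iocs(SAMPLE_TABLE)
    for (domain, ip, port), info in conns.items():
        print(f"{info['kind']:20} {domain:25} {ip}:{port}  x{info['hits']}  pivot={info['pivot']}")
    for domain in dns_only:
        print(f"{'dns-only':20} {domain}")
```

The `pivot` field is the practical output: block or hunt on `access.samp-loader.ru` as a hostname, but do not add `172.67.178.91` to a blocklist on its own. The Telegram destination is the operator's notification channel; its IP is Telegram's own and is not an indicator either, so a detection there has to key on the process making the connection rather than the endpoint.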
Files
C:\Users\Admin\AppData\Local\Temp\ReviewdriversavesBrokercrtwinDhcp1.exe
| MD5 | ed830fc9a7e101cb1199a44e89f05a6d |
| SHA1 | 09ecb8c22bad19d11a392fb873796cd41f4add56 |
| SHA256 | d03c84556f0693c7606a827797948d9f407e16dffa489b2a572be62aa20b7d03 |
| SHA512 | 8248464f9ec60eb83ca13af0f5a6f61ac1dc5a826ed43d2432ecb56ae8fa281cfca300e37b649548cefd53fe5c96a7a949e9235efd931aa791c748513214df9a |
memory/4192-12-0x00000000000B0000-0x0000000000848000-memory.dmp
memory/4192-15-0x00000000000B0000-0x0000000000848000-memory.dmp
memory/4192-14-0x00000000000B0000-0x0000000000848000-memory.dmp
memory/4192-16-0x00000000065D0000-0x0000000006B74000-memory.dmp
memory/4192-17-0x0000000006170000-0x000000000617E000-memory.dmp
memory/4192-18-0x0000000006400000-0x0000000006492000-memory.dmp
memory/4192-19-0x00000000061A0000-0x00000000061BC000-memory.dmp
memory/4192-21-0x00000000061E0000-0x00000000061F6000-memory.dmp
memory/4192-22-0x0000000006220000-0x0000000006232000-memory.dmp
memory/4192-20-0x0000000006230000-0x0000000006280000-memory.dmp
memory/4192-24-0x0000000006B80000-0x0000000006B8E000-memory.dmp
memory/4192-23-0x00000000065A0000-0x00000000065AC000-memory.dmp
memory/4192-26-0x0000000006BD0000-0x0000000006BDC000-memory.dmp
memory/4192-25-0x0000000006BB0000-0x0000000006BBC000-memory.dmp
memory/4192-29-0x0000000006C60000-0x0000000006CC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tRQxi6UI1P.bat
| MD5 | 2ee6cb5754f44fb8475a528f46c1845b |
| SHA1 | 3863398d4f6f4f35706d6ce12e6f5d9b6f32fbef |
| SHA256 | c06e38335471804e892e0ef8b14342448efa93f4d1f98aed15238937642331b4 |
| SHA512 | 02ea76e0b2f87f6efc66d491601a531a5aba9c786f589365b77aa99e7920aaf0deabfed176046b204bd01d1aae13bac92e39b5f956d2f46da578efcbc5bcd161 |
memory/4192-49-0x00000000000B0000-0x0000000000848000-memory.dmp
memory/3436-53-0x0000000000FB0000-0x0000000001748000-memory.dmp
C:\ProgramData\mntemp
| MD5 | b84c0451280e282821e4e91adcc121f1 |
| SHA1 | 56b5d0333954f8b045cb8aa49c2079a794dfc6db |
| SHA256 | 137b13ad42331f93a66ba3b5768d098256b3411ccf5bd635ad51f6e1cd625b25 |
| SHA512 | 6bc57805bd935677d5a62ed5e38b1c7f4b8d4891b77a39ff0bbe557c629d8dd8ed2c8d30512ca67a2c2c1113af76d65af41e6287a5a22a0539ccd9c726099dce |
memory/3436-55-0x0000000000FB0000-0x0000000001748000-memory.dmp
memory/3436-56-0x0000000000FB0000-0x0000000001748000-memory.dmp
memory/3436-57-0x0000000006F80000-0x0000000006F92000-memory.dmp
memory/3436-58-0x0000000009B50000-0x0000000009D12000-memory.dmp
memory/3436-59-0x00000000094D0000-0x00000000094DA000-memory.dmp
memory/3436-60-0x000000000AB30000-0x000000000B05C000-memory.dmp
memory/3436-101-0x0000000000FB0000-0x0000000001748000-memory.dmp