Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-bhxwzsxcjb
Target 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe
SHA256 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892

Threat Level: Known bad

The file 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

Dcrat family

Process spawned unexpected child process

DcRat

DCRat payload

DCRat payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 01:09

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:09

Reported

2024-06-17 01:12

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(the row above appears 54 times in the original table, one row per schtasks.exe process listed under Processes)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(the row above appears 5 times in the original table)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\comsurrogatecommon\containerbrokerSvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\Registry.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\SppExtComObj.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\OfficeClickToRun.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\e1ef82546f0b02 C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\61a52ddc9dd915 C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\e6c9b481da804f C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\Registry.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\ee2ad38f3d4382 C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\msedge.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\61a52ddc9dd915 C:\comsurrogatecommon\containerbrokerSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceState\EventLog\dllhost.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Windows\Tasks\MoUsoCoreWorker.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Windows\Tasks\1f93f77a7f4778 C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Windows\Cursors\Idle.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Windows\Cursors\6ccacd8608530f C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Windows\Logs\MeasuredBoot\msedge.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Windows\Logs\MeasuredBoot\61a52ddc9dd915 C:\comsurrogatecommon\containerbrokerSvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(the row above appears 54 times in the original table, one row per schtasks.exe process listed under Processes)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\comsurrogatecommon\containerbrokerSvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\comsurrogatecommon\containerbrokerSvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\AccountPictures\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (3 identical rows)
PID 1620 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe (3 identical rows)
PID 2908 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 3744 wrote to memory of 1796 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 1796 wrote to memory of 5060 N/A C:\Windows\SysWOW64\cmd.exe C:\comsurrogatecommon\containerbrokerSvc.exe (2 identical rows)
PID 5060 wrote to memory of 2620 N/A C:\comsurrogatecommon\containerbrokerSvc.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 2620 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 2620 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Users\Public\AccountPictures\dwm.exe (2 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe

"C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\comsurrogatecommon\h6khYLQAm3C9Gvan2yaD6Idxz.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\comsurrogatecommon\ndyJqdcK3gAQnUI3h5cTrzbsXo5.bat" "

C:\comsurrogatecommon\containerbrokerSvc.exe

"C:\comsurrogatecommon\containerbrokerSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\Registry.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\comsurrogatecommon\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\comsurrogatecommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\comsurrogatecommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\comsurrogatecommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comsurrogatecommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\comsurrogatecommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\Tasks\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Cursors\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\MeasuredBoot\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Logs\MeasuredBoot\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\MeasuredBoot\msedge.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WIyV3lXs7h.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Public\AccountPictures\dwm.exe

"C:\Users\Public\AccountPictures\dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.185.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 i.pki.goog udp
US 8.8.8.8:53 i.pki.goog udp
DE 172.217.18.3:80 i.pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 74.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 a0986288.xsph.ru udp
RU 141.8.197.42:80 a0986288.xsph.ru tcp
RU 141.8.197.42:80 a0986288.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/1620-1-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 1b0d74d91e3556b4296fdfa8e2026027
SHA1 99a9aefc118aac03355bdb3992ca91b37bb7ecd3
SHA256 8ed1d39fa5617f5f79c94be770549a88452829b56c7a878af030baa1ae060f9b
SHA512 fcb8e958b31363e1d6b0c483ef9367a1787abc9654b3d88f9f203db7303482db1547c7f9c52d94fc15144b593b546c25fb9cee6cbe833c36bece6cdbcd86c5a0

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe

MD5 5036e609163e98f3ac06d5e82b677df8
SHA1 176db10a4cda7104f24eece2d87e1a664b7fb929
SHA256 b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21
SHA512 40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

memory/1620-19-0x0000000000400000-0x0000000000712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu2AC6.tmp\InstallOptions.dll

MD5 ece25721125d55aa26cdfe019c871476
SHA1 b87685ae482553823bf95e73e790de48dc0c11ba
SHA256 c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA512 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

C:\Users\Admin\AppData\Local\Temp\nsu2AC6.tmp\LangDLL.dll

MD5 68b287f4067ba013e34a1339afdb1ea8
SHA1 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA256 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA512 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

C:\Users\Admin\AppData\Local\Temp\nsu2AC6.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\comsurrogatecommon\h6khYLQAm3C9Gvan2yaD6Idxz.vbe

MD5 c2cebb18805a35aa4f1dc912dc6ff0d2
SHA1 6b32588c705ef239c1ed2f024d8eba13ac1bc50f
SHA256 d178fab8fa489f9f67902f5b777145c321b6f614641c573edeb2da8f22127351
SHA512 0c4b01a735f064420916e11049a9f8b378a54d6e5cf24704e3f66f65be2696bfc88e6edf56b5887ef957991f7db1094f6283983fabc3c39c4f063e14b49dbeee

C:\comsurrogatecommon\ndyJqdcK3gAQnUI3h5cTrzbsXo5.bat

MD5 9847e6047e87392038dbd26b21c4de12
SHA1 eb898a87f645939df45449aabf80282be23ccd10
SHA256 7211497c50c8ffc77a8ef893eca0cd8a6d39a5ed7cde524a9ec503758d0c4715
SHA512 c81e3e122d22b338aed653e51748c94d936555e4c00e77074e3f445f18af7eb641dede865165c3398b50bbf6c4b0fc5baaaba8fb6119e2a79dc3230f7030c633

C:\comsurrogatecommon\containerbrokerSvc.exe

MD5 30f9e0ff5a6f1343d0828e74f8d4d442
SHA1 b248379c85738a0deb8139f739a8fa7b343d876e
SHA256 88a7db7ae820d84729ca9d9376848544bde2788f300d4303fd1b19c50c4c348d
SHA512 9d4c4e1ad1cdadb295e029f0f71abf7a7679103c16ed05158f0feb491d403ebb69d1377352a2c25671bdfa53fde4d437a6cc1110b03f83ca9e6d14b693ecbe89

memory/5060-63-0x0000000000170000-0x0000000000266000-memory.dmp

memory/5060-64-0x000000001ACD0000-0x000000001ACDE000-memory.dmp

memory/5060-65-0x000000001ACF0000-0x000000001ACF8000-memory.dmp

memory/5060-66-0x000000001B160000-0x000000001B16C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WIyV3lXs7h.bat

MD5 f9ce358c7441b986fa895c126916d233
SHA1 5c48c5f56f80e60074aad8d889541cdf2eaa421a
SHA256 d38a66b3377d76215b736b36f4fbdcda91717c062c7a994b041162f5a881c2a9
SHA512 d127e87d8d4d0d91bd020fc9ed023ff6025bc892e8159c64631d7051f839be51fbad9d8fd2d50058ee8d46d15a3d4512afa13bd8e3ca2ff3bbc41565c03d59b4

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 01:09

Reported

2024-06-17 01:11

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(39 identical rows, one per schtasks.exe /create invocation listed under Processes below. A recorded parent of WmiPrvSE.exe means the process was created through WMI rather than directly by the visible caller, which is why none of these schtasks.exe launches appears as a child of containerbrokerSvc.exe in the WriteProcessMemory table.)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Mail\ja-JP\6cb0b6c459d5d3 C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\containerbrokerSvc.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0779814733b46b C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\Windows NT\lsass.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files\Windows NT\6203df4a6bafc7 C:\comsurrogatecommon\containerbrokerSvc.exe N/A
File created C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe C:\comsurrogatecommon\containerbrokerSvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (39 identical rows; the full command lines are listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\comsurrogatecommon\containerbrokerSvc.exe N/A (3 identical rows)
N/A N/A C:\MSOCache\All Users\dwm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\comsurrogatecommon\containerbrokerSvc.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2024 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 3020 wrote to memory of 3004 (7 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe
PID 2024 wrote to memory of 2708 (4 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2708 wrote to memory of 2456 (4 identical rows) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2520 (4 identical rows) N/A C:\Windows\SysWOW64\cmd.exe C:\comsurrogatecommon\containerbrokerSvc.exe
PID 2520 wrote to memory of 1972 (3 identical rows) N/A C:\comsurrogatecommon\containerbrokerSvc.exe C:\Windows\System32\cmd.exe
PID 1972 wrote to memory of 2248 (3 identical rows) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1972 wrote to memory of 2128 (3 identical rows) N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\dwm.exe
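Each "wrote to memory" row above pairs a parent with the child it had just started, which is what ordinary process creation looks like from a sandbox hook (the parent populates the new process's address space before it runs); no single row is evidence of injection, but together they give the execution chain. The dropper starts DCRatBuild.exe and a bundled NSIS installer (Everything-1.4.1.1024.x64-Setup.exe; the nsy2464.tmp plugin DLLs under Files belong to it), DCRatBuild.exe runs the .vbe through WScript.exe, the .vbe runs the .bat through cmd.exe, the .bat launches containerbrokerSvc.exe from C:\comsurrogatecommon, and that binary uses a second cmd.exe to run w32tm.exe (the /stripchart call is commonly used by batch droppers as a timing delay) and then dwm.exe from C:\MSOCache. WScript.exe is recorded under SysWOW64 although the command line names System32 because the 32-bit DCRatBuild.exe is subject to WoW64 file-system redirection. The following Python, added here as an example and not part of the sandbox report or of DCRat, rebuilds that tree from rows in the format the sandbox emits (one row per write, before de-duplication) and flags lineages in which a script host leads via cmd.exe to an executable outside the Windows and Program Files trees. The row regex, the trusted-root list and the flagging rule are the example's own assumptions.

```python
"""Rebuild a process tree from sandbox 'wrote to memory' rows and flag
script-host -> cmd.exe -> foreign-executable lineages."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# One row per write, as the sandbox reports them (copied from the table above).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe"
SAMPLE_ROWS = [
    "PID 3020 wrote to memory of 2024 N/A " + DROPPER + r" C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe",
    "PID 3020 wrote to memory of 2024 N/A " + DROPPER + r" C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe",
    "PID 3020 wrote to memory of 3004 N/A " + DROPPER + r" C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe",
    r"PID 2024 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2708 wrote to memory of 2456 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2456 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\comsurrogatecommon\containerbrokerSvc.exe",
    r"PID 2520 wrote to memory of 1972 N/A C:\comsurrogatecommon\containerbrokerSvc.exe C:\Windows\System32\cmd.exe",
    r"PID 1972 wrote to memory of 2248 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 1972 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\MSOCache\All Users\dwm.exe",
]

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Paths may contain spaces, so split only on the space that precedes a drive letter.
_PATH_SPLIT = re.compile(r" (?=[A-Za-z]:\\)")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: executables under these roots are treated as expected locations.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    return path.rpartition("\\")[2]


def parse_row(row: str) -> Optional[Tuple[int, str, int, str]]:
    """Return (parent pid, parent image, child pid, child image) or None."""
    m = _ROW.match(row.strip())
    if not m:
        return None
    parts = _PATH_SPLIT.split(m.group(3), maxsplit=1)
    if len(parts) != 2:
        return None
    return int(m.group(1)), parts[0], int(m.group(2)), parts[1]


def build_tree(rows: List[str]) -> Tuple[Dict[int, str], Dict[int, Set[int]]]:
    """pid -> image path, and ppid -> child pids. Repeated writes into the same
    child collapse to a single edge."""
    names: Dict[int, str] = {}
    children: Dict[int, Set[int]] = defaultdict(set)
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        ppid, parent, pid, child = parsed
        names.setdefault(ppid, parent)
        names.setdefault(pid, child)
        children[ppid].add(pid)
    return names, children


def roots(names: Dict[int, str], children: Dict[int, Set[int]]) -> List[int]:
    """Parents that never appear as somebody's child."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def render(names: Dict[int, str], children: Dict[int, Set[int]]) -> List[str]:
    """Indented text tree, one line per process, children in pid order."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {basename(names[pid])}")
        for kid in sorted(children.get(pid, ())):
            walk(kid, depth + 1)

    for r in roots(names, children):
        walk(r, 0)
    return lines


def lineages(names: Dict[int, str], children: Dict[int, Set[int]]) -> List[List[str]]:
    """Every root-to-leaf chain as a list of image paths."""
    out: List[List[str]] = []

    def walk(pid: int, chain: List[str]) -> None:
        chain = chain + [names[pid]]
        kids = children.get(pid)
        if not kids:
            out.append(chain)
            return
        for kid in sorted(kids):
            walk(kid, chain)

    for r in roots(names, children):
        walk(r, [])
    return out


def is_script_to_foreign_exe(chain: List[str]) -> bool:
    """True when a script host is followed by cmd.exe which is followed (at any
    depth) by an executable outside TRUSTED_ROOTS: the .vbe -> .bat ->
    containerbrokerSvc.exe pattern in this report."""
    lowered = [basename(p).lower() for p in chain]
    for i, name in enumerate(lowered):
        if name not in SCRIPT_HOSTS:
            continue
        for j in range(i + 1, len(chain)):
            if lowered[j] != "cmd.exe":
                continue
            for k in range(j + 1, len(chain)):
                if not chain[k].lower().startswith(TRUSTED_ROOTS):
                    return True
    return False


if __name__ == "__main__":
    n, c = build_tree(SAMPLE_ROWS)
    print("\n".join(render(n, c)))
    for chain in lineages(n, c):
        tag = "FLAG" if is_script_to_foreign_exe(chain) else "ok  "
        print(tag, " -> ".join(basename(p) for p in chain))
```

The same parser works on the full table from either detonation; the dwm.exe lineage is flagged because C:\MSOCache is outside the trusted roots, while the Everything installer branch, which never passes through a script host, is not.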

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe

"C:\Users\Admin\AppData\Local\Temp\581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\comsurrogatecommon\h6khYLQAm3C9Gvan2yaD6Idxz.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\comsurrogatecommon\ndyJqdcK3gAQnUI3h5cTrzbsXo5.bat" "

C:\comsurrogatecommon\containerbrokerSvc.exe

"C:\comsurrogatecommon\containerbrokerSvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\comsurrogatecommon\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\comsurrogatecommon\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\comsurrogatecommon\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\comsurrogatecommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\comsurrogatecommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\comsurrogatecommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "containerbrokerSvcc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\containerbrokerSvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "containerbrokerSvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\containerbrokerSvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "containerbrokerSvcc" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\containerbrokerSvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\comsurrogatecommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\comsurrogatecommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\comsurrogatecommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2G96hsWfk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSOCache\All Users\dwm.exe

"C:\MSOCache\All Users\dwm.exe"

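The 39 schtasks.exe /create lines above follow one template per dropped binary: a MINUTE task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, each pointing at a copy of the payload carrying a system-process name (winlogon.exe, lsass.exe, csrss.exe, smss.exe, dwm.exe, ...) placed outside the Windows directory. The two MINUTE tasks reuse the same task name, so with /f the second one simply overwrites the first. The following Python, added here as an example and not part of the sandbox report or of DCRat, parses such command lines and flags the three traits (system-binary name outside %SystemRoot%, ONLOGON plus MINUTE re-registration of one target, and /rl HIGHEST); the parsing regexes, the system-name list, the legitimate-directory list and the constructed NightlyBackup control line are the example's own assumptions.

```python
"""Audit schtasks.exe /create command lines for DCRat-style persistence."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows binaries that legitimately live only under %SystemRoot%.
# Assumption: an illustrative list, extend it for your own estate.
SYSTEM_BINARY_NAMES = {
    "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe",
    "dwm.exe", "conhost.exe", "dllhost.exe", "spoolsv.exe", "explorer.exe",
    "cmd.exe", "svchost.exe", "wininit.exe",
}
# Directories where those names are expected (lower case, trailing backslash).
LEGIT_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}

_TN = re.compile(r'/tn\s+"([^"]*)"', re.I)
_SC = re.compile(r"/sc\s+(\S+)", re.I)
_MO = re.compile(r"/mo\s+(\d+)", re.I)
_TR = re.compile(r'''/tr\s+"'?([^"']*)'?"''', re.I)   # /tr "'path'" or /tr "path"
_RL = re.compile(r"/rl\s+(\S+)", re.I)


@dataclass
class TaskCreate:
    name: str                # /tn
    schedule: str            # /sc: MINUTE, ONLOGON, DAILY, ...
    modifier: Optional[int]  # /mo, the re-launch interval for MINUTE tasks
    target: str              # /tr program path with the quoting stripped
    runlevel: Optional[str]  # /rl, HIGHEST asks for the full admin token


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Return the task parameters, or None when this is not a /create call."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    tn, sc, tr = _TN.search(cmdline), _SC.search(cmdline), _TR.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo, rl = _MO.search(cmdline), _RL.search(cmdline)
    return TaskCreate(
        name=tn.group(1),
        schedule=sc.group(1).upper(),
        modifier=int(mo.group(1)) if mo else None,
        target=tr.group(1).strip(),
        runlevel=rl.group(1).upper() if rl else None,
    )


def is_masquerading(path: str) -> bool:
    """True when a system-binary name sits outside the system directories."""
    directory, _, base = path.lower().rpartition("\\")
    return base in SYSTEM_BINARY_NAMES and directory + "\\" not in LEGIT_DIRS


def audit(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious /tr target to the reasons it was flagged."""
    by_target: Dict[str, List[TaskCreate]] = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks_create(line)
        if task:
            by_target[task.target].append(task)

    findings: Dict[str, List[str]] = {}
    for target, tasks in by_target.items():
        reasons = []
        base = target.rpartition("\\")[2]
        if is_masquerading(target):
            reasons.append(f"{base} registered outside %SystemRoot% (masquerading)")
        schedules = {t.schedule for t in tasks}
        if len(tasks) > 1 and {"ONLOGON", "MINUTE"} <= schedules:
            minutes = sorted(t.modifier for t in tasks if t.modifier)
            reasons.append(f"{len(tasks)} tasks: ONLOGON plus MINUTE re-launch every {minutes} min")
        if any(t.runlevel == "HIGHEST" for t in tasks):
            reasons.append("requests /rl HIGHEST")
        if reasons:
            findings[target] = reasons
    return findings


# Command lines copied from the Processes list above, plus one constructed
# benign task (NightlyBackup) as a control that must not be flagged.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "containerbrokerSvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\containerbrokerSvc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 03:00 /tr "'C:\Program Files\BackupTool\backup.exe'" /f''',
]

if __name__ == "__main__":
    for target, reasons in audit(SAMPLE_CMDLINES).items():
        print(target)
        for reason in reasons:
            print("   -", reason)
```

On a live host the same audit can be run over the XML exported by schtasks /query /xml, or over Security event 4698 (task created) and Sysmon event 1 command lines, where the masquerading check alone separates this family from legitimate tasks: the real winlogon.exe, lsass.exe and csrss.exe are never registered as scheduled tasks from C:\Recovery, C:\MSOCache or C:\Program Files\Windows NT.
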
Network

Country Destination Domain Proto
US 8.8.8.8:53 a0986288.xsph.ru udp
RU 141.8.197.42:80 a0986288.xsph.ru tcp
RU 141.8.197.42:80 a0986288.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 1b0d74d91e3556b4296fdfa8e2026027
SHA1 99a9aefc118aac03355bdb3992ca91b37bb7ecd3
SHA256 8ed1d39fa5617f5f79c94be770549a88452829b56c7a878af030baa1ae060f9b
SHA512 fcb8e958b31363e1d6b0c483ef9367a1787abc9654b3d88f9f203db7303482db1547c7f9c52d94fc15144b593b546c25fb9cee6cbe833c36bece6cdbcd86c5a0

\Users\Admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe

MD5 5036e609163e98f3ac06d5e82b677df8
SHA1 176db10a4cda7104f24eece2d87e1a664b7fb929
SHA256 b2afe799584c913532c673f99ade45113bf5a5b605a964ce9fa837f563b6fc21
SHA512 40c4332e2e4132fc7f3a5f0738a67e7725b329c4a4b0643fbc65f5d1de3ca4b6bf7374c2a722ea05f01a5e2ddd458344289fdb39bbb092a0b64e63eb168313e4

memory/3020-13-0x0000000000400000-0x0000000000712000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy2464.tmp\InstallOptions.dll

MD5 ece25721125d55aa26cdfe019c871476
SHA1 b87685ae482553823bf95e73e790de48dc0c11ba
SHA256 c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA512 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

\Users\Admin\AppData\Local\Temp\nsy2464.tmp\LangDLL.dll

MD5 68b287f4067ba013e34a1339afdb1ea8
SHA1 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA256 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA512 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

C:\comsurrogatecommon\h6khYLQAm3C9Gvan2yaD6Idxz.vbe

MD5 c2cebb18805a35aa4f1dc912dc6ff0d2
SHA1 6b32588c705ef239c1ed2f024d8eba13ac1bc50f
SHA256 d178fab8fa489f9f67902f5b777145c321b6f614641c573edeb2da8f22127351
SHA512 0c4b01a735f064420916e11049a9f8b378a54d6e5cf24704e3f66f65be2696bfc88e6edf56b5887ef957991f7db1094f6283983fabc3c39c4f063e14b49dbeee

C:\comsurrogatecommon\ndyJqdcK3gAQnUI3h5cTrzbsXo5.bat

MD5 9847e6047e87392038dbd26b21c4de12
SHA1 eb898a87f645939df45449aabf80282be23ccd10
SHA256 7211497c50c8ffc77a8ef893eca0cd8a6d39a5ed7cde524a9ec503758d0c4715
SHA512 c81e3e122d22b338aed653e51748c94d936555e4c00e77074e3f445f18af7eb641dede865165c3398b50bbf6c4b0fc5baaaba8fb6119e2a79dc3230f7030c633

\comsurrogatecommon\containerbrokerSvc.exe

MD5 30f9e0ff5a6f1343d0828e74f8d4d442
SHA1 b248379c85738a0deb8139f739a8fa7b343d876e
SHA256 88a7db7ae820d84729ca9d9376848544bde2788f300d4303fd1b19c50c4c348d
SHA512 9d4c4e1ad1cdadb295e029f0f71abf7a7679103c16ed05158f0feb491d403ebb69d1377352a2c25671bdfa53fde4d437a6cc1110b03f83ca9e6d14b693ecbe89

memory/2520-48-0x0000000001110000-0x0000000001206000-memory.dmp

memory/2520-49-0x00000000004D0000-0x00000000004DE000-memory.dmp

memory/2520-50-0x00000000004E0000-0x00000000004E8000-memory.dmp

memory/2520-51-0x00000000004F0000-0x00000000004FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w2G96hsWfk.bat

MD5 468d0fc1d63ea6172093c8837db1cc71
SHA1 b19a01e9729bce553cf50cc231b4f100d93be626
SHA256 9d85164bf029cb328dc4bd3fac1b46623ef5caf2a9dc17e1a0b42368d62e8fed
SHA512 e257e80fae46e3b9248ad036678ca9b629834b2e8c4071c9fa80c76b450d762f2bdc4f6554f6cd713f959195e704dd6add6cac7c72b474f821b5054d533c15b3

\Users\Admin\AppData\Local\Temp\nsy2464.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

memory/2128-99-0x0000000000900000-0x00000000009F6000-memory.dmp