Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-jly78a1bqe
Target 0da9851aec9b55401560a80652ef22a6.exe
SHA256 0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fd55b4277f417ddcf927bc94bff8b96415b9630dfcf3e8aac3e153dc015a4a9

Threat Level: Known bad

The file 0da9851aec9b55401560a80652ef22a6.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DcRat

Process spawned unexpected child process

DCRat payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 07:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 07:46

Reported

2024-06-17 07:48

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Office14\1033\69ddcba757bf72 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\69ddcba757bf72 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\101b941d020240 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\lsm.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\smss.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\smss.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\winlogon.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\cc11b995f2a76d C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\conhost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\088424020bedd6 C:\MsComponenthostcrt\BlockComponenthost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IME\imekr8\help\NjRat 0.7D Green Edition by im523.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Windows\IME\imekr8\help\00dff9bef53269 C:\MsComponenthostcrt\BlockComponenthost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\MsComponenthostcrt\BlockComponenthost.exe N/A
N/A N/A C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\MsComponenthostcrt\BlockComponenthost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 2060 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 2060 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 2060 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe
PID 2060 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 2060 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 2060 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 2060 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
PID 1580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 1580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 1580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 1580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2472 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2472 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2472 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2472 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe
PID 2612 wrote to memory of 1524 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 1524 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Windows\System32\cmd.exe
PID 2612 wrote to memory of 1524 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Windows\System32\cmd.exe
PID 1524 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1524 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1524 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1524 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe
PID 1524 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe
PID 1524 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe

"C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe"

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

"C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe"

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

"C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\MsComponenthostcrt\V8pyu.bat" "

C:\MsComponenthostcrt\BlockComponenthost.exe

"C:\MsComponenthostcrt\BlockComponenthost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MsComponenthostcrt\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MsComponenthostcrt\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MsComponenthostcrt\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523N" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\NjRat 0.7D Green Edition by im523.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\NjRat 0.7D Green Edition by im523.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523N" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\NjRat 0.7D Green Edition by im523.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MsComponenthostcrt\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MsComponenthostcrt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MsComponenthostcrt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523N" /sc MINUTE /mo 10 /tr "'C:\MsComponenthostcrt\NjRat 0.7D Green Edition by im523.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523" /sc ONLOGON /tr "'C:\MsComponenthostcrt\NjRat 0.7D Green Edition by im523.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523N" /sc MINUTE /mo 5 /tr "'C:\MsComponenthostcrt\NjRat 0.7D Green Edition by im523.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MsComponenthostcrt\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MsComponenthostcrt\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MsComponenthostcrt\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523N" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\imekr8\help\NjRat 0.7D Green Edition by im523.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523" /sc ONLOGON /tr "'C:\Windows\IME\imekr8\help\NjRat 0.7D Green Edition by im523.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NjRat 0.7D Green Edition by im523N" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\imekr8\help\NjRat 0.7D Green Edition by im523.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MsComponenthostcrt\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MsComponenthostcrt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MsComponenthostcrt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MsComponenthostcrt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MsComponenthostcrt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MsComponenthostcrt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Fp1aOXQCI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe

"C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\smss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0993996.xsph.ru udp
RU 141.8.192.93:80 a0993996.xsph.ru tcp

Files

memory/2060-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

memory/2060-1-0x0000000000CB0000-0x0000000000DDA000-memory.dmp

memory/2060-8-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

MD5 ffa0e2bbc82794b112a5ef66d18b27e4
SHA1 ebc81ad3542f2bdf1f7ffa9589c4703c8c59ee83
SHA256 281c5ad0809300d2067220f782074348ec5449a7fd31cae5d8a212e6f7eb5055
SHA512 4501aa78e94a7c6599fb60c744025783b5c2774d6a99d168a345d893618c087ce098141edd561a9db91326c7c4a4c627f2d91d42348c2c7a0458751c92ced152

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

MD5 1033c448810d3b507423546432e2f502
SHA1 2bf9d04f68ed15b957378fb95daa78c85d5b2b26
SHA256 f0c85722b88d1e7a1941ba17551cd5c29aef99fad86d78a5631a0f5446b3f580
SHA512 aeb964632dfad41fc383a68ace0e6beb152a7075f21a32e449624a27da5d2a5ccda0665fbd90597d65d74b0790877baf6f81336660b1df4bf38b41cd0bc6cd44

memory/2060-16-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe

MD5 c05a26a0f85d0f422df97128fef29cd3
SHA1 c187a0cfb88c4beae723a173957181bb61908811
SHA256 78c756b19d29b70c47f908a98e8029b192329c571a792a16df1b6dc089858515
SHA512 5adfa06b02514375e14d370976ec7ec9c13890fb67d6904fa103e16f5d212afe34878a8a5891759da1a47562662545249fe3d7f213b52cb2ad3d1eb0ea1fabd9

C:\MsComponenthostcrt\V8pyu.bat

MD5 169e51661baeb41549847d1069e779f6
SHA1 b0f7c9ba64f8338312715e26741674c17d7c6dd6
SHA256 f1b2daf2c4f636fcf9994263066dd63d4df27ae090138939bc3e93f4bbb50338
SHA512 f00f9ac8fb8a4d7fefbf7cf008a9c26019d7dabe7984cb763ff5563d33c7dd8ee58872646f9c48f651f613967c5fcdd3cad83c2eb57cf476632b1503d3674c74

\MsComponenthostcrt\BlockComponenthost.exe

MD5 68866acdadaec4fe950d5648386e8d1f
SHA1 71332e0c4ed5f9117446d6735a946ebea6c90747
SHA256 311763efffec17158382ebb545b5e34116ff3ed5f4ccdbd2f00db805992d928c
SHA512 c2af0b8df821712116d5d9a1084c5441cf5a8d3f3cfdf2afbe000e4d457f47ceb9c6902f8343758e96bd6a3d314e06e94ff6dbd20158af23604ec0e99e604393

memory/2612-30-0x00000000003B0000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7Fp1aOXQCI.bat

MD5 1b9a3a0bacf203fdac9c082186795bec
SHA1 e45bc293c445390398edb7bd63158f8af03b215e
SHA256 278a7717503416d27f6605402b6cc927cb8e4e20c2b8ca85969109832394c434
SHA512 0c5aa9108c8faa56bb332e33e8ea25ef660159ab78191d017d33adfa348fab83a13a8d06639f2bddcda9778c30c0d360a14ba45841e31ebbb8e7b6dfefb0107b

memory/2764-76-0x00000000001F0000-0x00000000002C6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 07:46

Reported

2024-06-17 07:48

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(42 identical rows, one per schtasks.exe /create invocation listed under Processes)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\MsComponenthostcrt\BlockComponenthost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Photo Viewer\it-IT\fontdrvhost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Microsoft Office\Office16\sysmon.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\7-Zip\Lang\ea9f0e6c9e2dcd C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\fontdrvhost.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\29c1c3cc0f7685 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Windows Defender\System.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\7-Zip\Lang\taskhostw.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\services.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\c5b4cb5e9653cc C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\upfc.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Windows Photo Viewer\it-IT\5b884080fd4f94 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files\Microsoft Office\Office16\121e5b5079f7c0 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0 C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\ea1d8f6d871115 C:\MsComponenthostcrt\BlockComponenthost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\it-IT\RuntimeBroker.exe C:\MsComponenthostcrt\BlockComponenthost.exe N/A
File created C:\Windows\it-IT\9e8d7a4ca61bd9 C:\MsComponenthostcrt\BlockComponenthost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(42 identical rows, one per schtasks.exe /create invocation listed under Processes)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\MsComponenthostcrt\BlockComponenthost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\MsComponenthostcrt\BlockComponenthost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Office16\sysmon.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe (x3)
PID 2156 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe (x3)
PID 4100 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe C:\Windows\SysWOW64\WScript.exe (x3)
PID 2076 wrote to memory of 1552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (x3)
PID 1552 wrote to memory of 4924 N/A C:\Windows\SysWOW64\cmd.exe C:\MsComponenthostcrt\BlockComponenthost.exe (x2)
PID 4924 wrote to memory of 712 N/A C:\MsComponenthostcrt\BlockComponenthost.exe C:\Windows\System32\cmd.exe (x2)
PID 712 wrote to memory of 1992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 712 wrote to memory of 100 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Office16\sysmon.exe (x2)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe

"C:\Users\Admin\AppData\Local\Temp\0da9851aec9b55401560a80652ef22a6.exe"

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

"C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe"

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

"C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsComponenthostcrt\V8pyu.bat" "

C:\MsComponenthostcrt\BlockComponenthost.exe

"C:\MsComponenthostcrt\BlockComponenthost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\MsComponenthostcrt\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\MsComponenthostcrt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\MsComponenthostcrt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\MsComponenthostcrt\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\MsComponenthostcrt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\MsComponenthostcrt\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\MsComponenthostcrt\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\MsComponenthostcrt\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\MsComponenthostcrt\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MsComponenthostcrt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MsComponenthostcrt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MsComponenthostcrt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\upfc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\COvVUgQEFW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office\Office16\sysmon.exe

"C:\Program Files\Microsoft Office\Office16\sysmon.exe"
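
In the schtasks.exe command lines above, each dropped binary is registered three times: a MINUTE task with no run level, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, with intervals between 5 and 14 minutes. The task names are derived from the binary name, the minute tasks carrying the binary's own first letter appended (fontdrvhost / fontdrvhostf, Registry / RegistryR, csrss / csrssc), and every action points at a Windows process name planted under Program Files, C:\Windows\it-IT, C:\Recovery\WindowsRE, C:\Users\Public\AccountPictures or C:\MsComponenthostcrt rather than System32. The 42 "Parent wmiprvse.exe is not expected to spawn this process" rows and the 42 "Creates scheduled task(s)" rows in the signature tables match these invocations in number. The following Python is an added example, not sandbox output and not code from the sample: it parses such schtasks /create command lines, flags task actions whose file name imitates a system process but whose directory is not System32/SysWOW64, checks the task-naming habit described above, and also flags the wmiprvse.exe to schtasks.exe parent/child pair and the w32tm /stripchart /computer:localhost call from the dropper's batch file. The event record format (parent_image, image, cmdline) is an assumption modelled on a process-creation log; the sample events and schtasks lines are constructed from the entries on this page.

```python
"""Detection logic for the persistence pattern in this report (added
example, not sandbox output). The event record format is an assumption
modelled on a process-creation log; sample data is constructed from the
command lines and parent/child pairs listed on this page."""
import re
from pathlib import PureWindowsPath

# File names the dropped binaries imitate, taken from the task actions
# under Processes. The real ones live in System32/SysWOW64 or, for
# Idle, System and Registry, are kernel-side names with no file at all.
MIMICKED = {"fontdrvhost", "registry", "idle", "sihost", "unsecapp", "sysmon",
            "runtimebroker", "csrss", "system", "taskhostw", "services", "upfc"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

SCHTASKS_RE = re.compile(
    r'/tn\s+"(?P<tn>[^"]+)"\s+/sc\s+(?P<sc>\w+)(?:\s+/mo\s+(?P<mo>\d+))?'
    r'\s+/tr\s+"\'?(?P<tr>[^"\']+)\'?"(?P<rl>\s+/rl\s+HIGHEST)?', re.I)


def parse_schtasks_create(cmdline):
    """Task name, schedule, interval, action and run level of a
    'schtasks /create' command line, or None if it is not one."""
    if "/create" not in cmdline.lower():
        return None
    m = SCHTASKS_RE.search(cmdline)
    if not m:
        return None
    return {"task": m["tn"], "schedule": m["sc"].upper(),
            "every_minutes": int(m["mo"]) if m["mo"] else None,
            "target": m["tr"], "highest": m["rl"] is not None}


def is_masquerading(path):
    """True when the file name imitates a system process but the file
    sits outside the Windows system directories."""
    p = PureWindowsPath(path)
    return (p.stem.lower() in MIMICKED
            and not str(p.parent).lower().startswith(SYSTEM_DIRS))


def dcrat_task_naming(task, target):
    """Every pair on this page names the ONLOGON task after the binary and
    the MINUTE task after the binary plus its own first letter
    (fontdrvhost / fontdrvhostf, Registry / RegistryR)."""
    stem = PureWindowsPath(target).stem
    return task in (stem, stem + stem[0])


def evaluate(event):
    """Names of the rules one process-creation event matches."""
    hits = []
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    if parent == "wmiprvse.exe" and image == "schtasks.exe":
        hits.append("wmiprvse_spawns_schtasks")
    if is_masquerading(event["image"]):
        hits.append("masquerading_image_executed")
    task = parse_schtasks_create(cmd) if image == "schtasks.exe" else None
    if task:
        if is_masquerading(task["target"]):
            hits.append("task_action_masquerades_system_binary")
        if task["highest"]:
            hits.append("task_runlevel_highest")
        if dcrat_task_naming(task["task"], task["target"]):
            hits.append("dcrat_task_naming")
    # w32tm /stripchart against localhost is a common batch-file sleep
    # substitute; the dropper's .bat runs it just before the payload.
    low = cmd.lower()
    if image == "w32tm.exe" and "/stripchart" in low and "/computer:localhost" in low:
        hits.append("w32tm_stripchart_delay")
    return hits


def persistence_targets(cmdlines):
    """Unique task actions across a set of schtasks command lines."""
    return sorted({t["target"] for t in map(parse_schtasks_create, cmdlines) if t})


# Constructed sample input: a subset of the schtasks lines under Processes.
SAMPLE_SCHTASKS = [
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\MsComponenthostcrt\Registry.exe'" /f''',
    r'''schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\MsComponenthostcrt\Registry.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\sysmon.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\RuntimeBroker.exe'" /f''',
]


def event(parent, image, cmdline):
    return {"parent_image": parent, "image": image, "cmdline": cmdline}


# Constructed from the parent/child pairs in the signature tables above.
SAMPLE_EVENTS = [
    event(r"C:\Windows\system32\wbem\wmiprvse.exe",
          r"C:\Windows\system32\schtasks.exe", SAMPLE_SCHTASKS[0]),
    event(r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe",
          "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    event(r"C:\Windows\System32\cmd.exe",
          r"C:\Program Files\Microsoft Office\Office16\sysmon.exe",
          r'"C:\Program Files\Microsoft Office\Office16\sysmon.exe"'),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(PureWindowsPath(e["image"]).name, "->", evaluate(e))
    print("persistence targets:", persistence_targets(SAMPLE_SCHTASKS))
```

Run as a script it prints the rule hits for the three constructed events and the unique task actions; on a live host the same functions can be fed from Sysmon event ID 1 or an EDR process-creation stream. The masquerade check is the part worth keeping generic: even within this one run the same file name (fontdrvhost.exe) is planted in two different directories, so matching on the imitated name rather than the path is what holds up. One tuning caveat: "sysmon" is in the list because this sample uses it, so a genuine Sysinternals Sysmon install outside System32 would also trip the rule and needs an allow-list entry.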

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 a0993996.xsph.ru udp
RU 141.8.192.93:80 a0993996.xsph.ru tcp
US 8.8.8.8:53 93.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/2156-0-0x00007FF8FF3D3000-0x00007FF8FF3D5000-memory.dmp

memory/2156-1-0x0000000000F40000-0x000000000106A000-memory.dmp

memory/2156-4-0x00007FF8FF3D0000-0x00007FF8FFE91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Njrat Green Edition.exe

MD5 ffa0e2bbc82794b112a5ef66d18b27e4
SHA1 ebc81ad3542f2bdf1f7ffa9589c4703c8c59ee83
SHA256 281c5ad0809300d2067220f782074348ec5449a7fd31cae5d8a212e6f7eb5055
SHA512 4501aa78e94a7c6599fb60c744025783b5c2774d6a99d168a345d893618c087ce098141edd561a9db91326c7c4a4c627f2d91d42348c2c7a0458751c92ced152

C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe

MD5 1033c448810d3b507423546432e2f502
SHA1 2bf9d04f68ed15b957378fb95daa78c85d5b2b26
SHA256 f0c85722b88d1e7a1941ba17551cd5c29aef99fad86d78a5631a0f5446b3f580
SHA512 aeb964632dfad41fc383a68ace0e6beb152a7075f21a32e449624a27da5d2a5ccda0665fbd90597d65d74b0790877baf6f81336660b1df4bf38b41cd0bc6cd44

memory/1884-24-0x00000000746A2000-0x00000000746A3000-memory.dmp

memory/1884-25-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/1884-33-0x00000000746A0000-0x0000000074C51000-memory.dmp

memory/2156-32-0x00007FF8FF3D0000-0x00007FF8FFE91000-memory.dmp

C:\MsComponenthostcrt\2Vu14n0daYiirI7IYNRFt9WqzFCZZ.vbe

MD5 c05a26a0f85d0f422df97128fef29cd3
SHA1 c187a0cfb88c4beae723a173957181bb61908811
SHA256 78c756b19d29b70c47f908a98e8029b192329c571a792a16df1b6dc089858515
SHA512 5adfa06b02514375e14d370976ec7ec9c13890fb67d6904fa103e16f5d212afe34878a8a5891759da1a47562662545249fe3d7f213b52cb2ad3d1eb0ea1fabd9

C:\MsComponenthostcrt\V8pyu.bat

MD5 169e51661baeb41549847d1069e779f6
SHA1 b0f7c9ba64f8338312715e26741674c17d7c6dd6
SHA256 f1b2daf2c4f636fcf9994263066dd63d4df27ae090138939bc3e93f4bbb50338
SHA512 f00f9ac8fb8a4d7fefbf7cf008a9c26019d7dabe7984cb763ff5563d33c7dd8ee58872646f9c48f651f613967c5fcdd3cad83c2eb57cf476632b1503d3674c74

C:\MsComponenthostcrt\BlockComponenthost.exe

MD5 68866acdadaec4fe950d5648386e8d1f
SHA1 71332e0c4ed5f9117446d6735a946ebea6c90747
SHA256 311763efffec17158382ebb545b5e34116ff3ed5f4ccdbd2f00db805992d928c
SHA512 c2af0b8df821712116d5d9a1084c5441cf5a8d3f3cfdf2afbe000e4d457f47ceb9c6902f8343758e96bd6a3d314e06e94ff6dbd20158af23604ec0e99e604393

memory/4924-40-0x0000000000EB0000-0x0000000000F86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\COvVUgQEFW.bat

MD5 4a3009f7f40b56cf2c9f2b7277b0308a
SHA1 5d7e6d93dcaf27637a857f1f768acaadd261ce5a
SHA256 484b34fb8e18612b6312442ec94ec36a729d50831b232f27eef14412eeb1be5a
SHA512 2a2379c78441bf111dc319514cf6b288d8823ef0d1fb707a4e4dfb354c643ca7ee1367f3412b4a00ac5147b00fb37d21d44f0ea8d12230bc54d28ca7abf4a4e7

memory/1884-79-0x00000000746A2000-0x00000000746A3000-memory.dmp

memory/1884-80-0x00000000746A0000-0x0000000074C51000-memory.dmp