Malware Analysis Report

2024-10-10 13:02

Sample ID: 240618-tbxlravanj
Target: DCRatBuild.exe
SHA256: e52cc1ecffea7d4429688c0e46b60381b8921a187d9d6275a7c3953c902a5314
Tags: rat dcrat infostealer
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: e52cc1ecffea7d4429688c0e46b60381b8921a187d9d6275a7c3953c902a5314
Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family
DCRat payload
Process spawned unexpected child process
DcRat
DCRat payload
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-18 15:53

Signatures

DCRat payload

rat

Dcrat family

dcrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 15:53
Reported: 2024-06-18 16:07
Platform: win7-20240419-en
Max time kernel: 809s
Max time network: 806s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

The entry above appears nine times in the report, once per schtasks.exe invocation listed under Processes.

DCRat payload

rat

Downloads MZ/PE file

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Mail\de-DE\ebf1f9fa8afd6d | C:\serverSvc\componentWebsession.exe | N/A
File created | C:\Program Files\GECCO.EXE | C:\Program Files\Windows Mail\de-DE\cmd.exe | N/A
File created | C:\Program Files\Windows Mail\de-DE\cmd.exe | C:\serverSvc\componentWebsession.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\de-DE\cmd.exe | C:\serverSvc\componentWebsession.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Windows Mail\de-DE\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\serverSvc\componentWebsession.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\cmd.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\de-DE\cmd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe | N/A

Suspicious use of WriteProcessMemory

Identical report rows are collapsed below; the Rows column gives how many times each write appeared. The Indicator column was N/A for every row.

Source PID | Source process | Target PID | Target process | Rows
2444 | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | 2872 | C:\Windows\SysWOW64\WScript.exe | 4
2872 | C:\Windows\SysWOW64\WScript.exe | 2816 | C:\Windows\SysWOW64\cmd.exe | 4
2816 | C:\Windows\SysWOW64\cmd.exe | 2404 | C:\serverSvc\componentWebsession.exe | 4
2404 | C:\serverSvc\componentWebsession.exe | 2064 | C:\Program Files\Windows Mail\de-DE\cmd.exe | 3
2064 | C:\Program Files\Windows Mail\de-DE\cmd.exe | 2292 | C:\Program Files\GECCO.EXE | 4
2064 | C:\Program Files\Windows Mail\de-DE\cmd.exe | 808 | C:\Program Files\Mozilla Firefox\firefox.exe | 3
808 | C:\Program Files\Mozilla Firefox\firefox.exe | 2436 | C:\Program Files\Mozilla Firefox\firefox.exe | 12
2436 | C:\Program Files\Mozilla Firefox\firefox.exe | 2072 | C:\Program Files\Mozilla Firefox\firefox.exe | 3
2436 | C:\Program Files\Mozilla Firefox\firefox.exe | 1820 | C:\Program Files\Mozilla Firefox\firefox.exe | 27

Uses Task Scheduler COM API

persistence

Processes

Each entry gives the process image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\serverSvc\uT25KYY74sX9lN9csnPM6MC5Vn.vbe"

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\serverSvc\gf2846b4dodkL0pfwMT.bat" "

C:\serverSvc\componentWebsession.exe
    "C:\serverSvc\componentWebsession.exe"

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\de-DE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Program Files\Windows Mail\de-DE\cmd.exe
    "C:\Program Files\Windows Mail\de-DE\cmd.exe"

C:\Program Files\GECCO.EXE
    "C:\Program Files\GECCO.EXE"

C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0xc4

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.0.1665491690\1502566342" -parentBuildID 20221007134813 -prefsHandle 1256 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccd1620f-4f11-4013-be9b-e4889a700d6a} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1368 fded958 gpu

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.1.801171441\1437833296" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ff75a88-66c2-473f-8dff-fab866b93cb8} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1508 eaec258 socket

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.2.255879276\278159024" -childID 1 -isForBrowser -prefsHandle 1724 -prefMapHandle 1884 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e9baefc-2133-4506-9710-9952d3a5eb87} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 1800 19d65b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.3.1361017721\1123961448" -childID 2 -isForBrowser -prefsHandle 716 -prefMapHandle 1708 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe76da02-0b91-4a3e-9aab-950a4b0f9167} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 712 d5b258 tab

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.4.1612894604\1122407689" -childID 3 -isForBrowser -prefsHandle 2884 -prefMapHandle 2880 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a10dd881-cef0-46a8-9d91-06dd1ae8c040} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 2896 eaef558 tab

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.5.664826346\2078703933" -childID 4 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1e9ffbc-c915-42c0-a141-64e0f14c2ea6} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3860 1ed10a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.6.1382820425\55989466" -childID 5 -isForBrowser -prefsHandle 3968 -prefMapHandle 3972 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b26331e3-0600-40dc-b90f-1747baf70ea6} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 3956 1ed10d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2436.7.281601932\625725026" -childID 6 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 608 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d32a817-ebda-4b4f-87c2-0d58e48ecf2b} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" 4136 1ed11058 tab

C:\Windows\system32\taskeng.exe
    taskeng.exe {5587EACD-60CC-460E-AA3C-00BEE8B65C75} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
    "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"

C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe
    C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe

C:\Program Files\Windows Mail\de-DE\cmd.exe
    "C:\Program Files\Windows Mail\de-DE\cmd.exe"

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe
    "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe"

Network


Files

C:\serverSvc\uT25KYY74sX9lN9csnPM6MC5Vn.vbe


C:\serverSvc\gf2846b4dodkL0pfwMT.bat


\serverSvc\componentWebsession.exe


C:\Program Files\GECCO.EXE


SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2449.0\manifest.json

MD5 6981f969f95b2a983547050ab1cb2a20
SHA1 e81c6606465b5aefcbef6637e205e9af51312ef5
SHA256 13b46a6499f31975c9cc339274600481314f22d0af364b63eeddd2686f9ab665
SHA512 9415de9ad5c8a25cee82f8fa1df2e0c3a05def89b45c4564dc4462e561f54fdcaff7aa0f286426e63da02553e9b46179a0f85c7db03d15de6d497288386b26ac

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll

MD5 54dc5ae0659fabc263d83487ae1c03e4
SHA1 c572526830da6a5a6478f54bc6edb178a4d641f4
SHA256 43cad5d5074932ad10151184bdee4a493bda0953fe8a0cbe6948dff91e3ad67e
SHA512 8e8f7b9c7c2ee54749dbc389b0e24722cec0eba7207b7a7d5a1efe99ee8261c4cf708cdbdcca4d72f9a4ada0a1c50c1a46fca2acd189a20a9968ccfdb1cf42d9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\gmp-widevinecdm\4.10.2449.0\widevinecdm.dll.sig

MD5 dea1586a0ebca332d265dc5eda3c1c19
SHA1 29e8a8962a3e934fd6a804f9f386173f1b2f9be4
SHA256 98fbbc41d2143f8131e9b18fe7521f90d306b9ba95546a513c3293916b1fce60
SHA512 0e1e5e9af0790d38a29e9f1fbda7107c52f162c1503822d8860199c90dc8430b093d09aef74ac45519fb20aedb32c70c077d74a54646730b98e026073cedd0d6

memory/1368-485-0x0000000000040000-0x0000000000116000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs-1.js

MD5 2c4bdedb75933046259382e18b0f18ab
SHA1 fc1d95aa5bfa74d8fdeefaab65f2f89a0bc0dba1
SHA256 8b5c720885ce47b4e5e097dea6b6a1d4313d43c71044644d9f1e15b2174ba255
SHA512 b6b147a05e9cee5c6c5fe3e972b4fe2ffb2e4cbf5827fa0f6c204862fb61f0b409882d786fa23514fa45d0dee37c22673d1c157d26ce64f71c91dab3d1da422f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\addonStartup.json.lz4

MD5 41b618353b4d2dcf9245fc2b705941c8
SHA1 8da3f96ab69fc7c83e43b3a0f7b04a945fc0bbbd
SHA256 c222e352ebebbcd99e31b336b837b236c9ece69607d6238bd01d40bfd07261cb
SHA512 0f05b4173827eb2e3840ef8eaa7c56f729d7623570b91b126d634a4b057505214f466268a6670602cdde0eb549bc40f367c7a74a562302d5342f5b5c749b5a8b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\broadcast-listeners.json

MD5 ac4dd3970b768ef8379983c90ff432a5
SHA1 ae38702f2a377baa7a792b4d0d16989bffd47d00
SHA256 5b590684356fb59ac9ebc2d2645f8c8347493301cdf7a4d45102877f8e47a7f2
SHA512 a203186b0e7979d24f960fd4a62c340e6aec777b4efdcca6e1cbbeed8582d848f7ec80277a0fb23004df6e49e0af73de29722bfd3a56d0e39632b6f5957967a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\targeting.snapshot.json

MD5 1b49863693a7f2971f166ff001368bf0
SHA1 6395eed4a57ee35149526bf88a7fbff654e0e91b
SHA256 3a58daef1c7ae10bc64f847e5fd54ca050d674165e839482def7fc4d49bea096
SHA512 7560b4673e9643edf4e5ba2544669c1614880d4f930bd441ec990a0b2215d03133bc0eb1cbf90a840a3aec10a84b71ad5ff5ac00816592baf1782baa7989f344

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 9a4e5a8173b3c1470ec9f1d6a9a08278
SHA1 399af9930ec41a115dcd057ecdfe88b40dbdd031
SHA256 72362c892b7edb62c04e601ea67eb9a7e51f2e6afa921cd489703d94ba793ff0
SHA512 d2da6a09ce04a03c58204d90af58da2c102688a5a11759b63772e42c5bd7b2e3760029d181b0f9231b27c595a2484f070de935a11518da8a350ee20f867dbed3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\bookmarkbackups\bookmarks-2024-06-18_11_XFMTpcVzRE2otKSPvcP91A==.jsonlz4

MD5 25326fe9a484cfa2c0fb7daa04595899
SHA1 63bd3a1791b112ec4d00c2c7d97a8d40fbcb3902
SHA256 7496587881103987755ea8dcdb9b211dae5c936f6ae5027deb9c3bcaf63691c7
SHA512 6bfd2f156cb14414fb199c2acc3e534d1f07f960c9769c2878bcb14ccd8f127879f33c727a541232e601b1cf5173d4b10b86c86db036c17f69849fe7417f1463

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ty9peokp.default-release\cache2\doomed\3461

MD5 c0903d678b676f6060e8e72829030c8b
SHA1 4ec76791b22b51cd2eb300fbfcbf212080ceb813
SHA256 f3b57e45914546ce2f396a93cc589b6107b9394c21c070d6b38a379ad18458ec
SHA512 68749aa29f557012a03437315e24b580acd743f5333ca481c101d509be465c9ad9164276903d8cfd2fcc9bd519904fa5ac0803afc479a3555909b724266bade2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 e5f65e158c5efc6339da7b27d48c837d
SHA1 92cd37139a1d07368aed0dec702803cf5c1dedf9
SHA256 2559ff40b6141a89703cab4b8f215e7ad48dda983b2ea897bb4b96e4644eb96e
SHA512 6be0946fd4d6ed87d05288250bca776cb5b409235c0aff5405f95a0a9b5146c0c40855e27b32f039984e6d3917ea01e72e1c994ee0c19f75f0f4d41ad528b453

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\prefs-1.js

MD5 0818770e529b0cb7fc8c58a6ff2b5198
SHA1 5eebcb77eaf94c6e62ce16006b1cd84986e3c53b
SHA256 450a5fc73a6bff426125b117666385564771ad38eef7ee63635db035e227f17b
SHA512 8030de96c0afc9f7a3c7e85aa7ab0b29845f21e26b3b51ec5cbff1b4065283a4cccfe2b6b68421db2074269e49c61c796cdb8f289b8ccb8d31f7b6f04525d27a

memory/3400-3315-0x0000000001070000-0x0000000001146000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 15:53

Reported

2024-06-18 16:02

Platform

win10v2004-20240508-en

Max time kernel

506s

Max time network

510s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\serverSvc\componentWebsession.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Multimedia Platform\56085415360792 C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe C:\serverSvc\componentWebsession.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9 C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files\MSBuild\Microsoft\dllhost.exe C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\9e8d7a4ca61bd9 C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\RuntimeBroker.exe C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\7a0fd90576e088 C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files\MSBuild\Microsoft\5940a34987c991 C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\9e8d7a4ca61bd9 C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ea1d8f6d871115 C:\serverSvc\componentWebsession.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\explorer.exe C:\serverSvc\componentWebsession.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\upfc.exe C:\serverSvc\componentWebsession.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\serverSvc\componentWebsession.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Templates\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\Microsoft\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Desktop\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\serverSvc\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\sppsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\serverSvc\uT25KYY74sX9lN9csnPM6MC5Vn.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\serverSvc\gf2846b4dodkL0pfwMT.bat" "

C:\serverSvc\componentWebsession.exe

"C:\serverSvc\componentWebsession.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Templates\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Templates\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\pt_BR\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\pt_BR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\locale\pt_BR\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\serverSvc\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\serverSvc\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\serverSvc\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\ja-JP\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe

"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\upfc.exe"

C:\Users\Admin\Templates\dwm.exe

C:\Users\Admin\Templates\dwm.exe

C:\Program Files\MSBuild\Microsoft\dllhost.exe

"C:\Program Files\MSBuild\Microsoft\dllhost.exe"

C:\Users\Default\Desktop\taskhostw.exe

C:\Users\Default\Desktop\taskhostw.exe

C:\serverSvc\backgroundTaskHost.exe

C:\serverSvc\backgroundTaskHost.exe

C:\Recovery\WindowsRE\sppsvc.exe

C:\Recovery\WindowsRE\sppsvc.exe
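The "Drops file in Program Files directory" table and the process list above together describe the persistence routine: componentWebsession.exe writes copies of itself under the names of Windows system binaries (wininit.exe, dwm.exe, RuntimeBroker.exe, dllhost.exe, taskhostw.exe, explorer.exe, sppsvc.exe, upfc.exe) into locations those binaries never live in (Program Files subfolders, the Default user profile, C:\Recovery\WindowsRE), then registers three tasks per copy: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST. Every schtasks.exe in the "Process spawned unexpected child process" rows has wmiprvse.exe as its parent, which is what a process created through WMI (Win32_Process.Create) looks like; a detection keyed only on the dropper's own children would miss all 39 of them. The script below is an added example, not part of the sandbox report or the Triage platform: it parses schtasks /create command lines and applies four rules (WMI-spawned schtasks, short MINUTE intervals, /rl HIGHEST, and a system-binary name outside its home directory) plus a cross-event rule for several tasks pointing at one target. The SYSTEM_BINARY_HOMES table and the 15-minute threshold are assumptions chosen for this example; the sample events are copied from the command lines above, with the parent image taken from the signature rows, plus one constructed benign task that must not fire.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Assumption: where each borrowed binary name legitimately lives. A file with one of these
# names outside its home directory is treated as masquerading (ATT&CK T1036).
SYSTEM_BINARY_HOMES = {
    "wininit.exe": {r"c:\windows\system32"},
    "dwm.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "taskhostw.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "sppsvc.exe": {r"c:\windows\system32"},
    "upfc.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
}

# Assumption: a MINUTE-schedule task that re-runs this often is a watchdog, not admin work.
MAX_BENIGN_MINUTE_INTERVAL = 15

SCHTASKS_FIELDS = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "rl": re.compile(r"/rl\s+(\w+)", re.I),
    # The report's targets are written as "'<path>'"; the inner single quotes are optional here.
    "tr": re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I),
}


def parse_schtasks(cmdline):
    """Return the /tn, /sc, /mo, /rl and /tr fields of a `schtasks /create`, or None otherwise."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create", cmdline, re.I):
        return None
    fields = {}
    for key, rx in SCHTASKS_FIELDS.items():
        m = rx.search(cmdline)
        fields[key] = m.group(1) if m else None
    return fields


def is_masquerade(path):
    """True if the file name is a known Windows binary name but the directory is not its home."""
    p = PureWindowsPath(path)
    homes = SYSTEM_BINARY_HOMES.get(p.name.lower())
    return homes is not None and str(p.parent).lower() not in homes


def analyse(events):
    """Run the rules over (parent_image, image, command_line) tuples; return (rule, value) hits."""
    findings = []
    tasks_per_target = defaultdict(list)
    for parent, image, cmdline in events:
        if PureWindowsPath(image).name.lower() != "schtasks.exe":
            continue
        # WmiPrvSE.exe as parent means the process was created through WMI
        # (Win32_Process.Create), which hides the real caller from a parent/child tree check.
        if PureWindowsPath(parent).name.lower() == "wmiprvse.exe":
            findings.append(("wmi_spawned_schtasks", cmdline))
        fields = parse_schtasks(cmdline)
        if fields is None or fields["tr"] is None:
            continue
        target = fields["tr"]
        tasks_per_target[target.lower()].append(fields["tn"])
        if ((fields["sc"] or "").upper() == "MINUTE" and fields["mo"]
                and int(fields["mo"]) <= MAX_BENIGN_MINUTE_INTERVAL):
            findings.append(("high_frequency_task", target))
        if (fields["rl"] or "").upper() == "HIGHEST":
            findings.append(("highest_runlevel", target))
        if is_masquerade(target):
            findings.append(("masquerade_outside_home", target))
    # Several tasks pointing at one binary (per-minute plus ONLOGON) is the redundancy pattern above.
    for target, names in tasks_per_target.items():
        if len(names) >= 2:
            findings.append(("redundant_tasks", target))
    return findings


def summarize(findings):
    """Count hits per rule."""
    return Counter(rule for rule, _ in findings)


# Constructed sample: four command lines copied from the report (parent taken from the
# "Process spawned unexpected child process" rows) plus one benign task that must not fire.
WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
EVENTS = [
    (WMI, SCHTASKS, r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /f'''),
    (WMI, SCHTASKS, r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f'''),
    (WMI, SCHTASKS, r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f'''),
    (WMI, SCHTASKS, r'''schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f'''),
    # Benign control (constructed): spawned by the shell, daily, no elevation, ordinary target.
    (r"C:\Windows\explorer.exe", SCHTASKS, r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'),
]

if __name__ == "__main__":
    for rule, value in analyse(EVENTS):
        print(f"{rule:26} {value}")
    print(dict(summarize(analyse(EVENTS))))
```

On a live host the same tuples come from Sysmon Event ID 1 (ParentImage, Image, CommandLine) or from Security 4688 with command-line auditing enabled; the masquerade rule also applies directly to the "File created" paths in the Drops-file tables, without any schtasks context. The single-quoted target form `"'C:\...'"` is visible in all 39 command lines and is a cheap extra string match, but it is a build artifact rather than a behaviour, so it belongs in a hunting query, not in the rule set above.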

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 a0997235.xsph.ru udp
US 8.8.8.8:53 a0997235.xsph.ru udp
US 8.8.8.8:53 a0997235.xsph.ru udp
US 8.8.8.8:53 a0997235.xsph.ru udp
US 8.8.8.8:53 a0997235.xsph.ru udp
US 8.8.8.8:53 a0997235.xsph.ru udp

Files

C:\serverSvc\uT25KYY74sX9lN9csnPM6MC5Vn.vbe

MD5 3eb5572f17909b56d4cee2e83ccc9a26
SHA1 cba18abc814fa5c21d2e9f443278c1eca9d8ba0c
SHA256 9854308e97720e85f5320b88e6cc61253644a96555dff1e3b4a606bbc1f85ac4
SHA512 9b2bcd8630fb199bacabffbc7e6cb7b4c7d99457a5924bb4c663c5f512aa2c22af476c7f8535f9724ea373d688fe3031c258187c245bbf680bc6b7ae70ab128f

C:\serverSvc\gf2846b4dodkL0pfwMT.bat

MD5 1754085b520951fdf3d7186ba014b9e4
SHA1 8961805788abe8d70047be180fa3356d772e2f6e
SHA256 fb1c0cae0a88c9492408e784d2c51a47dddc1a5c56207e81a4226b2ccb8f3706
SHA512 b584e30ca0c3e2405ecd0da4bcc5e289519985390d71f712943fa9fc9fd176be41361d4380929bc28c7a87a436f6518108d73eb5230e849f20464a9b1bfe8e31

C:\serverSvc\componentWebsession.exe

MD5 5cb0d74bd826c893d199df79425baeaf
SHA1 65e3a839cb5a2175c371cf5c326b5c6e3d60ee03
SHA256 6d47979cb580349dec635b404f75a0f30256ee1d4fd7925ce93df93e07aeb7ab
SHA512 7453b660c5ce7a4f06869fe2f0bc5b2710bb97df1026fb76e011853a8af69de40145fc531c82e6d384642fd7c46cc157c74ba989a54c061ad17672f83ef10b46

memory/2012-12-0x00007FF9F6243000-0x00007FF9F6245000-memory.dmp

memory/2012-13-0x0000000000A70000-0x0000000000B46000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545