Malware Analysis Report

2024-10-10 13:01

Sample ID 240619-r94fvasdmb
Target DCRatBuild.exe
SHA256 7b612f59430f89b4a130c19c3f59e036e93cd21b8b8dd9049f453ad39aefb516
Tags
dcrat infostealer persistence rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat spyware stealer

DCRat payload

Dcrat family

DcRat

Modifies WinLogon for persistence

Process spawned unexpected child process

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 14:54

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 15:04

Platform

win7-20240611-en

Max time kernel

564s

Max time network

599s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (14 identical rows)
File created C:\Program Files\Windows Media Player\en-US\6cb0b6c459d5d3 C:\blockComagentCommon\bridgehypercom.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A (30 identical rows)
File created C:\Program Files\Windows Media Player\en-US\dwm.exe C:\blockComagentCommon\bridgehypercom.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A (13 identical rows)

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\blockComagentCommon\\explorer.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\blockComagentCommon\\explorer.exe\", \"C:\\blockComagentCommon\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\blockComagentCommon\\explorer.exe\", \"C:\\blockComagentCommon\\cmd.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\winlogon.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\smss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\blockComagentCommon\\explorer.exe\", \"C:\\blockComagentCommon\\cmd.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\blockComagentCommon\\explorer.exe\", \"C:\\blockComagentCommon\\cmd.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\winlogon.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\", \"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\", \"C:\\blockComagentCommon\\winlogon.exe\", \"C:\\Program Files\\Microsoft Office\\services.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\blockComagentCommon\\explorer.exe\", \"C:\\blockComagentCommon\\cmd.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\winlogon.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (57 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows)

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\blockComagentCommon\\explorer.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\blockComagentCommon\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\smss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\smss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\blockComagentCommon\\explorer.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\blockComagentCommon\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\taskhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Adobe\\Updater6\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\cmd.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Media Player\\en-US\\dwm.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\blockComagentCommon\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.151\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\spoolsv.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\wininit.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\blockComagentCommon\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\All Users\Adobe\Updater6\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Update\1.3.36.151\cc11b995f2a76d C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Windows Media Player\en-US\dwm.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File opened for modification C:\Program Files\Windows Media Player\en-US\dwm.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Windows Media Player\en-US\6cb0b6c459d5d3 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Microsoft Office\services.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Microsoft Office\c5b4cb5e9653cc C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe C:\blockComagentCommon\bridgehypercom.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\schemas\TSWorkSpace\lsass.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\c5b4cb5e9653cc C:\blockComagentCommon\bridgehypercom.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (identical row repeated 57 times, once per schtasks.exe invocation; the individual command lines are listed under Processes)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\All Users\Adobe\Updater6\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\blockComagentCommon\bridgehypercom.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Adobe\Updater6\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\blockComagentCommon\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Videos\Sample Videos\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Media Player\en-US\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\blockComagentCommon\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 1152 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 1152 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 1152 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2680 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 2736 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 2736 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 2736 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 2640 wrote to memory of 2096 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Windows\System32\cmd.exe
PID 2640 wrote to memory of 2096 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Windows\System32\cmd.exe
PID 2640 wrote to memory of 2096 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Windows\System32\cmd.exe
PID 2096 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2096 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2096 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2096 wrote to memory of 2580 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\Adobe\Updater6\cmd.exe
PID 2096 wrote to memory of 2580 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\Adobe\Updater6\cmd.exe
PID 2096 wrote to memory of 2580 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\Adobe\Updater6\cmd.exe
PID 2548 wrote to memory of 1908 N/A C:\Windows\system32\taskeng.exe C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe
PID 2548 wrote to memory of 1908 N/A C:\Windows\system32\taskeng.exe C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe
PID 2548 wrote to memory of 1908 N/A C:\Windows\system32\taskeng.exe C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe
PID 2548 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe
PID 2548 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe
PID 2548 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe
PID 2548 wrote to memory of 1864 N/A C:\Windows\system32\taskeng.exe C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe
PID 2548 wrote to memory of 1864 N/A C:\Windows\system32\taskeng.exe C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe
PID 2548 wrote to memory of 1864 N/A C:\Windows\system32\taskeng.exe C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe
PID 2548 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\blockComagentCommon\cmd.exe
PID 2548 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\blockComagentCommon\cmd.exe
PID 2548 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\blockComagentCommon\cmd.exe
PID 2548 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
PID 2548 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
PID 2548 wrote to memory of 2228 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe
PID 2548 wrote to memory of 2820 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\Videos\Sample Videos\winlogon.exe
PID 2548 wrote to memory of 2820 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\Videos\Sample Videos\winlogon.exe
PID 2548 wrote to memory of 2820 N/A C:\Windows\system32\taskeng.exe C:\Users\Public\Videos\Sample Videos\winlogon.exe
PID 2548 wrote to memory of 2104 N/A C:\Windows\system32\taskeng.exe C:\Users\Default User\conhost.exe
PID 2548 wrote to memory of 2104 N/A C:\Windows\system32\taskeng.exe C:\Users\Default User\conhost.exe
PID 2548 wrote to memory of 2104 N/A C:\Windows\system32\taskeng.exe C:\Users\Default User\conhost.exe
PID 2548 wrote to memory of 892 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows Media Player\en-US\dwm.exe
PID 2548 wrote to memory of 892 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows Media Player\en-US\dwm.exe
PID 2548 wrote to memory of 892 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows Media Player\en-US\dwm.exe
PID 2548 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\blockComagentCommon\explorer.exe
PID 2548 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\blockComagentCommon\explorer.exe
PID 2548 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\blockComagentCommon\explorer.exe
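The rows above record each parent writing into a child it has just created, so they double as a process-creation log: the repeats are several writes to the same child, and the bare PIDs hide that 2732 is reused (w32tm.exe first, the dropped explorer.exe later). The Python below is an added example, not part of the sandbox output, that rebuilds the execution chain from a copied subset of those rows, keys processes by (PID, image) so the PID reuse does not merge two different processes, and lists what taskeng.exe itself launched, which shows the scheduled tasks were already firing inside the detonation window. The sample rows are constructed from the table above; nothing beyond the row format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample input: ten rows copied from the "Suspicious use of
# WriteProcessMemory" table above (one row duplicated on purpose, because the
# report repeats a row each time the parent writes to the same child).
SAMPLE_ROWS = [
    r"PID 1152 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1152 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2680 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2736 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe",
    r"PID 2640 wrote to memory of 2096 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Windows\System32\cmd.exe",
    r"PID 2096 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2096 wrote to memory of 2580 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\Adobe\Updater6\cmd.exe",
    r"PID 2548 wrote to memory of 1908 N/A C:\Windows\system32\taskeng.exe C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe",
    r"PID 2548 wrote to memory of 1124 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe",
    r"PID 2548 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\blockComagentCommon\explorer.exe",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")


def parse_row(row):
    """Return ((ppid, parent_image), (cpid, child_image)), or None when the row
    is not a WriteProcessMemory row."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    ppid, cpid, images = m.groups()
    # Image paths contain spaces ("All Users", "Sample Videos"), so split the two
    # paths at the last " C:\" rather than on whitespace.
    cut = images.rfind(" C:\\")
    if cut < 0:
        return None
    return (int(ppid), images[:cut]), (int(cpid), images[cut + 1:])


def build_tree(rows):
    """Map each (pid, image) node to its unique children in first-seen order.
    Nodes are keyed by (pid, image) rather than pid alone because PIDs are reused
    within a detonation: 2732 is w32tm.exe early on and the dropped explorer.exe later."""
    tree = defaultdict(list)
    for row in rows:
        edge = parse_row(row)
        if edge is None:
            continue
        parent, child = edge
        if child not in tree[parent]:
            tree[parent].append(child)
        tree.setdefault(child, [])
    return tree


def roots(tree):
    """Nodes that never appear as a child: the submitted sample and, once the
    created tasks start firing, the Task Scheduler engine."""
    children = {c for kids in tree.values() for c in kids}
    return [n for n in tree if n not in children]


def render(tree, node=None, depth=0):
    """Indented text tree, one 'pid image' line per process."""
    lines = []
    for n in ([node] if node is not None else roots(tree)):
        lines.append("  " * depth + f"{n[0]} {n[1]}")
        for kid in tree[n]:
            lines.extend(render(tree, kid, depth + 1))
    return lines


def launched_by(tree, file_name):
    """Image paths started by any process whose file name is file_name, e.g.
    everything taskeng.exe ran on behalf of the scheduled tasks."""
    out = []
    for (pid, image), kids in tree.items():
        if image.rsplit("\\", 1)[-1].lower() == file_name.lower():
            out.extend(kid[1] for kid in kids)
    return out


if __name__ == "__main__":
    t = build_tree(SAMPLE_ROWS)
    print("\n".join(render(t)))
    print("\nStarted by the Task Scheduler during detonation:")
    for image in launched_by(t, "taskeng.exe"):
        print("  " + image)
```

Keying on (PID, image) matters for any sandbox log of this length: with PID alone, the w32tm.exe child of cmd.exe and the explorer.exe copy started by taskeng.exe would collapse into one node and the tree would show the scheduler launching a child of the batch script.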

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\blockComagentCommon\XXy2W.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat" "

C:\blockComagentCommon\bridgehypercom.exe

"C:\blockComagentCommon\bridgehypercom.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Updater6\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Updater6\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\blockComagentCommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\blockComagentCommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\blockComagentCommon\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\blockComagentCommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\blockComagentCommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\blockComagentCommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\blockComagentCommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\Sample Videos\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Aee2V9JGa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Adobe\Updater6\cmd.exe

"C:\Users\All Users\Adobe\Updater6\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0CC28E0E-5AB8-4D4A-B0C5-9AF15DCA2909} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe

C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe

"C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2e8

C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe

C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\taskhost.exe

C:\blockComagentCommon\cmd.exe

C:\blockComagentCommon\cmd.exe

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe

"C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe"

C:\Users\Public\Videos\Sample Videos\winlogon.exe

"C:\Users\Public\Videos\Sample Videos\winlogon.exe"

C:\Users\Default User\conhost.exe

"C:\Users\Default User\conhost.exe"

C:\Program Files\Windows Media Player\en-US\dwm.exe

"C:\Program Files\Windows Media Player\en-US\dwm.exe"

C:\blockComagentCommon\explorer.exe

C:\blockComagentCommon\explorer.exe
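The 57 schtasks invocations above follow one template per dropped copy: a MINUTE task with a 5 to 14 minute interval, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, each named after its target (the file stem, or the stem with its first letter appended: dwm and dwmd, spoolsv and spoolsvs, taskhost and taskhostt). The Python below is an added example, not part of the report, that parses such command lines, flags the traits visible here (a Windows process name outside the Windows directory, highest run level, short relaunch interval, task name derived from the target) and groups the tasks by target binary. The sample lines are copied from the list above except for one constructed benign updater task; the set of process names and of legitimate Windows directories used by the check is the example's own assumption, not something the report states.

```python
import re

# Constructed sample input: five schtasks command lines copied from the Processes
# list above, plus one constructed benign line (not from the report) for contrast.
SAMPLE_CMDS = [
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\services.exe'" /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\blockComagentCommon\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ExampleUpdater" /sc DAILY /st 03:00 /tr "C:\Program Files\Example\updater.exe" /f''',
]

SWITCH_RE = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\S+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    # The dropper wraps the target in double quotes around single quotes ("'C:\...'").
    "tr": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "rl": re.compile(r"/rl\s+(\S+)", re.I),
}

# Assumption for the check: file names the dropper reuses for its copies (all seen
# in the report) and the only directories holding the genuine binaries on a
# default install (explorer.exe lives in C:\Windows, the rest in System32).
WINDOWS_NAMES = {"dwm.exe", "spoolsv.exe", "taskhost.exe", "wininit.exe", "audiodg.exe",
                 "cmd.exe", "winlogon.exe", "services.exe", "conhost.exe", "explorer.exe",
                 "smss.exe", "lsass.exe"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}


def parse_schtasks(cmd):
    """Extract the persistence-relevant switches from a 'schtasks /create' line;
    return None for anything else."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmd, re.I):
        return None
    fields = {}
    for name, rx in SWITCH_RE.items():
        m = rx.search(cmd)
        fields[name] = m.group(1) if m else None
    fields["mo"] = int(fields["mo"]) if fields["mo"] else None
    fields["force"] = re.search(r"\s/f(\s|$)", cmd, re.I) is not None
    return fields


def triage(fields):
    """Reasons a parsed task matches the pattern in this report; [] means nothing odd."""
    reasons = []
    target = fields["tr"] or ""
    name = target.rsplit("\\", 1)[-1].lower()
    directory = target.rsplit("\\", 1)[0].lower() if "\\" in target else ""
    if name in WINDOWS_NAMES and directory not in WINDOWS_DIRS:
        reasons.append(f"{name} outside the Windows directory ({directory})")
    if (fields["rl"] or "").upper() == "HIGHEST":
        reasons.append("runs at highest privilege level")
    if (fields["sc"] or "").upper() == "MINUTE" and fields["mo"] is not None and fields["mo"] <= 15:
        reasons.append(f"restarted every {fields['mo']} min (watchdog)")
    stem = name[:-4] if name.endswith(".exe") else name
    task = (fields["tn"] or "").lower()
    # Every task in this report is named after its target: the stem ("dwm") or
    # the stem plus its first letter ("dwmd", "spoolsvs", "taskhostt").
    if stem and task in (stem, stem + stem[0]):
        reasons.append(f"task name {fields['tn']!r} derived from the target file name")
    return reasons


def summarize(cmds):
    """Group flagged tasks by target binary: {target: {'tasks': [...], 'reasons': [...]}}."""
    summary = {}
    for cmd in cmds:
        fields = parse_schtasks(cmd)
        if fields is None:
            continue
        reasons = triage(fields)
        if not reasons:
            continue
        entry = summary.setdefault(fields["tr"], {"tasks": [], "reasons": []})
        entry["tasks"].append(fields["tn"])
        for r in reasons:
            if r not in entry["reasons"]:
                entry["reasons"].append(r)
    return summary


if __name__ == "__main__":
    for target, info in summarize(SAMPLE_CMDS).items():
        print(target)
        print("  tasks:  ", ", ".join(info["tasks"]))
        for r in info["reasons"]:
            print("  reason: ", r)
```

Grouping by target rather than by task name is what makes the picture readable: the same binary is protected by three tasks under two names, and the same task name (cmdc, winlogonw, servicess) is reused for several different binaries, so a name-based view would both merge and split the wrong things.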

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 a0997784.xsph.ru udp 1
RU 141.8.192.6:80 a0997784.xsph.ru tcp 25

Files

C:\blockComagentCommon\XXy2W.vbe

MD5 ee52ea71feea8207e6afa75e86438d08
SHA1 8c833feedc8ac64a1424e663eb3dbb2013ba6142
SHA256 b482dc0529de14c5771702f8b4bdcc5a256c26611a84b569e4a997b466637b0d
SHA512 b09342f5caa69c1bf9481d9fc2284379626f6d2c3131d763d3a2198ccb0ddc5caf3a4f464a150cd9b0ebfc9b9c7aa1689af9000e14eaace36fe5247152ebc1c4

C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat

MD5 ec36e67c09c4a57473bdb8237c55d18b
SHA1 03793c2750fca27259996873fb22c26ce8868cd1
SHA256 cc2d6e7836cc1772f50b3b10b0514139b5ecd5d3270607b60a1713b383f3c03f
SHA512 97bbdc60b22d2710a8b63108b544db7cb0c5da995334ad44ee347dbb84e0482e42ccee1d6881eec61cf6648e5c1e950450e828af85ffeed40b7778c26c1cf52c

\blockComagentCommon\bridgehypercom.exe

MD5 33776154d16b2ab16c0dc64063eecab0
SHA1 3a28e93ed82b8cc4081ec29abbb83fa35c25d9f4
SHA256 c093b10412252d75b8da533e378a0766d7e7db00db41d5c0f4794ed0ef95a863
SHA512 2c67ca3b79deb45ed0917390c2c226dc804ebd6548b2feff38457161312561cad8e7729796053269ce24d9f08ac25cfe6aaff82efd1c7e2766158eb732ec2869

memory/2640-13-0x00000000013B0000-0x00000000014E2000-memory.dmp

memory/2640-14-0x0000000001190000-0x00000000011AC000-memory.dmp

memory/2640-15-0x00000000011B0000-0x00000000011C6000-memory.dmp

memory/2640-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9Aee2V9JGa.bat

MD5 422d0fbfe03c3ef5bea0f0bd3a36261a
SHA1 ff62bc3ded55291fea47c59cba3d252d1d238d91
SHA256 efb63329c02bed4b95de336243f7dd3eb15d6576e587d4ff08d70854b75c30ce
SHA512 6d2f149a60b3d31dd7fa7c1f7b9bf6716ccd9672c79a648505360c71559776c0808444b7effa594b9e65a2c054f4f94fe7a6dfffc9570dff70a1718a8e2eadc7

memory/2580-62-0x00000000011A0000-0x00000000012D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rGVNaWz2W5

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\o0Wkv9Z047

MD5 9da83032394b54144d4c2a3ae7cdfbce
SHA1 b85d3a0ff5006c2c1d7270500d7849d373f597b7
SHA256 90708648aa3da58b81497a0bc395507906d89d39583d6ad8dcb4e0d417bdc084
SHA512 17cb5c7cf40433e75a6240c2eaffd22bd77f5076c1904041670dd8609769e9c970499f85fc18354782c548fc0739df954dc44a9e1ff40d427a5b4f0d278417f3

memory/1124-111-0x0000000001080000-0x00000000011B2000-memory.dmp

memory/1908-112-0x00000000012E0000-0x0000000001412000-memory.dmp

memory/2580-113-0x0000000000D60000-0x0000000000D70000-memory.dmp

memory/1984-117-0x0000000000FC0000-0x00000000010F2000-memory.dmp

memory/1864-120-0x00000000002B0000-0x00000000003E2000-memory.dmp

memory/2228-122-0x0000000000130000-0x0000000000262000-memory.dmp

memory/892-129-0x0000000000E00000-0x0000000000F32000-memory.dmp

memory/2104-131-0x0000000000D90000-0x0000000000EC2000-memory.dmp

memory/2820-127-0x0000000000FF0000-0x0000000001122000-memory.dmp

memory/2732-134-0x0000000000AE0000-0x0000000000C12000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 14:54

Reported

2024-06-19 15:04

Platform

win10v2004-20240611-en

Max time kernel

571s

Max time network

595s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\WidevineCdm\\OfficeClickToRun.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\WidevineCdm\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\OfficeClickToRun.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
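The Run values in behavioral1 above and the two Shell rows here are printed with C-style escaping (backslash-quote and doubled backslashes) around the value, and the Shell value is a comma-separated list that winlogon.exe starts at every interactive logon, where the default is exactly explorer.exe. The Python below is an added example, not part of the report, that decodes rows in this format, splits a Shell value into its individual commands, and flags Run values whose file name is a Windows process name but whose directory is not the Windows directory. The sample rows are copied from the tables on this page plus one constructed benign Run value; the list of Windows process names and directories used for the check is the example's own assumption.

```python
import re

# Constructed sample input: three rows copied from the report (two Run values from
# behavioral1, the Winlogon\Shell row from behavioral2) and one constructed benign
# Run value (not from the report) for contrast.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\Microsoft.Transactions.Bridge.Dtc\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\services.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Public\\Videos\\Sample Videos\\winlogon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\WidevineCdm\\OfficeClickToRun.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\OfficeClickToRun.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "\"C:\\Program Files\\Example\\updater.exe\" /background" C:\Program Files\Example\setup.exe N/A',
]

# Row grammar used by the report: Set value (str) <key> = "<C-escaped value>" <writer> N/A
ROW_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<val>(?:[^"\\]|\\.)*)" (?P<writer>.+?) N/A$')

# Assumption for the check: Windows process names the dropper borrows, and the only
# directories where the genuine binaries live on a default install.
WINDOWS_NAMES = {"dwm.exe", "spoolsv.exe", "taskhost.exe", "wininit.exe", "audiodg.exe",
                 "cmd.exe", "winlogon.exe", "services.exe", "conhost.exe", "explorer.exe",
                 "smss.exe", "lsass.exe"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}


def unescape(value):
    """Undo the report's C-style escaping: backslash-quote becomes a quote and a
    doubled backslash becomes a single one."""
    return re.sub(r"\\(.)", r"\1", value)


def split_commands(value):
    """Split a decoded value on commas that are outside quotes. A Shell value is
    a comma list; a Run value yields a single command."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def image_of(command):
    """Executable path of one command: the quoted token if it starts with a
    quote, otherwise the first whitespace-delimited token."""
    m = re.match(r'"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def analyze_row(row):
    """Decode one 'Set value' row and list why its command(s) look like
    persistence. Returns None for rows that do not match the grammar."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, writer = m["key"], m["writer"]
    value_name = key.rsplit("\\", 1)[-1]
    commands = split_commands(unescape(m["val"]))
    is_shell = key.lower().endswith("\\winlogon\\shell")
    findings = []
    for cmd in commands:
        image = image_of(cmd)
        name = image.rsplit("\\", 1)[-1].lower()
        directory = image.rsplit("\\", 1)[0].lower() if "\\" in image else ""
        if is_shell:
            # The default Shell value is exactly "explorer.exe"; every further
            # entry is started by winlogon.exe at each interactive logon.
            if cmd.lower() != "explorer.exe":
                findings.append(f"extra Shell entry: {image}")
        elif name in WINDOWS_NAMES and directory not in WINDOWS_DIRS:
            findings.append(f"Run value {value_name!r} starts {name} from {directory}")
    return {
        "hive": "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU",
        "key": key,
        "writer": writer,
        "commands": commands,
        "findings": findings,
    }


def scan(rows):
    """All rows that produced at least one finding."""
    results = [analyze_row(r) for r in rows]
    return [r for r in results if r and r["findings"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_ROWS):
        print(f"{r['hive']} {r['key']}  (written by {r['writer']})")
        for finding in r["findings"]:
            print("   ", finding)
```

The split on unquoted commas is the part worth keeping: a check that only looks at the start of the Shell value sees "explorer.exe" and passes, while the two OfficeClickToRun.exe entries appended after it are what winlogon.exe actually launches in addition to the desktop.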

Process spawned unexpected child process

| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |

DCRat payload

rat
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | C:\blockComagentCommon\bridgehypercom.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\WidevineCdm\\OfficeClickToRun.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Defender\\en-US\\OfficeClickToRun.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Defender\\en-US\\OfficeClickToRun.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Google\\Chrome\\Application\\110.0.5481.104\\WidevineCdm\\OfficeClickToRun.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\e6c9b481da804f | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| File created | C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| File created | C:\Program Files\Windows Defender\en-US\e6c9b481da804f | C:\blockComagentCommon\bridgehypercom.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\PrintDialog\en-US\sysmon.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A |

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\blockComagentCommon\bridgehypercom.exe | N/A |

Scheduled Task/Job: Scheduled Task

persistence execution
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |

Suspicious behavior: GetForegroundWindowSpam

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\blockComagentCommon\bridgehypercom.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4300 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4300 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4300 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2320 wrote to memory of 4912 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2320 wrote to memory of 4912 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2320 wrote to memory of 4912 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4912 wrote to memory of 1832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\blockComagentCommon\bridgehypercom.exe |
| PID 4912 wrote to memory of 1832 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\blockComagentCommon\bridgehypercom.exe |
| PID 1832 wrote to memory of 1704 | N/A | C:\blockComagentCommon\bridgehypercom.exe | C:\Windows\System32\cmd.exe |
| PID 1832 wrote to memory of 1704 | N/A | C:\blockComagentCommon\bridgehypercom.exe | C:\Windows\System32\cmd.exe |
| PID 1704 wrote to memory of 952 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 1704 wrote to memory of 952 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe |
| PID 1704 wrote to memory of 376 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe |
| PID 1704 wrote to memory of 376 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\blockComagentCommon\XXy2W.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat" "

C:\blockComagentCommon\bridgehypercom.exe

"C:\blockComagentCommon\bridgehypercom.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3ob5ZjYhN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\OfficeClickToRun.exe"

C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe

"C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe"

C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe

"C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a0997784.xsph.ru | udp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| US | 8.8.8.8:53 | 6.192.8.141.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |
| RU | 141.8.192.6:80 | a0997784.xsph.ru | tcp |

Files

C:\blockComagentCommon\XXy2W.vbe

MD5 ee52ea71feea8207e6afa75e86438d08
SHA1 8c833feedc8ac64a1424e663eb3dbb2013ba6142
SHA256 b482dc0529de14c5771702f8b4bdcc5a256c26611a84b569e4a997b466637b0d
SHA512 b09342f5caa69c1bf9481d9fc2284379626f6d2c3131d763d3a2198ccb0ddc5caf3a4f464a150cd9b0ebfc9b9c7aa1689af9000e14eaace36fe5247152ebc1c4

C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat

MD5 ec36e67c09c4a57473bdb8237c55d18b
SHA1 03793c2750fca27259996873fb22c26ce8868cd1
SHA256 cc2d6e7836cc1772f50b3b10b0514139b5ecd5d3270607b60a1713b383f3c03f
SHA512 97bbdc60b22d2710a8b63108b544db7cb0c5da995334ad44ee347dbb84e0482e42ccee1d6881eec61cf6648e5c1e950450e828af85ffeed40b7778c26c1cf52c

C:\blockComagentCommon\bridgehypercom.exe

MD5 33776154d16b2ab16c0dc64063eecab0
SHA1 3a28e93ed82b8cc4081ec29abbb83fa35c25d9f4
SHA256 c093b10412252d75b8da533e378a0766d7e7db00db41d5c0f4794ed0ef95a863
SHA512 2c67ca3b79deb45ed0917390c2c226dc804ebd6548b2feff38457161312561cad8e7729796053269ce24d9f08ac25cfe6aaff82efd1c7e2766158eb732ec2869

memory/1832-12-0x00007FFA4F263000-0x00007FFA4F265000-memory.dmp

memory/1832-13-0x0000000000960000-0x0000000000A92000-memory.dmp

memory/1832-14-0x0000000002B70000-0x0000000002B8C000-memory.dmp

memory/1832-15-0x000000001BDC0000-0x000000001BE10000-memory.dmp

memory/1832-16-0x0000000002CB0000-0x0000000002CC6000-memory.dmp

memory/1832-17-0x0000000002B90000-0x0000000002B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f3ob5ZjYhN.bat

MD5 14e95beb82a00b1de22348f837ebcdc8
SHA1 45701d8b49ad2f27c9cb05a0c3366e76f53b39f1
SHA256 145283967868a5f3fe528e901db1a14cca451b24450c7e8e897a83c70ba0c673
SHA512 298a3f1ca8bf62a0bf7306e83c07b1edd13cf0c9b31fac8a32d779c0e107914bfac7a5b28c4e72662697826bce546c44fa595933439fcded04cc20622de42c59

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545