Malware Analysis Report

2024-10-10 13:01

Sample ID 240619-t51v9stdrf
Target DCRatBuild_protected.sfx.exe
SHA256 3c2e56fa690da037a3fa6e5aca8864a15c9a402103f7db8387dff08d5ebeb217
Tags: dcrat infostealer persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

3c2e56fa690da037a3fa6e5aca8864a15c9a402103f7db8387dff08d5ebeb217

Threat Level: Known bad

The file DCRatBuild_protected.sfx.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat spyware stealer

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

DCRat payload

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 16:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 16:39

Reported

2024-06-19 16:49

Platform

win7-20240611-en

Max time kernel

358s

Max time network

364s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\", \"C:\\Users\\Default\\NetHood\\System.exe\", \"C:\\blockComagentCommon\\spoolsv.exe\", \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\audiodg.exe\", \"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\", \"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\", \"C:\\Windows\\Cursors\\cmd.exe\", \"C:\\Windows\\en-US\\lsm.exe\", \"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\Windows\en-US\lsm.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (54 identical rows, one per schtasks.exe invocation listed under Processes) | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical rows)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe | N/A
N/A | N/A | C:\blockComagentCommon\bridgehypercom.exe | N/A
N/A | N/A | C:\Windows\en-US\lsm.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Cursors\\cmd.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\en-US\\lsm.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\NetHood\\System.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\blockComagentCommon\\audiodg.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\blockComagentCommon\\spoolsv.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\blockComagentCommon\\audiodg.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\smss.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Portable Devices\\spoolsv.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\NetHood\\System.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Media Player\\Network Sharing\\wininit.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\Cursors\\cmd.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\en-US\\lsm.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\lsass.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\0f2bee02-28a9-11ef-983f-46d84c032646\\audiodg.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\blockComagentCommon\\spoolsv.exe\"" | C:\blockComagentCommon\bridgehypercom.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Portable Devices\spoolsv.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A
File created | C:\Program Files\Windows Portable Devices\f3b6ecef712a24 | C:\blockComagentCommon\bridgehypercom.exe | N/A
File created | C:\Program Files\Windows Media Player\Network Sharing\wininit.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A
File created | C:\Program Files\Windows Media Player\Network Sharing\56085415360792 | C:\blockComagentCommon\bridgehypercom.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\en-US\lsm.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A
File created | C:\Windows\en-US\101b941d020240 | C:\blockComagentCommon\bridgehypercom.exe | N/A
File created | C:\Windows\servicing\fr-FR\cmd.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A
File created | C:\Windows\Cursors\cmd.exe | C:\blockComagentCommon\bridgehypercom.exe | N/A
File created | C:\Windows\Cursors\ebf1f9fa8afd6d | C:\blockComagentCommon\bridgehypercom.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\blockComagentCommon\bridgehypercom.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\en-US\lsm.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2040 wrote to memory of 2068 (4 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe | C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 2068 wrote to memory of 2744 (4 identical rows) | N/A | C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe | C:\Windows\SysWOW64\WScript.exe
PID 2744 wrote to memory of 2740 (4 identical rows) | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2924 (4 identical rows) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\blockComagentCommon\bridgehypercom.exe
PID 2924 wrote to memory of 1784 (3 identical rows) | N/A | C:\blockComagentCommon\bridgehypercom.exe | C:\Windows\en-US\lsm.exe
PID 1784 wrote to memory of 2460 (3 identical rows) | N/A | C:\Windows\en-US\lsm.exe | C:\Windows\system32\cmd.exe
PID 2460 wrote to memory of 1312 (3 identical rows) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\blockComagentCommon\XXy2W.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat" "

C:\blockComagentCommon\bridgehypercom.exe

"C:\blockComagentCommon\bridgehypercom.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\blockComagentCommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\blockComagentCommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\blockComagentCommon\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\blockComagentCommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\blockComagentCommon\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Cursors\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\en-US\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\wininit.exe'" /rl HIGHEST /f

C:\Windows\en-US\lsm.exe

"C:\Windows\en-US\lsm.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "bridgehypercom" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "bridgehypercomb" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsass" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsassl" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodg" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodga" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "System" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "SystemS" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsv" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsvs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodg" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodga" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "smss" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "smsss" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsv" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsvs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "cmd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "cmdc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsm" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsml" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininit" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininitw" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsm" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "lsml" /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\WV8mKyMrHT.bat" "

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0997784.xsph.ru udp
RU 141.8.192.6:80 a0997784.xsph.ru tcp
RU 141.8.192.6:80 a0997784.xsph.ru tcp

Files

\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

MD5 9ca5c1afa78261d0666a0182c6749517
SHA1 6eb3162ed05bc0fddae625682cf14606d53bc2ec
SHA256 5fe6e35645bffadcc493be5c9a70779d3b688678c2a944099eabf86c66deb8a3
SHA512 d4e6ee59f2ade7fba1a93a80afcaf1017e2beaa72e39b2ae15c386e44dfd1dcc2594364b0379a4c615a5a554200493dd163ca02b43e37a1c4a0c34694f0e3d2e

memory/2040-6-0x0000000003660000-0x0000000003A66000-memory.dmp

memory/2068-14-0x0000000000E00000-0x0000000001206000-memory.dmp

memory/2068-23-0x0000000000E00000-0x0000000001206000-memory.dmp

C:\blockComagentCommon\XXy2W.vbe

MD5 ee52ea71feea8207e6afa75e86438d08
SHA1 8c833feedc8ac64a1424e663eb3dbb2013ba6142
SHA256 b482dc0529de14c5771702f8b4bdcc5a256c26611a84b569e4a997b466637b0d
SHA512 b09342f5caa69c1bf9481d9fc2284379626f6d2c3131d763d3a2198ccb0ddc5caf3a4f464a150cd9b0ebfc9b9c7aa1689af9000e14eaace36fe5247152ebc1c4

C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat

MD5 ec36e67c09c4a57473bdb8237c55d18b
SHA1 03793c2750fca27259996873fb22c26ce8868cd1
SHA256 cc2d6e7836cc1772f50b3b10b0514139b5ecd5d3270607b60a1713b383f3c03f
SHA512 97bbdc60b22d2710a8b63108b544db7cb0c5da995334ad44ee347dbb84e0482e42ccee1d6881eec61cf6648e5c1e950450e828af85ffeed40b7778c26c1cf52c

\blockComagentCommon\bridgehypercom.exe

MD5 33776154d16b2ab16c0dc64063eecab0
SHA1 3a28e93ed82b8cc4081ec29abbb83fa35c25d9f4
SHA256 c093b10412252d75b8da533e378a0766d7e7db00db41d5c0f4794ed0ef95a863
SHA512 2c67ca3b79deb45ed0917390c2c226dc804ebd6548b2feff38457161312561cad8e7729796053269ce24d9f08ac25cfe6aaff82efd1c7e2766158eb732ec2869

memory/2924-30-0x0000000000120000-0x0000000000252000-memory.dmp

memory/2924-31-0x0000000000280000-0x000000000029C000-memory.dmp

memory/2924-32-0x0000000000440000-0x0000000000456000-memory.dmp

memory/2924-33-0x0000000000420000-0x000000000042C000-memory.dmp

memory/1784-60-0x0000000000FA0000-0x00000000010D2000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\6203df4a6bafc7

MD5 85f9966b20c09ecb445b07beb0e38672
SHA1 6a2fd7854bdbeaa0ed7ad95c037876eb68684c92
SHA256 fd2542718f54ef77a2f28b240896aa4be5f02493a9f1852d626afcb13bb38cb6
SHA512 c6fdffb3664c571e88728fba4b8e727f2e2e72a846557403647b4d1c4cd98793b0bc5dbf6dc66986fac781a22e2f47a7ea303d1cfed804d3b0e538f5f9afa67e

C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\42af1c969fbb7b

MD5 9a31e6b5640ef20d6f0faafee5b076d0
SHA1 472223fb7a7fec3133607375407b86d1f4ae3a8f
SHA256 ca1e0c11ccb92bd96cdf137c8a71fe5b5d4522c3ca3cb7f1ff5a6796c18b493b
SHA512 7cb2a9f21c07e594f1c19c4f75e28bd024d57620f5e22352a0f6e6a2a9e49cf146ea92b8eae561fb43392d68c3cd589a3f4c4beb68cb13a3b3c4460038f18d8f

C:\Users\Default\NetHood\27d1bcfc3c54e0

MD5 e034c8c4311b29e0853cfa111db0dbbb
SHA1 97ce68950a266751fcc4d7239c26f6f65ceccbff
SHA256 fea5a87bfb04b7776335740d7dc27b0ad82c88130d11e48a0427608382eb694f
SHA512 01cba7ab819dbd21bf034134c07892978186d67ff3d9cfd4ffebbe30771ac1a5dfbaf8148d9ed5000ac0687a8e874175104099847f4b513d4626d2f4654a3bb3

C:\blockComagentCommon\f3b6ecef712a24

MD5 df0769f32100aa0068496f360c1afaf5
SHA1 806bd09697f238474737e1acff05d5104a82b302
SHA256 5449f84ddefb0d169a1b4f96d7aa38cbdb3ef201081d6d6f281a216e719505ec
SHA512 f2ab75df54b2c1850caecd06da969dc459faa425554816077bfea84d3c52793e5936a101943dd0a3d244b3eeb93b763a9177a40ed718c27ee76370c78cb80bed

C:\blockComagentCommon\42af1c969fbb7b

MD5 65d985f36464ecec6ddbc71f5c901707
SHA1 fe9381ee1f4d01ccb689c7651212913f07f889db
SHA256 4dfd2d1dfbdf761bde74300b7b6c293fd8feac0aaad0a97646cc4850868ccead
SHA512 16594065e2f3fce0abb1e0307a1dcd267253d930b707a8167faa2284cca732ad10a6d02bf50b36e28ea23dd234297276b55e5da7f0d02e942716128189c5a777

C:\Recovery\0f2bee02-28a9-11ef-983f-46d84c032646\69ddcba757bf72

MD5 86b30d5fbbd54925b0c3e22c352d0dc0
SHA1 d4cf8b62e1fa44c7428f5430f23512ce991b514d
SHA256 a61417abc00fc17c91e77c923e402030ff10c7ef42a2b2dfd6efac8baa70dcd4
SHA512 6b54b4bed4501d0614ba531a6467e7b388fa55a8305b0dcfbdd3a221ec810ddfda72c048d9987ca128a35554ad3df3e2171c8ef14d1fb89c2729652b09e86205

C:\Program Files\Windows Portable Devices\f3b6ecef712a24

MD5 f91574a15832a5e5f39b269794c22439
SHA1 b53d30c809ae36bdf7ec499582a8d267ae3e2ead
SHA256 1a78f712775241dfc0b344fb28ababed920c169237bd9a9072cf47296cae2034
SHA512 f899939acbe47b1d0b89042040e1a496ef2efb16d24ff63bba7d6ca9e79097ed2079d5ebd2ba06f9fd164764895870fe296087b616699655acdf93ab2157c0c1

C:\Windows\Cursors\ebf1f9fa8afd6d

MD5 216025b0d007b5c6dc2646823cbbe26a
SHA1 39a9e8c89a310fb14d358ad60f443f279736f0aa
SHA256 5e16cdc808970819ba2b5e7d5716b6f8d0d8ff680e1fd43f7c4b5bb72ca7a345
SHA512 82c3c08183f31764517fcfab1d85dbec21ad55b42d9172450fdd1ff7fff5e12f231436ad9aea84b282194c0632370c0a18fad6f56d20791a921bf941d22ea296

C:\Program Files\Windows Media Player\Network Sharing\56085415360792

MD5 a538abd975a0965721a9793a768cf9c4
SHA1 cf2e3e7259ea1032d0a62c18ee0da9e63211b771
SHA256 465107873eeb11f25129f8cf374d129b59ab6061f3a58c095c3264f93a168ecc
SHA512 6172bde381749762d9e0e033e1d08221d7d379a6aa6ad70e3c22890175ec692feb969e54d54bbdbaab51c14efd50424fc9dc9a9057d74d0253c9bfaf2a2569b6

C:\Users\Admin\AppData\Local\Temp\WV8mKyMrHT.bat

MD5 c0423a46395ffe7bf9cacf0666548a62
SHA1 8dd6e583dad5feadeb978d3b40b7a68bff33b965
SHA256 505f6f7cfeb1da6e649cc658035a7a34685e1dc55bafade27a26899dfcfc6906
SHA512 74a563755b79fe0c8d4450ca390b93c73ebd1481d693acc8f1d8aee0091edb68608de5c8a07f3b3af120f308b7f7e36fecb5335dabd4171ec2fa34f5c9243817

C:\Windows\en-US\101b941d020240

MD5 3d8e43348818c18d7b63d1f9b80a6434
SHA1 89572b17a77b5edcc458e503ffdfa720d4b4bcd6
SHA256 36059e34c04934333de20ffc320548951bda29ad723fabf5058c5ed3d81cf5ad
SHA512 e243273422d205017a1b6525ef4a2d7139bee7aca76e07569c9af552ff2183f872756a4b1ab2bfce9e48f0163348330578e6cdee22371eaf93fd3de0d66aecb0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 16:39

Reported

2024-06-19 16:49

Platform

win10v2004-20240508-en

Max time kernel

594s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\", \"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\", \"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\blockComagentCommon\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\", \"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\blockComagentCommon\\conhost.exe\", \"C:\\blockComagentCommon\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\", \"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\blockComagentCommon\\conhost.exe\", \"C:\\blockComagentCommon\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\", \"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\blockComagentCommon\\conhost.exe\", \"C:\\blockComagentCommon\\RuntimeBroker.exe\", \"C:\\Windows\\tracing\\spoolsv.exe\", \"C:\\Program Files\\Common Files\\Services\\sihost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockComagentCommon\\System.exe\", \"C:\\Users\\All Users\\System.exe\", \"C:\\blockComagentCommon\\csrss.exe\", \"C:\\Windows\\en-US\\sysmon.exe\", \"C:\\Users\\Default User\\bridgehypercom.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\", \"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\blockComagentCommon\bridgehypercom.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\tracing\\spoolsv.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\blockComagentCommon\\csrss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\en-US\\sysmon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\blockComagentCommon\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\tracing\\spoolsv.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\OfficeClickToRun.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Common Files\\Services\\sihost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Common Files\\Services\\sihost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\blockComagentCommon\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgehypercom = "\"C:\\Users\\Default User\\bridgehypercom.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgehypercom = "\"C:\\Users\\Default User\\bridgehypercom.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\blockComagentCommon\\conhost.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\blockComagentCommon\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\blockComagentCommon\\System.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\blockComagentCommon\\csrss.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\en-US\\sysmon.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\Prefetch\\WaaSMedicAgent.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\blockComagentCommon\\RuntimeBroker.exe\"" C:\blockComagentCommon\bridgehypercom.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Services\66fc9ff0ee96c2 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\OfficeClickToRun.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\e6c9b481da804f C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Program Files\Common Files\Services\sihost.exe C:\blockComagentCommon\bridgehypercom.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Prefetch\WaaSMedicAgent.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\Prefetch\c82b8037eab33d C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\tracing\spoolsv.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\tracing\f3b6ecef712a24 C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\en-US\sysmon.exe C:\blockComagentCommon\bridgehypercom.exe N/A
File created C:\Windows\en-US\121e5b5079f7c0 C:\blockComagentCommon\bridgehypercom.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\blockComagentCommon\bridgehypercom.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Prefetch\WaaSMedicAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\blockComagentCommon\bridgehypercom.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Prefetch\WaaSMedicAgent.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Prefetch\WaaSMedicAgent.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\blockComagentCommon\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\Services\sihost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Prefetch\WaaSMedicAgent.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\System.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Sidebar\Gadgets\OfficeClickToRun.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 920 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 920 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 4072 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 4072 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 4072 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 1944 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 1716 wrote to memory of 3096 N/A C:\Windows\SysWOW64\cmd.exe C:\blockComagentCommon\bridgehypercom.exe
PID 3096 wrote to memory of 3352 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Windows\System32\cmd.exe
PID 3096 wrote to memory of 3352 N/A C:\blockComagentCommon\bridgehypercom.exe C:\Windows\System32\cmd.exe
PID 3352 wrote to memory of 4204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3352 wrote to memory of 4204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3352 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\Prefetch\WaaSMedicAgent.exe
PID 3352 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\Prefetch\WaaSMedicAgent.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild_protected.sfx.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\blockComagentCommon\XXy2W.vbe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat" "

C:\blockComagentCommon\bridgehypercom.exe

"C:\blockComagentCommon\bridgehypercom.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\blockComagentCommon\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\blockComagentCommon\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\blockComagentCommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\blockComagentCommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\en-US\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgehypercomb" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\bridgehypercom.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgehypercom" /sc ONLOGON /tr "'C:\Users\Default User\bridgehypercom.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgehypercomb" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\bridgehypercom.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Prefetch\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\blockComagentCommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\blockComagentCommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\blockComagentCommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\blockComagentCommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\blockComagentCommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\blockComagentCommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uj23sfdAOt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Prefetch\WaaSMedicAgent.exe

"C:\Windows\Prefetch\WaaSMedicAgent.exe"

C:\Windows\Prefetch\WaaSMedicAgent.exe

C:\Windows\Prefetch\WaaSMedicAgent.exe

C:\Windows\en-US\sysmon.exe

C:\Windows\en-US\sysmon.exe

C:\blockComagentCommon\RuntimeBroker.exe

C:\blockComagentCommon\RuntimeBroker.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8

C:\Program Files\Common Files\Services\sihost.exe

"C:\Program Files\Common Files\Services\sihost.exe"

C:\Windows\Prefetch\WaaSMedicAgent.exe

C:\Windows\Prefetch\WaaSMedicAgent.exe

C:\Users\All Users\System.exe

"C:\Users\All Users\System.exe"

C:\Program Files (x86)\Windows Sidebar\Gadgets\OfficeClickToRun.exe

"C:\Program Files (x86)\Windows Sidebar\Gadgets\OfficeClickToRun.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 206.131.50.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 a0997784.xsph.ru udp
RU 141.8.192.6:80 a0997784.xsph.ru tcp
RU 141.8.192.6:80 a0997784.xsph.ru tcp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
RU 141.8.192.6:80 a0997784.xsph.ru tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

MD5 9ca5c1afa78261d0666a0182c6749517
SHA1 6eb3162ed05bc0fddae625682cf14606d53bc2ec
SHA256 5fe6e35645bffadcc493be5c9a70779d3b688678c2a944099eabf86c66deb8a3
SHA512 d4e6ee59f2ade7fba1a93a80afcaf1017e2beaa72e39b2ae15c386e44dfd1dcc2594364b0379a4c615a5a554200493dd163ca02b43e37a1c4a0c34694f0e3d2e

memory/4072-9-0x00000000006A0000-0x0000000000AA6000-memory.dmp

memory/4072-18-0x00000000006A0000-0x0000000000AA6000-memory.dmp

C:\blockComagentCommon\XXy2W.vbe

MD5 ee52ea71feea8207e6afa75e86438d08
SHA1 8c833feedc8ac64a1424e663eb3dbb2013ba6142
SHA256 b482dc0529de14c5771702f8b4bdcc5a256c26611a84b569e4a997b466637b0d
SHA512 b09342f5caa69c1bf9481d9fc2284379626f6d2c3131d763d3a2198ccb0ddc5caf3a4f464a150cd9b0ebfc9b9c7aa1689af9000e14eaace36fe5247152ebc1c4

C:\blockComagentCommon\0xQrS65tkQIWur3PmtNOw.bat

MD5 ec36e67c09c4a57473bdb8237c55d18b
SHA1 03793c2750fca27259996873fb22c26ce8868cd1
SHA256 cc2d6e7836cc1772f50b3b10b0514139b5ecd5d3270607b60a1713b383f3c03f
SHA512 97bbdc60b22d2710a8b63108b544db7cb0c5da995334ad44ee347dbb84e0482e42ccee1d6881eec61cf6648e5c1e950450e828af85ffeed40b7778c26c1cf52c

C:\blockComagentCommon\bridgehypercom.exe

MD5 33776154d16b2ab16c0dc64063eecab0
SHA1 3a28e93ed82b8cc4081ec29abbb83fa35c25d9f4
SHA256 c093b10412252d75b8da533e378a0766d7e7db00db41d5c0f4794ed0ef95a863
SHA512 2c67ca3b79deb45ed0917390c2c226dc804ebd6548b2feff38457161312561cad8e7729796053269ce24d9f08ac25cfe6aaff82efd1c7e2766158eb732ec2869

memory/3096-24-0x0000000000430000-0x0000000000562000-memory.dmp

memory/3096-25-0x0000000000D40000-0x0000000000D5C000-memory.dmp

memory/3096-26-0x000000001B870000-0x000000001B8C0000-memory.dmp

memory/3096-27-0x00000000026C0000-0x00000000026D6000-memory.dmp

memory/3096-28-0x0000000000D70000-0x0000000000D7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uj23sfdAOt.bat

MD5 4d532f2f98a308cdca8090cd93d0add4
SHA1 3ea1813d91368863b7f39573e78bedc8dc6c9b89
SHA256 c90f135fb1bf8c8dc35fe6722a5f7bf098cd96960f3601e7aad9d9c918b27501
SHA512 6debd4102634ddec8bccaf66c3a88254ab1ec4be51544b7e5d45fb8420a4fc6f211d139ca081775e8474bf8169c637a0bc99eeb9363e21d1b46fe19e85fdd160

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WaaSMedicAgent.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545