Malware Analysis Report

2024-10-10 13:06

Sample ID 240620-xbmnbssarg
Target DCRatBuild.exe
SHA256 3e1e599e07cd53bc658e035ebbb7a18948d43c246c6fdcbc72f834f57d94ab7e
Tags
rat dcrat execution infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e1e599e07cd53bc658e035ebbb7a18948d43c246c6fdcbc72f834f57d94ab7e

Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence

DcRat

Dcrat family

Modifies WinLogon for persistence

DCRat payload

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Enumerates system info in registry

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 18:40

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 18:40

Reported

2024-06-20 18:43

Platform

win11-20240611-en

Max time kernel

102s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\", \"C:/Users/Admin/AppData/Local/\\unsecapp.exe\", \"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\", \"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\", \"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\", \"C:/Users/Admin/AppData/Local/\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agentrefNet = "\"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:/Users/Admin/AppData/Local/\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\agentrefNet = "\"C:/Users/Admin/AppData/Local/\\agentrefNet.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:/Users/Admin/AppData/Local/\\unsecapp.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:/Users/Admin/AppData/Local/\\OfficeClickToRun.exe\"" | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\OfficeClickToRun.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\OfficeClickToRun.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4568 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | C:\Windows\SysWOW64\WScript.exe
PID 2364 wrote to memory of 2272 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 4524 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
PID 4524 wrote to memory of 896 | N/A | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 4748 | N/A | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe | C:\Windows\System32\cmd.exe
PID 2752 wrote to memory of 4784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2176 wrote to memory of 544 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2176 wrote to memory of 3840 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2176 wrote to memory of 5084 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2176 wrote to memory of 1324 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentrefNeta" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentrefNet" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentrefNeta" /sc MINUTE /mo 5 /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\agentrefNet.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NkfdZ2sUBf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff71ce3cb8,0x7fff71ce3cc8,0x7fff71ce3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\unsecapp.exe'

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'

C:\Users\Admin\AppData\Local\OfficeClickToRun.exe

"C:\Users\Admin\AppData\Local\OfficeClickToRun.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe" C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

"C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
RU 141.8.192.58:80 a0998415.xsph.ru tcp

Files

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat

C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ssu2x5r0.5rm.ps1

C:\Users\Admin\AppData\Local\Temp\NkfdZ2sUBf.bat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2176_HTYZHXSOQQXCGZUH

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentrefNet.exe.log

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
