Malware Analysis Report

2024-11-13 13:46

Sample ID 240721-jn93hawerg
Target 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe
SHA256 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
Tags
dcrat evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0

Threat Level: Known bad

The file 371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

UAC bypass

Process spawned unexpected child process

DcRat

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 07:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 07:50

Reported

2024-07-21 07:52

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
File created | C:\Windows\tracing\0a1fd5f707cd16 | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Program Files\Common Files\56085415360792 | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\wininit.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Program Files\Common Files\56085415360792 | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24 | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\cc11b995f2a76d | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Program Files\Common Files\wininit.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\tracing\0a1fd5f707cd16 | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Windows\schemas\EAPMethods\services.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
File created | C:\Windows\tracing\sppsvc.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2888 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2888 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2888 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2888 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2888 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2888 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2888 wrote to memory of 340 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2888 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
PID 2888 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
PID 2888 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
PID 2888 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
PID 2672 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe | C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe | C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe | C:\Windows\SysWOW64\WScript.exe
PID 2672 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe | C:\Windows\SysWOW64\WScript.exe
PID 2468 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 2572 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 2572 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 2572 wrote to memory of 2464 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 2464 wrote to memory of 1780 | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | C:\Windows\System32\cmd.exe
PID 2464 wrote to memory of 1780 | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | C:\Windows\System32\cmd.exe
PID 2464 wrote to memory of 1780 | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | C:\Windows\System32\cmd.exe
PID 1780 wrote to memory of 1900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1780 wrote to memory of 1900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1780 wrote to memory of 1900 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1780 wrote to memory of 2072 | N/A | C:\Windows\System32\cmd.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 1780 wrote to memory of 2072 | N/A | C:\Windows\System32\cmd.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 1780 wrote to memory of 2072 | N/A | C:\Windows\System32\cmd.exe | C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 2072 wrote to memory of 1912 | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 1912 | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 1912 | N/A | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | C:\Windows\System32\cmd.exe
PID 1912 wrote to memory of 1648 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1912 wrote to memory of 1648 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1912 wrote to memory of 1648 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1912 wrote to memory of 1592 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe
PID 1912 wrote to memory of 1592 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe
PID 1912 wrote to memory of 1592 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\bridgeServercomponentFontDriver\MsHostsvc.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe

"C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe

"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "

C:\bridgeServercomponentFontDriver\MsHostsvc.exe

"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\bridgeServercomponentFontDriver\MsHostsvc.exe

"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\MsHostsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MsHostsvc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\MsHostsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\MsHostsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cWkBSqzw3R.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe

"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\winlogon.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a1008232.xsph.ru | udp
RU | 141.8.197.42:80 | a1008232.xsph.ru | tcp
RU | 141.8.197.42:80 | a1008232.xsph.ru | tcp

Files

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

MD5 78f38e4700f08a5a56a3bd422ba8fe9f
SHA1 25993fbf617830c23592ee0adff340c3f76dc641
SHA256 0f207fe33eaa8a486a50938a7c4668f61762fbac383a9b5005af545dd18265af
SHA512 d865387fe14d7bebd6a3bacc26a34af2e3d05d1521ddc839cdbcd00413b6147a15895f9f5b40b44055a416aa55030a28f068b6c80abc698ac2179d0f69bcecbb

\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe

MD5 d80301cde99009a601e22c0f9cb3433a
SHA1 d82a05a75f31ec11ced2f6c5e0b945510dbfcd5a
SHA256 334e48543f8c2d0203135f7820116b676467ae1c1a3d6eabd8b17f96308e5574
SHA512 02b744e15834b654b1d4772d8f2ddc26ca773a9139d9d12fec12c2749e09e69c904014c8464762a7bd97aa8413971193a8c386bb2bfecc14fc8aabd78383888b

C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe

MD5 bd091f4d8a1df91d73b0c65a4ba02330
SHA1 bef757dc154e1d4a0fc91f8ce1e4072c4c12d6df
SHA256 7eeb92d6b5e2faca9ea5763051aac81b7851f4aefe76680ccb25a3aec7e05be2
SHA512 0559ece912e8d3f061e615dd55ced1ddb75c743014b99f4589421c192a4aadf58c41c5b8d72cb96ac3b40f4326e7a7c5791691d557036fb3df2df8f78ff2a98c

C:\bridgeServercomponentFontDriver\9qhNErD.bat

MD5 21b5523fa5a489444309d54f4f58ec98
SHA1 4b9f2c6c37e428a6c504d38bf404fbe7613b900c
SHA256 f3816eaf5c2710018fea5d788601d9c31d0b21d4c25f44284da0d3641eda8dd5
SHA512 ef25536cc3c27e22b2e6cb1834a8279ebb95c5a06d3c2ebab46ad2d0b88c6dc7a1f3c4069d16b747d4108b859bb3776575414e3aeefaca1cd768274b887b2738

C:\bridgeServercomponentFontDriver\MsHostsvc.exe

MD5 a7a6c9f410573c8fbd408170eab6aa33
SHA1 99354c9e2c7fc978abd47e8d2ec1a403bcc5dfd6
SHA256 9d5aaaf2551239a60ec1a383a3512be976cfaa866573e86687c59412ae167974
SHA512 f3dbb349ed88f1d9b7c6d1e0ffc2fa12b3d2f68209eaf97ff8bf4344c5a87e39ba3588584df4b656acdcf1b1526415b0a06e921f405bc836792c9b55a794d6b5

memory/2464-32-0x0000000000940000-0x0000000000C02000-memory.dmp

memory/2464-33-0x0000000000380000-0x000000000038E000-memory.dmp

memory/2464-34-0x0000000000480000-0x000000000049C000-memory.dmp

memory/2464-35-0x0000000000520000-0x0000000000528000-memory.dmp

memory/2464-37-0x0000000000550000-0x0000000000558000-memory.dmp

memory/2464-36-0x0000000000530000-0x0000000000546000-memory.dmp

memory/2464-38-0x0000000000580000-0x0000000000590000-memory.dmp

memory/2464-39-0x0000000000560000-0x000000000056A000-memory.dmp

memory/2464-40-0x00000000005B0000-0x0000000000606000-memory.dmp

memory/2464-41-0x0000000000570000-0x000000000057C000-memory.dmp

memory/2464-42-0x0000000000590000-0x0000000000598000-memory.dmp

memory/2464-43-0x0000000000600000-0x000000000060C000-memory.dmp

memory/2464-44-0x0000000000610000-0x0000000000622000-memory.dmp

memory/2464-45-0x00000000008E0000-0x00000000008EC000-memory.dmp

memory/2464-46-0x00000000008F0000-0x00000000008F8000-memory.dmp

memory/2464-47-0x0000000000900000-0x000000000090C000-memory.dmp

memory/2464-48-0x0000000000910000-0x000000000091E000-memory.dmp

memory/2464-49-0x0000000000920000-0x000000000092C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat

MD5 9f7739c37f5011ad015d0b1ed0f47949
SHA1 7f83225eeedef5ef05f13e9466ee2a7d885db0ff
SHA256 8f4ccc347c6c732766c42fe210714618212bf5d0e93c4dc8356b273a4369b114
SHA512 e59b64a47723cf64904c1b94752a8865ffa2f51c9b41801d1646f325e5729613d6678d1f3ba79d91a31a728ebccc7223f5743f16711ed196c91397f6181a8512

memory/2072-62-0x0000000001360000-0x0000000001622000-memory.dmp

memory/2072-63-0x00000000010E0000-0x0000000001136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cWkBSqzw3R.bat

MD5 97897433c5ea6e5203a6a7836df35093
SHA1 905bb79e0a51702d9c75419b0950cd15d527ed64
SHA256 bb1392c3babfb0b0a0632efecd2c1de56c62d1215574bac712cdf4791d4e21d6
SHA512 1d6facfd43260851a49c5ec1fb2eba4122831025c7af1fbc824b002e52cf1c9ad53b93d0302c0b2c4f0f9e0decd59c61f8d49bd00985446aac182e42530d97b6

memory/1592-83-0x0000000000D90000-0x0000000001052000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 07:50

Reported

2024-07-21 07:52

Platform

win10v2004-20240709-en

Max time kernel

136s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ja-JP\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ja-JP\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ja-JP\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ja-JP\WmiPrvSE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ja-JP\WmiPrvSE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\c82b8037eab33d C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\fr-FR\121e5b5079f7c0 C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\cmd.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ebf1f9fa8afd6d C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\dwm.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\6cb0b6c459d5d3 C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5b884080fd4f94 C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ja-JP\WmiPrvSE.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Windows\ja-JP\24dbde2999530e C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Windows\bcastdvr\explorer.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Windows\bcastdvr\7a0fd90576e088 C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
File created C:\Windows\InputMethod\CHT\55b276f4edf653 C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A
N/A N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ja-JP\WmiPrvSE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2852 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2852 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2852 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
PID 2852 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
PID 2852 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe
PID 4148 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe C:\Windows\SysWOW64\WScript.exe
PID 4148 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe C:\Windows\SysWOW64\WScript.exe
PID 4148 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe C:\Windows\SysWOW64\WScript.exe
PID 4508 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1064 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1064 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 1064 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeServercomponentFontDriver\MsHostsvc.exe
PID 1604 wrote to memory of 64 N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe C:\Windows\ja-JP\WmiPrvSE.exe
PID 1604 wrote to memory of 64 N/A C:\bridgeServercomponentFontDriver\MsHostsvc.exe C:\Windows\ja-JP\WmiPrvSE.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\ja-JP\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\ja-JP\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\ja-JP\WmiPrvSE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\bridgeServercomponentFontDriver\MsHostsvc.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe

"C:\Users\Admin\AppData\Local\Temp\371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe

"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "

C:\bridgeServercomponentFontDriver\MsHostsvc.exe

"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\bridgeServercomponentFontDriver\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\bridgeServercomponentFontDriver\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\bridgeServercomponentFontDriver\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\bridgeServercomponentFontDriver\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\features\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\CHT\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Music\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\ja-JP\WmiPrvSE.exe

"C:\Windows\ja-JP\WmiPrvSE.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 a1008232.xsph.ru udp
RU 141.8.197.42:80 a1008232.xsph.ru tcp
RU 141.8.197.42:80 a1008232.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

MD5 78f38e4700f08a5a56a3bd422ba8fe9f
SHA1 25993fbf617830c23592ee0adff340c3f76dc641
SHA256 0f207fe33eaa8a486a50938a7c4668f61762fbac383a9b5005af545dd18265af
SHA512 d865387fe14d7bebd6a3bacc26a34af2e3d05d1521ddc839cdbcd00413b6147a15895f9f5b40b44055a416aa55030a28f068b6c80abc698ac2179d0f69bcecbb

C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe

MD5 d80301cde99009a601e22c0f9cb3433a
SHA1 d82a05a75f31ec11ced2f6c5e0b945510dbfcd5a
SHA256 334e48543f8c2d0203135f7820116b676467ae1c1a3d6eabd8b17f96308e5574
SHA512 02b744e15834b654b1d4772d8f2ddc26ca773a9139d9d12fec12c2749e09e69c904014c8464762a7bd97aa8413971193a8c386bb2bfecc14fc8aabd78383888b

C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe

MD5 bd091f4d8a1df91d73b0c65a4ba02330
SHA1 bef757dc154e1d4a0fc91f8ce1e4072c4c12d6df
SHA256 7eeb92d6b5e2faca9ea5763051aac81b7851f4aefe76680ccb25a3aec7e05be2
SHA512 0559ece912e8d3f061e615dd55ced1ddb75c743014b99f4589421c192a4aadf58c41c5b8d72cb96ac3b40f4326e7a7c5791691d557036fb3df2df8f78ff2a98c

C:\bridgeServercomponentFontDriver\9qhNErD.bat

MD5 21b5523fa5a489444309d54f4f58ec98
SHA1 4b9f2c6c37e428a6c504d38bf404fbe7613b900c
SHA256 f3816eaf5c2710018fea5d788601d9c31d0b21d4c25f44284da0d3641eda8dd5
SHA512 ef25536cc3c27e22b2e6cb1834a8279ebb95c5a06d3c2ebab46ad2d0b88c6dc7a1f3c4069d16b747d4108b859bb3776575414e3aeefaca1cd768274b887b2738

C:\bridgeServercomponentFontDriver\MsHostsvc.exe

MD5 a7a6c9f410573c8fbd408170eab6aa33
SHA1 99354c9e2c7fc978abd47e8d2ec1a403bcc5dfd6
SHA256 9d5aaaf2551239a60ec1a383a3512be976cfaa866573e86687c59412ae167974
SHA512 f3dbb349ed88f1d9b7c6d1e0ffc2fa12b3d2f68209eaf97ff8bf4344c5a87e39ba3588584df4b656acdcf1b1526415b0a06e921f405bc836792c9b55a794d6b5

memory/1604-30-0x0000000000760000-0x0000000000A22000-memory.dmp

memory/1604-31-0x0000000002B40000-0x0000000002B4E000-memory.dmp

memory/1604-32-0x000000001B530000-0x000000001B54C000-memory.dmp

memory/1604-33-0x000000001B5A0000-0x000000001B5F0000-memory.dmp

memory/1604-36-0x000000001B580000-0x000000001B588000-memory.dmp

memory/1604-35-0x000000001B560000-0x000000001B576000-memory.dmp

memory/1604-34-0x000000001B550000-0x000000001B558000-memory.dmp

memory/1604-37-0x000000001B590000-0x000000001B5A0000-memory.dmp

memory/1604-38-0x000000001B5F0000-0x000000001B5FA000-memory.dmp

memory/1604-39-0x000000001B620000-0x000000001B676000-memory.dmp

memory/1604-40-0x000000001B600000-0x000000001B60C000-memory.dmp

memory/1604-41-0x000000001B670000-0x000000001B678000-memory.dmp

memory/1604-42-0x000000001B680000-0x000000001B68C000-memory.dmp

memory/1604-43-0x000000001B690000-0x000000001B6A2000-memory.dmp

memory/1604-44-0x000000001C330000-0x000000001C858000-memory.dmp

memory/1604-47-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

memory/1604-46-0x000000001B6D0000-0x000000001B6D8000-memory.dmp

memory/1604-45-0x000000001B6C0000-0x000000001B6CC000-memory.dmp

memory/1604-48-0x000000001C070000-0x000000001C07E000-memory.dmp

memory/1604-49-0x000000001C000000-0x000000001C00C000-memory.dmp