Analysis Overview
SHA256
8299f38454d692ddb4154b8beda82486d92bbcaec91139a18f70ef476d7d9727
Threat Level: Known bad
The file Dast.Hack.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
UAC bypass
DCRat payload
Process spawned unexpected child process
DCRat payload
Reads user/profile data of web browsers
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious behavior: EnumeratesProcesses
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-21 12:35
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-21 12:35
Reported
2024-07-21 12:53
Platform
win10-20240611-en
Max time kernel
598s
Max time network
603s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\refcommon\Savesruntimeperf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\refcommon\Savesruntimeperf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\refcommon\Savesruntimeperf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\sysmon.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\refcommon\Savesruntimeperf.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | N/A |
| N/A | N/A | C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\refcommon\Savesruntimeperf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\sysmon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\refcommon\Savesruntimeperf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\microsoft shared\Triedit\121e5b5079f7c0 | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files\Google\dllhost.exe | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\f8c8f1285d826b | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\9e8d7a4ca61bd9 | C:\refcommon\Savesruntimeperf.exe | N/A |
| File opened for modification | C:\Program Files\Google\dllhost.exe | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Program Files\Google\5940a34987c991 | C:\refcommon\Savesruntimeperf.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Performance\winlogon.exe | C:\refcommon\Savesruntimeperf.exe | N/A |
| File created | C:\Windows\Performance\cc11b995f2a76d | C:\refcommon\Savesruntimeperf.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\refcommon\Savesruntimeperf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Users\Admin\sysmon.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\refcommon\Savesruntimeperf.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\sysmon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\refcommon\Savesruntimeperf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\sysmon.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\refcommon\Savesruntimeperf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\refcommon\Savesruntimeperf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\refcommon\Savesruntimeperf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\sysmon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\sysmon.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe
"C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\refcommon\a9qp8YhB09rgym.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\refcommon\o7w5u18.bat" "
C:\refcommon\Savesruntimeperf.exe
"C:\refcommon\Savesruntimeperf.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aGmV56J0l0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\sysmon.exe
"C:\Users\Admin\sysmon.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7713eddd-0f40-46c5-8e92-5d873eaf0ff6.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9339de0-b4e6-4f83-90d4-ec96ba79574d.vbs"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"
C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe
"C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe"
C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe
"C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | cf11739.tw1.ru | udp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.247.114.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| US | 8.8.8.8:53 | 152.141.79.40.in-addr.arpa | udp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cf11739.tw1.ru | tcp |
Files
C:\refcommon\a9qp8YhB09rgym.vbe
| MD5 | e30dc1038a7664ab0f9623335243517e |
| SHA1 | 9466920ec01f531bac1f482635d03015c5d9981a |
| SHA256 | 28103167be9475e1971ef47b77f1d115f814f1635060d2ce6e0d64f1ddf63300 |
| SHA512 | f02d8034d9fbb2685540179f5d79f54dff68d73c7ed838999b49a9de67efd5385d1b51f1e4f81425ad126ef587de3096988c917069dc0beb71bef999cb8b36b3 |
C:\refcommon\o7w5u18.bat
| MD5 | 23a21c6fd0af23b3a6b196ed1300a37c |
| SHA1 | 247e674129a0414018bcb7b2aa5e12d4a2005f05 |
| SHA256 | 87957d0707f5768d0e6c920bfba23d2693189131d57418e04344153332555082 |
| SHA512 | 2cbfb8549d4ae49759ef9b5caaee02609cb1496f16e58d4bb2c28001ae2ed21a4a53cc06d47d9133164dde64f2e765c5a99f4ad0cdd25cc92442cf4a9aefc95c |
C:\refcommon\Savesruntimeperf.exe
| MD5 | 17babc686738c7b611b9e9e028c8ef34 |
| SHA1 | 8c959decebcb5544528e2a76f66e73c401e19be8 |
| SHA256 | 7cef1a964acbe38f4796b9ddbbd95e3fc19215594b2f3ab74483d58fe4bb93ad |
| SHA512 | c7e2f881e6eb09e25c08c76b88b7626c768fb3e623b39b538e7b84f02fb6382bf5b4e0d66835c63cf59d1346e91b5bc3b60a6335bab90d5f185d81e5f9a52fe8 |
memory/3608-14-0x0000000000380000-0x0000000000680000-memory.dmp
memory/3608-15-0x0000000000E20000-0x0000000000E2E000-memory.dmp
memory/3608-16-0x0000000000E30000-0x0000000000E3E000-memory.dmp
memory/3608-17-0x0000000001050000-0x0000000001058000-memory.dmp
memory/3608-18-0x0000000001060000-0x000000000107C000-memory.dmp
memory/3608-19-0x000000001B9A0000-0x000000001B9F0000-memory.dmp
memory/3608-20-0x0000000002980000-0x0000000002988000-memory.dmp
memory/3608-21-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3608-22-0x0000000002B00000-0x0000000002B16000-memory.dmp
memory/3608-23-0x00000000029A0000-0x00000000029A8000-memory.dmp
memory/3608-24-0x0000000002B30000-0x0000000002B42000-memory.dmp
memory/3608-25-0x0000000002B20000-0x0000000002B30000-memory.dmp
memory/3608-26-0x0000000002B40000-0x0000000002B4A000-memory.dmp
memory/3608-27-0x000000001B9F0000-0x000000001BA46000-memory.dmp
memory/3608-28-0x0000000002AC0000-0x0000000002ACC000-memory.dmp
memory/3608-29-0x0000000002AD0000-0x0000000002AD8000-memory.dmp
memory/3608-30-0x0000000002AE0000-0x0000000002AEC000-memory.dmp
memory/3608-32-0x0000000002B50000-0x0000000002B62000-memory.dmp
memory/3608-31-0x0000000002AF0000-0x0000000002AF8000-memory.dmp
memory/3608-33-0x000000001C220000-0x000000001C746000-memory.dmp
memory/3608-34-0x000000001B350000-0x000000001B358000-memory.dmp
memory/3608-35-0x000000001B360000-0x000000001B368000-memory.dmp
memory/3608-39-0x000000001BA50000-0x000000001BA58000-memory.dmp
memory/3608-40-0x000000001BA60000-0x000000001BA6A000-memory.dmp
memory/3608-38-0x000000001BA40000-0x000000001BA48000-memory.dmp
memory/3608-37-0x000000001B380000-0x000000001B38E000-memory.dmp
memory/3608-36-0x000000001B370000-0x000000001B37A000-memory.dmp
memory/3608-41-0x000000001BA70000-0x000000001BA7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aGmV56J0l0.bat
| MD5 | 0a06dbba175d7edccc94d544bc1897d8 |
| SHA1 | 9ece6924d9a18c6977dd75f5e70eed31657ad977 |
| SHA256 | 21a7702760538d02f267ebe43f9c84e9a2ab1bda219053ec8195e4d88b2fe17e |
| SHA512 | 6d1096192a3bd5d38a67b78d4683888e4e2f20f5d796736a46ce33fcbbf8d23d1a2405ac0b59b6ea564821ad4920c33021393940ee977d7728fbb441d8c1e651 |
memory/3688-67-0x0000000002EE0000-0x0000000002EF2000-memory.dmp
memory/3688-68-0x000000001BA00000-0x000000001BA56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a9339de0-b4e6-4f83-90d4-ec96ba79574d.vbs
| MD5 | 5fecf589c3354566a4a8b4916ec517a5 |
| SHA1 | 5ee5a7da2e97e695430fe362c228da5d8f5f06af |
| SHA256 | db9059a2a2e3c96a324e9cdabd78ad0a00d4cce4ab6b3a3b209f8b49b406647f |
| SHA512 | 140f1779f1854fd0b3b9914bdbd500b7f08de305c7be72e85ad56807c33a29e4195284e5f0c1974dbfe0fa40e50b4a81d84ff9a61d91abc72e2c3a2dedcf0898 |
C:\Users\Admin\AppData\Local\Temp\7713eddd-0f40-46c5-8e92-5d873eaf0ff6.vbs
| MD5 | 1e6b4b17995bb9b5cf16640ca78a6ed5 |
| SHA1 | 0febbcf10da6c32c5d6f5d57085e724ee9a73153 |
| SHA256 | d0c56b4fcd5e99fcc3c05aaefef2f338fb3cd74ecbf8ca0893ee0019e243f947 |
| SHA512 | 5d0b085c351ccc41fc2d826217af3a7ec92ce75a14f33002effbb501cfe153de10b8617f411fd0a433f098cb897aa6bf7a391d6d2000602bab6ff3e7ce91161e |