Malware Analysis Report

2024-11-15 05:53

Sample ID 240721-psk7tstapk
Target Dast.Hack.exe
SHA256 8299f38454d692ddb4154b8beda82486d92bbcaec91139a18f70ef476d7d9727
Tags
rat dcrat evasion infostealer spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8299f38454d692ddb4154b8beda82486d92bbcaec91139a18f70ef476d7d9727

Threat Level: Known bad

The file Dast.Hack.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer spyware stealer trojan

DcRat

Dcrat family

UAC bypass

DCRat payload

Process spawned unexpected child process

DCRat payload

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious behavior: EnumeratesProcesses

System policy modification

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 12:35

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 12:35

Reported

2024-07-21 12:53

Platform

win10-20240611-en

Max time kernel

598s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\refcommon\Savesruntimeperf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\refcommon\Savesruntimeperf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\refcommon\Savesruntimeperf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\sysmon.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\refcommon\Savesruntimeperf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\sysmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\refcommon\Savesruntimeperf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\Triedit\121e5b5079f7c0 C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files\Google\dllhost.exe C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files\Windows Mail\en-US\f8c8f1285d826b C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088 C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\9e8d7a4ca61bd9 C:\refcommon\Savesruntimeperf.exe N/A
File opened for modification C:\Program Files\Google\dllhost.exe C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Program Files\Google\5940a34987c991 C:\refcommon\Savesruntimeperf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Performance\winlogon.exe C:\refcommon\Savesruntimeperf.exe N/A
File created C:\Windows\Performance\cc11b995f2a76d C:\refcommon\Savesruntimeperf.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\refcommon\Savesruntimeperf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Users\Admin\sysmon.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\sysmon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\refcommon\Savesruntimeperf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\sysmon.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe C:\Windows\SysWOW64\WScript.exe
PID 4676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe C:\Windows\SysWOW64\WScript.exe
PID 4676 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe C:\Windows\SysWOW64\WScript.exe
PID 1232 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\refcommon\Savesruntimeperf.exe
PID 2372 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\refcommon\Savesruntimeperf.exe
PID 3608 wrote to memory of 3192 N/A C:\refcommon\Savesruntimeperf.exe C:\Windows\System32\cmd.exe
PID 3608 wrote to memory of 3192 N/A C:\refcommon\Savesruntimeperf.exe C:\Windows\System32\cmd.exe
PID 3192 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3192 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3192 wrote to memory of 3688 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\sysmon.exe
PID 3192 wrote to memory of 3688 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\sysmon.exe
PID 3688 wrote to memory of 2264 N/A C:\Users\Admin\sysmon.exe C:\Windows\System32\WScript.exe
PID 3688 wrote to memory of 2264 N/A C:\Users\Admin\sysmon.exe C:\Windows\System32\WScript.exe
PID 3688 wrote to memory of 4744 N/A C:\Users\Admin\sysmon.exe C:\Windows\System32\WScript.exe
PID 3688 wrote to memory of 4744 N/A C:\Users\Admin\sysmon.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\refcommon\Savesruntimeperf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\refcommon\Savesruntimeperf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\refcommon\Savesruntimeperf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\sysmon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\sysmon.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe

"C:\Users\Admin\AppData\Local\Temp\Dast.Hack.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\refcommon\a9qp8YhB09rgym.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\refcommon\o7w5u18.bat" "

C:\refcommon\Savesruntimeperf.exe

"C:\refcommon\Savesruntimeperf.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aGmV56J0l0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\sysmon.exe

"C:\Users\Admin\sysmon.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7713eddd-0f40-46c5-8e92-5d873eaf0ff6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9339de0-b4e6-4f83-90d4-ec96ba79574d.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe"

C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe

"C:\Program Files\Common Files\microsoft shared\Triedit\sysmon.exe"

C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe

"C:\Program Files\Windows Mail\en-US\ShellExperienceHost.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\RuntimeBroker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 cf11739.tw1.ru udp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 170.247.114.185.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
US 8.8.8.8:53 152.141.79.40.in-addr.arpa udp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp
RU 185.114.247.170:80 cf11739.tw1.ru tcp

Files

C:\refcommon\a9qp8YhB09rgym.vbe

MD5 e30dc1038a7664ab0f9623335243517e
SHA1 9466920ec01f531bac1f482635d03015c5d9981a
SHA256 28103167be9475e1971ef47b77f1d115f814f1635060d2ce6e0d64f1ddf63300
SHA512 f02d8034d9fbb2685540179f5d79f54dff68d73c7ed838999b49a9de67efd5385d1b51f1e4f81425ad126ef587de3096988c917069dc0beb71bef999cb8b36b3

C:\refcommon\o7w5u18.bat

MD5 23a21c6fd0af23b3a6b196ed1300a37c
SHA1 247e674129a0414018bcb7b2aa5e12d4a2005f05
SHA256 87957d0707f5768d0e6c920bfba23d2693189131d57418e04344153332555082
SHA512 2cbfb8549d4ae49759ef9b5caaee02609cb1496f16e58d4bb2c28001ae2ed21a4a53cc06d47d9133164dde64f2e765c5a99f4ad0cdd25cc92442cf4a9aefc95c

C:\refcommon\Savesruntimeperf.exe

MD5 17babc686738c7b611b9e9e028c8ef34
SHA1 8c959decebcb5544528e2a76f66e73c401e19be8
SHA256 7cef1a964acbe38f4796b9ddbbd95e3fc19215594b2f3ab74483d58fe4bb93ad
SHA512 c7e2f881e6eb09e25c08c76b88b7626c768fb3e623b39b538e7b84f02fb6382bf5b4e0d66835c63cf59d1346e91b5bc3b60a6335bab90d5f185d81e5f9a52fe8

memory/3608-14-0x0000000000380000-0x0000000000680000-memory.dmp

memory/3608-15-0x0000000000E20000-0x0000000000E2E000-memory.dmp

memory/3608-16-0x0000000000E30000-0x0000000000E3E000-memory.dmp

memory/3608-17-0x0000000001050000-0x0000000001058000-memory.dmp

memory/3608-18-0x0000000001060000-0x000000000107C000-memory.dmp

memory/3608-19-0x000000001B9A0000-0x000000001B9F0000-memory.dmp

memory/3608-20-0x0000000002980000-0x0000000002988000-memory.dmp

memory/3608-21-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/3608-22-0x0000000002B00000-0x0000000002B16000-memory.dmp

memory/3608-23-0x00000000029A0000-0x00000000029A8000-memory.dmp

memory/3608-24-0x0000000002B30000-0x0000000002B42000-memory.dmp

memory/3608-25-0x0000000002B20000-0x0000000002B30000-memory.dmp

memory/3608-26-0x0000000002B40000-0x0000000002B4A000-memory.dmp

memory/3608-27-0x000000001B9F0000-0x000000001BA46000-memory.dmp

memory/3608-28-0x0000000002AC0000-0x0000000002ACC000-memory.dmp

memory/3608-29-0x0000000002AD0000-0x0000000002AD8000-memory.dmp

memory/3608-30-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

memory/3608-32-0x0000000002B50000-0x0000000002B62000-memory.dmp

memory/3608-31-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

memory/3608-33-0x000000001C220000-0x000000001C746000-memory.dmp

memory/3608-34-0x000000001B350000-0x000000001B358000-memory.dmp

memory/3608-35-0x000000001B360000-0x000000001B368000-memory.dmp

memory/3608-39-0x000000001BA50000-0x000000001BA58000-memory.dmp

memory/3608-40-0x000000001BA60000-0x000000001BA6A000-memory.dmp

memory/3608-38-0x000000001BA40000-0x000000001BA48000-memory.dmp

memory/3608-37-0x000000001B380000-0x000000001B38E000-memory.dmp

memory/3608-36-0x000000001B370000-0x000000001B37A000-memory.dmp

memory/3608-41-0x000000001BA70000-0x000000001BA7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aGmV56J0l0.bat

MD5 0a06dbba175d7edccc94d544bc1897d8
SHA1 9ece6924d9a18c6977dd75f5e70eed31657ad977
SHA256 21a7702760538d02f267ebe43f9c84e9a2ab1bda219053ec8195e4d88b2fe17e
SHA512 6d1096192a3bd5d38a67b78d4683888e4e2f20f5d796736a46ce33fcbbf8d23d1a2405ac0b59b6ea564821ad4920c33021393940ee977d7728fbb441d8c1e651

memory/3688-67-0x0000000002EE0000-0x0000000002EF2000-memory.dmp

memory/3688-68-0x000000001BA00000-0x000000001BA56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a9339de0-b4e6-4f83-90d4-ec96ba79574d.vbs

MD5 5fecf589c3354566a4a8b4916ec517a5
SHA1 5ee5a7da2e97e695430fe362c228da5d8f5f06af
SHA256 db9059a2a2e3c96a324e9cdabd78ad0a00d4cce4ab6b3a3b209f8b49b406647f
SHA512 140f1779f1854fd0b3b9914bdbd500b7f08de305c7be72e85ad56807c33a29e4195284e5f0c1974dbfe0fa40e50b4a81d84ff9a61d91abc72e2c3a2dedcf0898

C:\Users\Admin\AppData\Local\Temp\7713eddd-0f40-46c5-8e92-5d873eaf0ff6.vbs

MD5 1e6b4b17995bb9b5cf16640ca78a6ed5
SHA1 0febbcf10da6c32c5d6f5d57085e724ee9a73153
SHA256 d0c56b4fcd5e99fcc3c05aaefef2f338fb3cd74ecbf8ca0893ee0019e243f947
SHA512 5d0b085c351ccc41fc2d826217af3a7ec92ce75a14f33002effbb501cfe153de10b8617f411fd0a433f098cb897aa6bf7a391d6d2000602bab6ff3e7ce91161e