Malware Analysis Report

2024-11-15 05:53

Sample ID: 240722-3chcwstgjf
Target: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77
SHA256: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77
Tags: rat dcrat evasion infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10
SHA256: 7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77
Threat Level: Known bad

Malicious Activity Summary

Tags: rat dcrat evasion infostealer trojan

Dcrat family
DcRat
UAC bypass
DCRat payload
Process spawned unexpected child process
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-22 23:21

Signatures

DCRat payload
Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family
Tags: dcrat

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-22 23:21
Reported: 2024-07-22 23:24
Platform: win7-20240705-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe"

Signatures

DcRat
Tags: rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(36 identical rows, one per schtasks.exe invocation listed under Processes)

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A

DCRat payload

Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(3 identical rows)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Sidebar\System.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\Windows Sidebar\27d1bcfc3c54e0 | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\System.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\886983d96e3d3e | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\Microsoft Office\Office14\1033\27d1bcfc3c54e0 | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\Windows Journal\it-IT\wininit.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\Windows Journal\it-IT\56085415360792 | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\7-Zip\Lang\Idle.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\7-Zip\Lang\6ccacd8608530f | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\7a0fd90576e088 | C:\componentinto\bridgeContainerRef.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\BitLockerDiscoveryVolumeContents\6cb0b6c459d5d3 | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Windows\ServiceProfiles\NetworkService\Downloads\6ccacd8608530f | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Windows\Resources\Ease of Access Themes\f2fdbaba385e06 | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe | C:\componentinto\bridgeContainerRef.exe | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Tags: persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(36 identical rows; the corresponding command lines are listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\componentinto\bridgeContainerRef.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Rows
PID 2400 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 3056 wrote to memory of 2980 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2980 wrote to memory of 604 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\componentinto\bridgeContainerRef.exe | 4
PID 604 wrote to memory of 2968 | N/A | C:\componentinto\bridgeContainerRef.exe | C:\Windows\System32\cmd.exe | 3
PID 2968 wrote to memory of 1000 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe | 3
PID 2968 wrote to memory of 1928 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | 3
(Rows = number of identical entries in the original table)
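The rows above record every parent-to-child memory write in the detonation, each pair repeated three or four times. The Python below is an added example for this report, not part of the sandbox output or of any DCRat tooling: it parses rows in exactly this format, drops the repeats, and rebuilds the process tree so the launch chain (sample, WScript.exe running the .vbe, cmd.exe running the .bat, bridgeContainerRef.exe, a second cmd.exe, then w32tm.exe and the csrss.exe copy) can be read off and queried. The sample rows are copied from the table; the first one is included twice to exercise the de-duplication.

```python
import ntpath
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" table above.
# The first row is deliberately repeated: the sandbox logs each pair several times.
WPM_ROWS = [
    r"PID 2400 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2400 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 3056 wrote to memory of 2980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2980 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\componentinto\bridgeContainerRef.exe",
    r"PID 604 wrote to memory of 2968 N/A C:\componentinto\bridgeContainerRef.exe C:\Windows\System32\cmd.exe",
    r"PID 2968 wrote to memory of 1000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2968 wrote to memory of 1928 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe",
]

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; the source image is
# matched lazily up to the first ".exe" that is followed by another drive-letter path.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+\.exe)$"
)


def build_tree(rows):
    """Return (images, children): pid -> image path, parent pid -> ordered child pids."""
    images, children = {}, {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # not a parent->child write row
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        kids = children.setdefault(src, [])
        if dst not in kids:  # collapse the repeated rows
            kids.append(dst)
    return images, children


def render_tree(images, children):
    """Indented text tree; a root is any pid that never appears as a child."""
    all_children = {c for kids in children.values() for c in kids}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{ntpath.basename(images[pid])} ({pid})")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in sorted(p for p in images if p not in all_children):
        walk(root, 0)
    return lines


def chain_to(pid, images, children):
    """Image names from the root down to pid, for rules like 'wscript -> cmd -> exe'."""
    parent_of = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [ntpath.basename(images[p]) for p in reversed(chain)]


if __name__ == "__main__":
    imgs, kids = build_tree(WPM_ROWS)
    print("\n".join(render_tree(imgs, kids)))
    print(" -> ".join(chain_to(1928, imgs, kids)))
```

Every pair in the table is a parent writing into a child it has just started, which is consistent with ordinary process creation (the parent writes the new child's startup parameters); on its own the signature therefore says "spawned a child", not "injected into an unrelated running process". The lineage is what matters: script host, then batch file, then the dropped binary, then a second batch file whose w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 call has no time-sync purpose and is commonly used in batch droppers as a short delay before the next stage (here the csrss.exe copy) is launched.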

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe | N/A
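The UAC bypass table earlier in this section and the table above record the same three writes under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, first by bridgeContainerRef.exe and again by the csrss.exe copy: EnableLUA = 0 turns UAC off entirely after the next reboot, ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 moves whatever prompt remains off the secure desktop. The Python below is an added example, not part of the report or of any DCRat tooling: it parses registry-write rows in this report's format, checks each write against a secure baseline for those three values, and exposes the same baseline check for values collected from a live host. The baseline sets and the one constructed control row (EnableLUA restored to 1 by svchost.exe) are assumptions for the example.

```python
import re

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Acceptable values per Microsoft's documented semantics (assumption: tighten to
# your own policy). The sample wrote 0 to each, which is the insecure setting.
BASELINE = {
    "EnableLUA": {1},                               # 0 turns UAC off after reboot
    "ConsentPromptBehaviorAdmin": {1, 2, 3, 4, 5},  # 0 elevates without any prompt
    "PromptOnSecureDesktop": {1},                   # 0 shows prompts on the normal desktop
}

# Three rows copied from the "System policy modification" table above, plus one
# constructed control row that restores a secure value and must not be flagged.
POLICY_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\componentinto\bridgeContainerRef.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\componentinto\bridgeContainerRef.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\System32\svchost.exe',  # constructed control
]

# 'Set value (<type>) <key>\<name> = "<data>" <writing process>'
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+) = "(?P<data>[^"]*)" (?P<process>.+)$'
)


def parse_policy_event(row):
    """Split one sandbox registry-write row into its fields; None for other row kinds."""
    m = ROW_RE.match(row)
    if not m:
        return None
    return {"type": m["type"], "key": m["key"], "name": m["name"],
            "data": m["data"], "process": m["process"]}


def audit_values(values):
    """values: {name: int} read from the Policies/System key (e.g. via winreg on a live
    host). Returns {name: (actual, acceptable)} for every value outside the baseline."""
    return {name: (values[name], sorted(BASELINE[name]))
            for name in BASELINE
            if name in values and values[name] not in BASELINE[name]}


def evaluate_events(rows):
    """Findings for writes under the UAC policy key that leave a value outside the baseline."""
    findings = []
    for row in rows:
        ev = parse_policy_event(row)
        if ev is None or ev["key"].lower() != UAC_KEY.lower():
            continue
        if not ev["data"].lstrip("-").isdigit():
            continue  # only integer policy values are baselined here
        bad = audit_values({ev["name"]: int(ev["data"])})
        if bad:
            findings.append({"name": ev["name"], "data": int(ev["data"]),
                             "process": ev["process"], "expected": bad[ev["name"]][1]})
    return findings


if __name__ == "__main__":
    for f in evaluate_events(POLICY_EVENTS):
        print(f'{f["name"]} set to {f["data"]} by {f["process"]} (expected one of {f["expected"]})')
```

On a live Windows host the same audit_values() check can be fed from winreg.QueryValueEx on the Policies\System key; a finding there means UAC has already been weakened, and because EnableLUA only takes effect after a reboot, the registry value, not the current prompt behaviour, is the thing to check.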

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe

"C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat" "

C:\componentinto\bridgeContainerRef.exe

"C:\componentinto\bridgeContainerRef.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\componentinto\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeContainerRefb" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeContainerRef" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgeContainerRefb" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\bridgeContainerRef.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\componentinto\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\componentinto\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\componentinto\System.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yZZz7yfIfQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe

"C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\csrss.exe"
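The 36 schtasks.exe command lines above follow one template for each of the 12 dropped copies: two tasks that re-run the binary every few minutes (one of them with /rl HIGHEST) and one ONLOGON task with /rl HIGHEST, all pointing at a copy named after a Windows system process (csrss.exe, wininit.exe, dwm.exe, conhost.exe, explorer.exe, System.exe, Idle.exe) but stored under Program Files, C:\componentinto, C:\Recovery or a Windows resources folder instead of System32. The schtasks.exe processes are logged as children of wmiprvse.exe, which is what a process created through WMI (Win32_Process.Create) looks like, rather than one started by the dropper directly. The Python below is an added example, not part of the report or of any DCRat tooling: it parses schtasks /create command lines (five copied from this list plus one constructed benign control) and flags the name-masquerading and minute-interval re-launch patterns. The SYSTEM_NAMES and TRUSTED_DIRS sets and the 15-minute threshold are assumptions to tune for your own estate.

```python
import ntpath
import re
from collections import defaultdict

# Five of the 36 schtasks.exe command lines from this report's behavioral1 Processes
# section, plus one constructed benign line (AcmeUpdate) as a control.
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\componentinto\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\componentinto\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "AcmeUpdate" /sc DAILY /st 03:00 /tr "'C:\Program Files\Acme\updater.exe'" /f''',
]

# Process names the dropper reused for its copies in both detonations, plus a few other
# commonly impersonated Windows binaries (assumption: extend for your environment).
SYSTEM_NAMES = {
    "csrss.exe", "wininit.exe", "dwm.exe", "conhost.exe", "explorer.exe", "system.exe",
    "idle.exe", "fontdrvhost.exe", "runtimebroker.exe", "cmd.exe", "svchost.exe",
    "lsass.exe", "smss.exe", "winlogon.exe", "services.exe", "taskhostw.exe",
}
# Directories where the genuine binaries of those names live.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# A schtasks option is "/key" optionally followed by a value, which may be double-quoted.
OPT_RE = re.compile(r'/(?P<key>[A-Za-z]+)(?:\s+(?P<val>"[^"]*"|[^\s/"]\S*))?')


def parse_schtasks(cmdline):
    """Return the options of one schtasks command line as a dict.

    Keys are lower-cased option names; valueless switches (/f, /create) map to True.
    The /tr value is unwrapped from the nested "'...'" quoting seen in this report.
    """
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        val = m.group("val")
        opts[m.group("key").lower()] = True if val is None else val.strip('"').strip("'")
    return opts


def assess_task(opts):
    """Reasons a parsed /create command matches the dropper's persistence pattern."""
    reasons = []
    target = str(opts.get("tr", ""))
    name = ntpath.basename(target).lower()
    directory = ntpath.dirname(target).lower()
    if name in SYSTEM_NAMES and directory not in TRUSTED_DIRS:
        reasons.append(f"system process name {name} outside a trusted directory")
    interval = str(opts.get("mo", "1"))  # schtasks defaults /mo to 1 when omitted
    if str(opts.get("sc", "")).upper() == "MINUTE" and interval.isdigit() and int(interval) <= 15:
        reasons.append("re-launched every few minutes (/sc MINUTE)")
    # Elevation alone is common for legitimate tasks, so report it only as a qualifier.
    if reasons and str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs elevated (/rl HIGHEST)")
    return reasons


def triage(cmdlines):
    """Group flagged /create commands by launched binary: {target path: [task names]}."""
    hits = defaultdict(list)
    for line in cmdlines:
        opts = parse_schtasks(line)
        if "create" in opts and assess_task(opts):
            hits[str(opts.get("tr", ""))].append(str(opts.get("tn", "?")))
    return dict(hits)


if __name__ == "__main__":
    for target, names in triage(SCHTASKS_LINES).items():
        print(f"{target}: {len(names)} task(s) {names}")
```

Run over the full list of 36 lines, triage() yields 12 targets with three task names each. In a real estate the same parser can be pointed at Sysmon/4688 command lines or at Security event 4698 (scheduled task created), where the task XML carries the same /tr path.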

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a1006920.xsph.ru | udp
RU | 141.8.192.58:80 | a1006920.xsph.ru | tcp

Files

C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe

MD5 8ee36dbedf71844b819755a69aef93ce
SHA1 3225ed789aec1beb07f3dbcb93101f67cc29412e
SHA256 c9edb1555caa1589010af0e3b6e3296daca37407359c12af2f54e4d04818f810
SHA512 a1cc0cad26a3cfcb52311855384b835c1537f034d86f307d2d716b41bf7825fa860e12f7a61ff0a1e50d8a43eb7d159538c4abaca24a8dbb47604fff949455f6

C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat

MD5 86d8de8f837ab632770008d846268bb8
SHA1 050a887f38d930985d90b52726ae698806a93776
SHA256 6f53cccfc1f99c8b3014c04b87e3cf51ad677042a47fd1a313b93571b1fc14cc
SHA512 d67f2bec91551abcf918d1ab1af634e06e7a23f9668fd6e7162ca445748a4b805215cef2c8590c2aea4769605e884225e481f79a082297f304ff0feedd7353e2

C:\componentinto\bridgeContainerRef.exe

MD5 d2284b3bcac27076acbce384ae1f90b9
SHA1 cd4f86b839e07d8df5ae1acce0db9a4438494a3e
SHA256 e402b9d1e4218a83aa63143d75c6b2e52fd53ad046d04de79f6817409e03977b
SHA512 218e20534c9789a87e75662f79f3c856c759b8df71bf770fa91cdb8c5dd5d2cc4e4abf968ae412365655bb38e151554f914117edec19f80ff5d8927d5c8a2f88

memory/604-13-0x0000000001090000-0x00000000011A6000-memory.dmp

memory/604-14-0x00000000003C0000-0x00000000003CE000-memory.dmp

memory/604-15-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/604-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/604-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

memory/604-18-0x0000000000410000-0x000000000041C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yZZz7yfIfQ.bat

MD5 de06afdf2e2113b72b07525553e6ced0
SHA1 a043eee970b93f786c698187354c6ce25668fad8
SHA256 8df1f796e16df8ba74070d1e6e8cf3d4cb8c951e390c43b11c91147fc9a26f72
SHA512 686d89c249594e6b89d487aadb358527ab9de997eae1a4e7bedadac29e689f44d7e847e957d4eae810fed032f93718d9016c5e3f54c566402850a1bb249de988

memory/1928-50-0x0000000000320000-0x0000000000436000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-22 23:21
Reported: 2024-07-22 23:24
Platform: win10v2004-20240709-en
Max time kernel: 139s
Max time network: 105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe"

Signatures

DcRat
Tags: rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(24 identical rows)

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\Recent\fontdrvhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Default\Recent\fontdrvhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Default\Recent\fontdrvhost.exe | N/A

DCRat payload

Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(2 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\componentinto\bridgeContainerRef.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\componentinto\bridgeContainerRef.exe | N/A
N/A | N/A | C:\Users\Default\Recent\fontdrvhost.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\componentinto\bridgeContainerRef.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\componentinto\bridgeContainerRef.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Default\Recent\fontdrvhost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Default\Recent\fontdrvhost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Uninstall Information\9e8d7a4ca61bd9 | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\dotnet\cmd.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\dotnet\ebf1f9fa8afd6d | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Program Files\Uninstall Information\RuntimeBroker.exe | C:\componentinto\bridgeContainerRef.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\SystemResources\Windows.UI.PrintDialog\pris\fontdrvhost.exe | C:\componentinto\bridgeContainerRef.exe | N/A
File created | C:\Windows\SystemResources\Windows.UI.PrintDialog\pris\5b884080fd4f94 | C:\componentinto\bridgeContainerRef.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\componentinto\bridgeContainerRef.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\componentinto\bridgeContainerRef.exe N/A
N/A N/A C:\componentinto\bridgeContainerRef.exe N/A
N/A N/A C:\componentinto\bridgeContainerRef.exe N/A
N/A N/A C:\Users\Default\Recent\fontdrvhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\componentinto\bridgeContainerRef.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Recent\fontdrvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe C:\Windows\SysWOW64\WScript.exe
PID 3928 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe C:\Windows\SysWOW64\WScript.exe
PID 3928 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe C:\Windows\SysWOW64\WScript.exe
PID 4900 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 2256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\componentinto\bridgeContainerRef.exe
PID 2256 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\componentinto\bridgeContainerRef.exe
PID 5056 wrote to memory of 1048 N/A C:\componentinto\bridgeContainerRef.exe C:\Windows\System32\cmd.exe
PID 5056 wrote to memory of 1048 N/A C:\componentinto\bridgeContainerRef.exe C:\Windows\System32\cmd.exe
PID 1048 wrote to memory of 3484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1048 wrote to memory of 3484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1048 wrote to memory of 3508 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Recent\fontdrvhost.exe
PID 1048 wrote to memory of 3508 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Recent\fontdrvhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\componentinto\bridgeContainerRef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\componentinto\bridgeContainerRef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\componentinto\bridgeContainerRef.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Recent\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Recent\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Recent\fontdrvhost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe

"C:\Users\Admin\AppData\Local\Temp\7cc33f80106d0f58245fc201cd192c7914e6862738768123359bdeb4330a6c77.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat" "

C:\componentinto\bridgeContainerRef.exe

"C:\componentinto\bridgeContainerRef.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Setup\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Setup\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemResources\Windows.UI.PrintDialog\pris\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.PrintDialog\pris\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\Windows.UI.PrintDialog\pris\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\dotnet\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\componentinto\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\componentinto\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\componentinto\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eFgIsndvre.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Recent\fontdrvhost.exe

"C:\Users\Default\Recent\fontdrvhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 a1006920.xsph.ru udp
RU 141.8.192.58:80 a1006920.xsph.ru tcp
US 8.8.8.8:53 58.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\componentinto\TyJbcivSrBus9A7UqBxYQLYLifv.vbe

C:\componentinto\3EQ4MYmSGwKCrTIrueD0pw.bat

C:\componentinto\bridgeContainerRef.exe

C:\Users\Admin\AppData\Local\Temp\eFgIsndvre.bat