Edit tour

Windows Analysis Report
leFhB1aYaW.exe

Overview

General Information

Sample name:	leFhB1aYaW.exe renamed because original name is a hash value
Original sample name:	062530f98f8bcd26c81bcf494d40b24e.exe
Analysis ID:	1628684
MD5:	062530f98f8bcd26c81bcf494d40b24e
SHA1:	6b1e92c5fb0d38a64c2ade8e89e8531a05e162a1
SHA256:	62fd565b17f0870b397767045b25ffcac9ee87c2f64048c5fa486cdba2f301a0
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Creates processes via WMI

Drops executable to a common third party application directory

Joe Sandbox ML detected suspicious sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Sigma detected: Files With System Process Name In Unsuspected Locations

Switches to a custom stack to bypass stack traces

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

leFhB1aYaW.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\leFhB1aYaW.exe" MD5: 062530F98F8BCD26C81BCF494D40B24E)

DCRatBuild.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" MD5: C99CFB2E9AC8BF2137F16ADED6D2EE74)

wscript.exe (PID: 7548 cmdline: "C:\Windows\System32\WScript.exe" "C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7748 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Portcontaineragentmonitor\AQ3gfQ1W.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

portReview.exe (PID: 7808 cmdline: "C:\Portcontaineragentmonitor\portReview.exe" MD5: 0674C9FEDE7F71533E5ED926097B4491)

schtasks.exe (PID: 7928 cmdline: schtasks.exe /create /tn "O22dzei3IuO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7944 cmdline: schtasks.exe /create /tn "O22dzei3Iu" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7964 cmdline: schtasks.exe /create /tn "O22dzei3IuO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7980 cmdline: schtasks.exe /create /tn "FyQepTQ2XQtF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FyQepTQ2XQt.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7996 cmdline: schtasks.exe /create /tn "FyQepTQ2XQt" /sc ONLOGON /tr "'C:\Recovery\FyQepTQ2XQt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8012 cmdline: schtasks.exe /create /tn "FyQepTQ2XQtF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FyQepTQ2XQt.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8028 cmdline: schtasks.exe /create /tn "5EE314FAEE8C5" /sc MINUTE /mo 13 /tr "'C:\Portcontaineragentmonitor\5EE314FAEE8C.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8048 cmdline: schtasks.exe /create /tn "5EE314FAEE8C" /sc ONLOGON /tr "'C:\Portcontaineragentmonitor\5EE314FAEE8C.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8068 cmdline: schtasks.exe /create /tn "5EE314FAEE8C5" /sc MINUTE /mo 9 /tr "'C:\Portcontaineragentmonitor\5EE314FAEE8C.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8088 cmdline: schtasks.exe /create /tn "7IAGP0ksz77" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8104 cmdline: schtasks.exe /create /tn "7IAGP0ksz7" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8128 cmdline: schtasks.exe /create /tn "7IAGP0ksz77" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 8160 cmdline: schtasks.exe /create /tn "SGPiNAyrVbS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OneDrive\SGPiNAyrVb.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6304 cmdline: schtasks.exe /create /tn "SGPiNAyrVb" /sc ONLOGON /tr "'C:\Users\Default User\OneDrive\SGPiNAyrVb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7116 cmdline: schtasks.exe /create /tn "SGPiNAyrVbS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OneDrive\SGPiNAyrVb.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "TjX1QjrI08PnT" /sc MINUTE /mo 8 /tr "'C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4588 cmdline: schtasks.exe /create /tn "TjX1QjrI08Pn" /sc ONLOGON /tr "'C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7308 cmdline: schtasks.exe /create /tn "TjX1QjrI08PnT" /sc MINUTE /mo 7 /tr "'C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7332 cmdline: schtasks.exe /create /tn "portReviewp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\portReview.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3868 cmdline: schtasks.exe /create /tn "portReview" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\portReview.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5544 cmdline: schtasks.exe /create /tn "portReviewp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\portReview.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3740 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Portcontaineragentmonitor\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1848 cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Portcontaineragentmonitor\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2148 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Portcontaineragentmonitor\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5768 cmdline: schtasks.exe /create /tn "HBqubJhnqe6r5WH" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows portable devices\HBqubJhnqe6r5W.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5764 cmdline: schtasks.exe /create /tn "HBqubJhnqe6r5W" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\HBqubJhnqe6r5W.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2120 cmdline: schtasks.exe /create /tn "HBqubJhnqe6r5WH" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows portable devices\HBqubJhnqe6r5W.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5296 cmdline: schtasks.exe /create /tn "xbTEghU2zpROdlx" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\xbTEghU2zpROdl.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

5EE314FAEE8C.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe" MD5: 5A5C7847D674AEAA7D53E775E96BFD28)

5EE314FAEE8C.exe (PID: 8120 cmdline: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe MD5: 0674C9FEDE7F71533E5ED926097B4491)

5EE314FAEE8C.exe (PID: 8144 cmdline: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe MD5: 0674C9FEDE7F71533E5ED926097B4491)

FyQepTQ2XQt.exe (PID: 8184 cmdline: C:\Recovery\FyQepTQ2XQt.exe MD5: 0674C9FEDE7F71533E5ED926097B4491)

FyQepTQ2XQt.exe (PID: 7264 cmdline: C:\Recovery\FyQepTQ2XQt.exe MD5: 0674C9FEDE7F71533E5ED926097B4491)

O22dzei3Iu.exe (PID: 4520 cmdline: "C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe" MD5: 0674C9FEDE7F71533E5ED926097B4491)

O22dzei3Iu.exe (PID: 7312 cmdline: "C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe" MD5: 0674C9FEDE7F71533E5ED926097B4491)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"0\":\" \",\"L\":\"|\",\"S\":\"-\",\"6\":\",\",\"9\":\"_\",\"h\":\">\",\"W\":\"$\",\"J\":\";\",\"A\":\"#\",\"n\":\"(\",\"G\":\"~\",\"z\":\"*\",\"V\":\")\",\"o\":\"@\",\"8\":\".\",\"O\":\"<\",\"M\":\"&\",\"C\":\"^\",\"X\":\"!\",\"I\":\"%\",\"4\":\"`\"}", "PCRT": "{\"B\":\"^\",\"K\":\".\",\"O\":\"*\",\"H\":\"@\",\"R\":\" \",\"0\":\")\",\"j\":\"#\",\"L\":\"`\",\"M\":\"|\",\"Z\":\";\",\"U\":\">\",\"4\":\"-\",\"X\":\"%\",\"b\":\",\",\"1\":\"$\",\"Q\":\"!\",\"F\":\"&\",\"N\":\"<\",\"h\":\"(\",\"v\":\"~\",\"g\":\"_\"}", "TAG": "", "MUTEX": "DCR_MUTEX-a3qQsYoyPuBBAG1cZ3Yz", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001A.00000002.2104364085.00000000027AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000013.00000002.2099442008.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000013.00000002.2099442008.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.1911802231.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000015.00000002.2099801328.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001F.00000002.2112368700.0000000002551000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.1920641209.0000000012B1F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001A.00000002.2104364085.0000000002771000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000017.00000002.2103314028.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.1911802231.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001C.00000002.2077794232.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: portReview.exe PID: 7808	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 5EE314FAEE8C.exe PID: 8120	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: 5EE314FAEE8C.exe PID: 8144	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: FyQepTQ2XQt.exe PID: 8184	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: FyQepTQ2XQt.exe PID: 7264	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: O22dzei3Iu.exe PID: 4520	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: O22dzei3Iu.exe PID: 7312	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Portcontaineragentmonitor\portReview.exe, ProcessId: 7808, TargetFilename: C:\Portcontaineragentmonitor\fontdrvhost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe, ParentProcessId: 7480, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe" , ProcessId: 7548, ProcessName: wscript.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-04T03:17:45.097331+0100	2034194	1	A Network Trojan was detected	192.168.2.4	49765	141.8.197.42	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: leFhB1aYaW.exe	Avira: detected
Source: leFhB1aYaW.exe	Avira: detected

Antivirus detection for dropped file

Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Portcontaineragentmonitor\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Mozilla Firefox\fonts\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\Default\OneDrive\SGPiNAyrVb.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\FyQepTQ2XQt.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Portcontaineragentmonitor\portReview.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Portable Devices\portReview.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\ssh\xbTEghU2zpROdl.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\wIlNWyXixw.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\cmd.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Portable Devices\HBqubJhnqe6r5W.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000006.00000002.1920641209.0000000012B1F000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"0\":\" \",\"L\":\"|\",\"S\":\"-\",\"6\":\",\",\"9\":\"_\",\"h\":\">\",\"W\":\"$\",\"J\":\";\",\"A\":\"#\",\"n\":\"(\",\"G\":\"~\",\"z\":\"*\",\"V\":\")\",\"o\":\"@\",\"8\":\".\",\"O\":\"<\",\"M\":\"&\",\"C\":\"^\",\"X\":\"!\",\"I\":\"%\",\"4\":\"`\"}", "PCRT": "{\"B\":\"^\",\"K\":\".\",\"O\":\"*\",\"H\":\"@\",\"R\":\" \",\"0\":\")\",\"j\":\"#\",\"L\":\"`\",\"M\":\"|\",\"Z\":\";\",\"U\":\">\",\"4\":\"-\",\"X\":\"%\",\"b\":\",\",\"1\":\"$\",\"Q\":\"!\",\"F\":\"&\",\"N\":\"<\",\"h\":\"(\",\"v\":\"~\",\"g\":\"_\"}", "TAG": "", "MUTEX": "DCR_MUTEX-a3qQsYoyPuBBAG1cZ3Yz", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	ReversingLabs: Detection: 76%
Source: C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe	ReversingLabs: Detection: 76%
Source: C:\Portcontaineragentmonitor\fontdrvhost.exe	ReversingLabs: Detection: 76%
Source: C:\Portcontaineragentmonitor\portReview.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\cmd.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files (x86)\Windows Portable Devices\HBqubJhnqe6r5W.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files\Mozilla Firefox\fonts\WmiPrvSE.exe	ReversingLabs: Detection: 76%
Source: C:\Program Files\Windows Portable Devices\portReview.exe	ReversingLabs: Detection: 76%
Source: C:\ProgramData\ssh\xbTEghU2zpROdl.exe	ReversingLabs: Detection: 76%
Source: C:\Recovery\FyQepTQ2XQt.exe	ReversingLabs: Detection: 76%
Source: C:\Users\Default\OneDrive\SGPiNAyrVb.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	ReversingLabs: Detection: 83%

Multi AV Scanner detection for submitted file

Source: leFhB1aYaW.exe	ReversingLabs: Detection: 87%
Source: leFhB1aYaW.exe	Virustotal: Detection: 82%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: leFhB1aYaW.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Internet Explorer\en-US\b61cbc651add38	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Windows Portable Devices\portReview.exe	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Windows Portable Devices\0410b3bb7eb9b8	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\WmiPrvSE.exe	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\24dbde2999530e	Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:50057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:50092 version: TLS 1.2

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: leFhB1aYaW.exe, DCRatBuild.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		1_2_0055A5F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		1_2_0056B8E0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49765 -> 141.8.197.42:80

Source: Joe Sandbox View

JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: egepefr.ru
Source: global traffic	DNS traffic detected: DNS query: pegasustour.ru

Source: portReview.exe, 00000006.00000002.1911802231.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5EE314FAEE8C.exe, 00000003.00000003.1879403016.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1799289541.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1850566849.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1829879150.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1818941431.0000000007F11000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1890420854.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1820104583.0000000007F18000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1799289541.000000000322A000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1822575746.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1864700692.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1887528546.0000000003265000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1858097517.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1822575746.00000000031ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://egepefr.ru/api/loader/ping
Source: 5EE314FAEE8C.exe, 00000003.00000003.1879403016.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1890420854.0000000003231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://egepefr.ru/api/loader/pingRetrying
Source: 5EE314FAEE8C.exe, 00000003.00000003.1887528546.0000000003265000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://egepefr.ru/api/loader/pingur.ruf2
Source: 5EE314FAEE8C.exe, 00000003.00000003.1799289541.000000000322A000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1822575746.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1847824057.0000000003265000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1822575746.00000000031ED000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.2052612230.0000000007F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pegasustour.ru/api/loader/ping
Source: 5EE314FAEE8C.exe, 00000003.00000003.1822575746.0000000003231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pegasustour.ru/api/loader/pingm32
Source: 5EE314FAEE8C.exe, 00000003.00000003.1879403016.0000000003231000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1890420854.0000000003231000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pegasustour.ru/api/loader/pingying
Source: 5EE314FAEE8C.exe, 00000003.00000003.1822575746.0000000003227000.00000004.00000020.00020000.00000000.sdmp, 5EE314FAEE8C.exe, 00000003.00000003.1829879150.0000000003227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pegasustour.ru/api/loader/pingying.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:50057 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.13.94:443 -> 192.168.2.4:50091 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.18.55.44:443 -> 192.168.2.4:50092 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: 5EE314FAEE8C.exe.0.dr	Static PE information: section name: .l{0
Source: 5EE314FAEE8C.exe.0.dr	Static PE information: section name: .$Nk
Source: 5EE314FAEE8C.exe.0.dr	Static PE information: section name: .kV-

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0055718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

1_2_0055718C

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055857B	1_2_0055857B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055407E	1_2_0055407E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0057D00E	1_2_0057D00E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_005670BF	1_2_005670BF
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00581194	1_2_00581194
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_005702F6	1_2_005702F6
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00553281	1_2_00553281
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055E2A0	1_2_0055E2A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00566646	1_2_00566646
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0057070E	1_2_0057070E
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0057473A	1_2_0057473A
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_005637C1	1_2_005637C1
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_005527E8	1_2_005527E8
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055E8A0	1_2_0055E8A0
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055F968	1_2_0055F968
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00574969	1_2_00574969
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00566A7B	1_2_00566A7B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00563A3C	1_2_00563A3C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00570B43	1_2_00570B43
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0057CB60	1_2_0057CB60
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00565C77	1_2_00565C77
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00563D6D	1_2_00563D6D
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055ED14	1_2_0055ED14
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056FDFA	1_2_0056FDFA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055DE6C	1_2_0055DE6C
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055BE13	1_2_0055BE13
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00570F78	1_2_00570F78
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_00555F3C	1_2_00555F3C
Source: C:\Portcontaineragentmonitor\portReview.exe	Code function: 6_2_00007FFD9BAB36EA	6_2_00007FFD9BAB36EA
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAAD098	19_2_00007FFD9BAAD098
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAB3878	19_2_00007FFD9BAB3878
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAB4F90	19_2_00007FFD9BAB4F90
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAA36EA	19_2_00007FFD9BAA36EA
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAB43D1	19_2_00007FFD9BAB43D1
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAAAF70	19_2_00007FFD9BAAAF70
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAA8557	19_2_00007FFD9BAA8557
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAAA138	19_2_00007FFD9BAAA138
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 21_2_00007FFD9BAA36EA	21_2_00007FFD9BAA36EA
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 21_2_00007FFD9BAAA495	21_2_00007FFD9BAAA495
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 21_2_00007FFD9BAAB0B0	21_2_00007FFD9BAAB0B0
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 23_2_00007FFD9BAC36EA	23_2_00007FFD9BAC36EA
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BAA3878	26_2_00007FFD9BAA3878
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BA9B0D0	26_2_00007FFD9BA9B0D0
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BAA4F90	26_2_00007FFD9BAA4F90
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BA936EA	26_2_00007FFD9BA936EA
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BAA43D1	26_2_00007FFD9BAA43D1
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BA9AF70	26_2_00007FFD9BA9AF70
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BA98557	26_2_00007FFD9BA98557
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BA9A138	26_2_00007FFD9BA9A138
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Code function: 28_2_00007FFD9BAB36EA	28_2_00007FFD9BAB36EA
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Code function: 31_2_00007FFD9BAA36EA	31_2_00007FFD9BAA36EA
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Code function: 31_2_00007FFD9BAAA495	31_2_00007FFD9BAAA495
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Code function: 31_2_00007FFD9BAAB0B0	31_2_00007FFD9BAAB0B0

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 0056E360 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 0056E28C appears 35 times
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: String function: 0056ED00 appears 31 times

Source: leFhB1aYaW.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: leFhB1aYaW.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: portReview.exe.1.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: leFhB1aYaW.exe, 00000000.00000003.1722730142.0000000003633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs leFhB1aYaW.exe
Source: leFhB1aYaW.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs leFhB1aYaW.exe

Source: leFhB1aYaW.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@48/36@2/3

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_00556EC9 GetLastError,FormatMessageW,

1_2_00556EC9

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_00569E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

1_2_00569E1C

Source: C:\Portcontaineragentmonitor\portReview.exe

File created: C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe

Jump to behavior

Source: C:\Portcontaineragentmonitor\portReview.exe

File created: C:\Users\Default User\OneDrive\SGPiNAyrVb.exe

Jump to behavior

Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Portcontaineragentmonitor\portReview.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\9935c40a2536597bb5bee2db73046e847aa8c086

Source: C:\Users\user\Desktop\leFhB1aYaW.exe

File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Portcontaineragentmonitor\AQ3gfQ1W.bat" "

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxname	1_2_0056D5D4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: sfxstime	1_2_0056D5D4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: STARTDLG	1_2_0056D5D4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Command line argument: xjZ	1_2_0056D5D4

Source: leFhB1aYaW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%

Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\leFhB1aYaW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\leFhB1aYaW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: leFhB1aYaW.exe	ReversingLabs: Detection: 87%
Source: leFhB1aYaW.exe	Virustotal: Detection: 82%

Source: unknown	Process created: C:\Users\user\Desktop\leFhB1aYaW.exe "C:\Users\user\Desktop\leFhB1aYaW.exe"
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe"
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Process created: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe "C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Portcontaineragentmonitor\AQ3gfQ1W.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Portcontaineragentmonitor\portReview.exe "C:\Portcontaineragentmonitor\portReview.exe"
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "O22dzei3IuO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe'" /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "O22dzei3Iu" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "O22dzei3IuO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FyQepTQ2XQtF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FyQepTQ2XQt.exe'" /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FyQepTQ2XQt" /sc ONLOGON /tr "'C:\Recovery\FyQepTQ2XQt.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "FyQepTQ2XQtF" /sc MINUTE /mo 14 /tr "'C:\Recovery\FyQepTQ2XQt.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "5EE314FAEE8C5" /sc MINUTE /mo 13 /tr "'C:\Portcontaineragentmonitor\5EE314FAEE8C.exe'" /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "5EE314FAEE8C" /sc ONLOGON /tr "'C:\Portcontaineragentmonitor\5EE314FAEE8C.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "5EE314FAEE8C5" /sc MINUTE /mo 9 /tr "'C:\Portcontaineragentmonitor\5EE314FAEE8C.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "7IAGP0ksz77" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe'" /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "7IAGP0ksz7" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe C:\Portcontaineragentmonitor\5EE314FAEE8C.exe
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "7IAGP0ksz77" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe C:\Portcontaineragentmonitor\5EE314FAEE8C.exe
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SGPiNAyrVbS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OneDrive\SGPiNAyrVb.exe'" /f
Source: unknown	Process created: C:\Recovery\FyQepTQ2XQt.exe C:\Recovery\FyQepTQ2XQt.exe
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SGPiNAyrVb" /sc ONLOGON /tr "'C:\Users\Default User\OneDrive\SGPiNAyrVb.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SGPiNAyrVbS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OneDrive\SGPiNAyrVb.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\FyQepTQ2XQt.exe C:\Recovery\FyQepTQ2XQt.exe
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TjX1QjrI08PnT" /sc MINUTE /mo 8 /tr "'C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe'" /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe "C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe"
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TjX1QjrI08Pn" /sc ONLOGON /tr "'C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TjX1QjrI08PnT" /sc MINUTE /mo 7 /tr "'C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe "C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe"
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "portReviewp" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\portReview.exe'" /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "portReview" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\portReview.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "portReviewp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\portReview.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Portcontaineragentmonitor\fontdrvhost.exe'" /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Portcontaineragentmonitor\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Portcontaineragentmonitor\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HBqubJhnqe6r5WH" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows portable devices\HBqubJhnqe6r5W.exe'" /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HBqubJhnqe6r5W" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\HBqubJhnqe6r5W.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HBqubJhnqe6r5WH" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windows portable devices\HBqubJhnqe6r5W.exe'" /rl HIGHEST /f
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "xbTEghU2zpROdlx" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\xbTEghU2zpROdl.exe'" /f
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Process created: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe "C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Portcontaineragentmonitor\AQ3gfQ1W.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Portcontaineragentmonitor\portReview.exe "C:\Portcontaineragentmonitor\portReview.exe"	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: mscoree.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: apphelp.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: kernel.appcore.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: version.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: uxtheme.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: windows.storage.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: wldp.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: profapi.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: cryptsp.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: rsaenh.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: cryptbase.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: mscoree.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: kernel.appcore.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: version.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: uxtheme.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: windows.storage.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: wldp.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: profapi.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: cryptsp.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: rsaenh.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: cryptbase.dll
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: apphelp.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: version.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: wldp.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: profapi.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: mscoree.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: version.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: wldp.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: profapi.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\FyQepTQ2XQt.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\leFhB1aYaW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Internet Explorer\en-US\b61cbc651add38	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Windows Portable Devices\portReview.exe	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Windows Portable Devices\0410b3bb7eb9b8	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\WmiPrvSE.exe	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Directory created: C:\Program Files\Mozilla Firefox\fonts\24dbde2999530e	Jump to behavior

Source: leFhB1aYaW.exe

Static file information: File size 22760448 > 1048576

Source: leFhB1aYaW.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x15b2a00

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: leFhB1aYaW.exe, DCRatBuild.exe.0.dr

Source: initial sample

Static PE information: section where entry point is pointing to: .kV-

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

File created: C:\Portcontaineragentmonitor\__tmp_rar_sfx_access_check_4919484

Jump to behavior

Source: DCRatBuild.exe.0.dr	Static PE information: section name: .didat
Source: 5EE314FAEE8C.exe.0.dr	Static PE information: section name: .l{0
Source: 5EE314FAEE8C.exe.0.dr	Static PE information: section name: .$Nk
Source: 5EE314FAEE8C.exe.0.dr	Static PE information: section name: .kV-

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056E28C push eax; ret	1_2_0056E2AA
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056ED46 push ecx; ret	1_2_0056ED59
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 19_2_00007FFD9BAB1B49 push ebx; retf	19_2_00007FFD9BAB1B4A
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Code function: 21_2_00007FFD9BAB1B49 push ebx; retf	21_2_00007FFD9BAB1B4A
Source: C:\Recovery\FyQepTQ2XQt.exe	Code function: 26_2_00007FFD9BAA1B49 push ebx; retf	26_2_00007FFD9BAA1B4A
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Code function: 28_2_00007FFD9BAC1B49 push ebx; retf	28_2_00007FFD9BAC1B4A
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Code function: 31_2_00007FFD9BAB1B49 push ebx; retf	31_2_00007FFD9BAB1B4A

Source: portReview.exe.1.dr

Static PE information: section name: .text entropy: 6.880099545638984

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Portcontaineragentmonitor\portReview.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executable to a common third party application directory

Source: C:\Portcontaineragentmonitor\portReview.exe	File written: C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe			Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	File written: C:\Program Files\Mozilla Firefox\fonts\WmiPrvSE.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	File created: C:\Portcontaineragentmonitor\portReview.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\cmd.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Program Files\Internet Explorer\en-US\7IAGP0ksz7.exe	Jump to dropped file
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	File created: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Program Files (x86)\Windows Portable Devices\HBqubJhnqe6r5W.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Program Files\Windows Portable Devices\portReview.exe	Jump to dropped file
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	File created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Portcontaineragentmonitor\fontdrvhost.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Recovery\FyQepTQ2XQt.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Program Files\Mozilla Firefox\fonts\WmiPrvSE.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Users\Default\OneDrive\SGPiNAyrVb.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Portcontaineragentmonitor\TjX1QjrI08Pn.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\ProgramData\ssh\xbTEghU2zpROdl.exe	Jump to dropped file
Source: C:\Portcontaineragentmonitor\portReview.exe	File created: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Jump to dropped file

Source: C:\Portcontaineragentmonitor\portReview.exe

File created: C:\ProgramData\ssh\xbTEghU2zpROdl.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Portcontaineragentmonitor\portReview.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "O22dzei3IuO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows portable devices\O22dzei3Iu.exe'" /f

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Memory written: PID: 7572 base: 3160005 value: E9 8B 2F DA 73			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Memory written: PID: 7572 base: 76F02F90 value: E9 7A D0 25 8C			Jump to behavior

Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\FyQepTQ2XQt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 2FAD2DB
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 2FC9033
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 1CB292C
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 1D2137B
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 2C8EA2C
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 2E85D31
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 1F04266
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 2E14959
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 1D2D652
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 3058E6C
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 1C5F30E
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	API/Special instruction interceptor: Address: 1D0160B

Source: C:\Portcontaineragentmonitor\portReview.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Memory allocated: 10E0000 memory reserve \| memory write watch
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Memory allocated: 1AC20000 memory reserve \| memory write watch
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Memory allocated: A20000 memory reserve \| memory write watch
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Memory allocated: 1A3C0000 memory reserve \| memory write watch
Source: C:\Recovery\FyQepTQ2XQt.exe	Memory allocated: 1490000 memory reserve \| memory write watch
Source: C:\Recovery\FyQepTQ2XQt.exe	Memory allocated: 1B0D0000 memory reserve \| memory write watch
Source: C:\Recovery\FyQepTQ2XQt.exe	Memory allocated: CB0000 memory reserve \| memory write watch
Source: C:\Recovery\FyQepTQ2XQt.exe	Memory allocated: 1A770000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Memory allocated: 1AC60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Memory allocated: 8A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Memory allocated: 1A550000 memory reserve \| memory write watch

Source: C:\Portcontaineragentmonitor\portReview.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Thread delayed: delay time: 922337203685477
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\FyQepTQ2XQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\FyQepTQ2XQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Window / User API: threadDelayed 6178	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Window / User API: foregroundWindowGot 879	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Window / User API: foregroundWindowGot 869	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Window / User API: threadDelayed 786	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Window / User API: threadDelayed 518	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Window / User API: threadDelayed 363
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Window / User API: threadDelayed 364
Source: C:\Recovery\FyQepTQ2XQt.exe	Window / User API: threadDelayed 363
Source: C:\Recovery\FyQepTQ2XQt.exe	Window / User API: threadDelayed 368
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Window / User API: threadDelayed 362

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_1-22902

Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe TID: 7616	Thread sleep time: -61780s >= -30000s	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe TID: 7872	Thread sleep count: 786 > 30	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe TID: 7864	Thread sleep count: 518 > 30	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe TID: 7848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe TID: 3164	Thread sleep count: 363 > 30
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe TID: 3128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe TID: 7540	Thread sleep count: 364 > 30
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe TID: 7948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\FyQepTQ2XQt.exe TID: 6420	Thread sleep count: 363 > 30
Source: C:\Recovery\FyQepTQ2XQt.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\FyQepTQ2XQt.exe TID: 7536	Thread sleep count: 368 > 30
Source: C:\Recovery\FyQepTQ2XQt.exe TID: 3512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe TID: 7340	Thread sleep count: 362 > 30
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe TID: 6024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe TID: 8460	Thread sleep count: 299 > 30
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe TID: 8248	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe

Thread sleep count: Count: 6178 delay: -10

Jump to behavior

Source: C:\Portcontaineragentmonitor\portReview.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\FyQepTQ2XQt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\FyQepTQ2XQt.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0055A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		1_2_0055A5F4
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		1_2_0056B8E0

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0056DD72 VirtualQuery,GetSystemInfo,

1_2_0056DD72

Source: C:\Portcontaineragentmonitor\portReview.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Thread delayed: delay time: 922337203685477
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\FyQepTQ2XQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\FyQepTQ2XQt.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Thread delayed: delay time: 922337203685477

Source: wscript.exe, 00000002.00000002.1839550554.00000000034A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: portReview.exe, 00000006.00000002.1951801870.000000001B93A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

API call chain: ExitProcess graph end node

graph_1-23245

Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0057866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0057866F

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0057753D mov eax, dword ptr fs:[00000030h]

1_2_0057753D

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0057B710 GetProcessHeap,

1_2_0057B710

Source: C:\Portcontaineragentmonitor\portReview.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process token adjusted: Debug
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Process token adjusted: Debug
Source: C:\Recovery\FyQepTQ2XQt.exe	Process token adjusted: Debug
Source: C:\Recovery\FyQepTQ2XQt.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056F063 SetUnhandledExceptionFilter,	1_2_0056F063
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0056F22B
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0057866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0057866F
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Code function: 1_2_0056EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0056EF05

Source: C:\Portcontaineragentmonitor\portReview.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Process created: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe "C:\Users\user\AppData\Local\Temp\DCRatBuild.exe"	Jump to behavior
Source: C:\Users\user\Desktop\leFhB1aYaW.exe	Process created: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe "C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Portcontaineragentmonitor\hNBH1JM8Dw5h0F0L8eQ7zHbW.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Portcontaineragentmonitor\AQ3gfQ1W.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Portcontaineragentmonitor\portReview.exe "C:\Portcontaineragentmonitor\portReview.exe"	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0056ED5B cpuid

1_2_0056ED5B

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

1_2_0056A63C

Source: C:\Users\user\AppData\Local\Temp\5EE314FAEE8C.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Queries volume information: C:\Portcontaineragentmonitor\portReview.exe VolumeInformation	Jump to behavior
Source: C:\Portcontaineragentmonitor\portReview.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Queries volume information: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe VolumeInformation
Source: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe	Queries volume information: C:\Portcontaineragentmonitor\5EE314FAEE8C.exe VolumeInformation
Source: C:\Recovery\FyQepTQ2XQt.exe	Queries volume information: C:\Recovery\FyQepTQ2XQt.exe VolumeInformation
Source: C:\Recovery\FyQepTQ2XQt.exe	Queries volume information: C:\Recovery\FyQepTQ2XQt.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe	Queries volume information: C:\Program Files (x86)\Windows Portable Devices\O22dzei3Iu.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0056D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

1_2_0056D5D4

Source: C:\Users\user\AppData\Local\Temp\DCRatBuild.exe

Code function: 1_2_0055ACF5 GetVersionExW,

1_2_0055ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001A.00000002.2104364085.00000000027AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2099442008.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2099442008.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1911802231.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2099801328.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2112368700.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1920641209.0000000012B1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2104364085.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2103314028.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1911802231.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2077794232.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: portReview.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5EE314FAEE8C.exe PID: 8120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5EE314FAEE8C.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FyQepTQ2XQt.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FyQepTQ2XQt.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: O22dzei3Iu.exe PID: 4520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: O22dzei3Iu.exe PID: 7312, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001A.00000002.2104364085.00000000027AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2099442008.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2099442008.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1911802231.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2099801328.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2112368700.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1920641209.0000000012B1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2104364085.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2103314028.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1911802231.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2077794232.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: portReview.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5EE314FAEE8C.exe PID: 8120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 5EE314FAEE8C.exe PID: 8144, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FyQepTQ2XQt.exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FyQepTQ2XQt.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: O22dzei3Iu.exe PID: 4520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: O22dzei3Iu.exe PID: 7312, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	13 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	Login Hook	11 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	137 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report leFhB1aYaW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
leFhB1aYaW.exe