dcrat | b95be0f98df652640e019ce8bc06dc4999399305834f1b75e981dd7c5a1c0423

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2022 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
Size

2.0MB
MD5

fc9ea28a3c3659c4200e442d20198458
SHA1

79ede873cd08d5941e54524dd85b5add0a79bd7c
SHA256

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0
SHA512

c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17
SSDEEP

49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3932	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
C:\agentBrowsersavesRefBroker\SurrogateDll.exe	dcrat
behavioral2/memory/448-139-0x0000000000140000-0x0000000000300000-memory.dmp	dcrat
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe	dcrat
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe	dcrat
behavioral2/memory/4356-209-0x0000000000210000-0x00000000003D0000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts SurrogateDll.exe
Executes dropped EXE 2 IoCs

Processes:

SurrogateDll.execmd.exe

pid process

448 SurrogateDll.exe
4356 cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exeWScript.exeSurrogateDll.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SurrogateDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 20 IoCs

Processes:

SurrogateDll.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\upfc.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9DA1.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9F38.tmp	SurrogateDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ebf1f9fa8afd6d	SurrogateDll.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX8275.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\RCX91A2.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX9520.tmp	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\c5b4cb5e9653cc	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	SurrogateDll.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX8303.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\RCX9220.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX94A2.tmp	SurrogateDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\upfc.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\ea1d8f6d871115	SurrogateDll.exe

Drops file in Windows directory 5 IoCs

Processes:

SurrogateDll.exe

description	ioc	process
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SearchApp.exe	SurrogateDll.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SearchApp.exe	SurrogateDll.exe
File created	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\38384e6a620884	SurrogateDll.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RCX9AA1.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\schemas\CodeIntegrity\ExamplePolicies\RCX9B1F.tmp	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4164	schtasks.exe
2404	schtasks.exe
4300	schtasks.exe
1652	schtasks.exe
1016	schtasks.exe
364	schtasks.exe
4832	schtasks.exe
4032	schtasks.exe
4668	schtasks.exe
4636	schtasks.exe
3168	schtasks.exe
3980	schtasks.exe
3756	schtasks.exe
4284	schtasks.exe
2448	schtasks.exe
1300	schtasks.exe
2040	schtasks.exe
4876	schtasks.exe
4736	schtasks.exe
3948	schtasks.exe
4828	schtasks.exe
1336	schtasks.exe
4664	schtasks.exe
4912	schtasks.exe
2420	schtasks.exe
4160	schtasks.exe
3820	schtasks.exe
4324	schtasks.exe
3748	schtasks.exe
1216	schtasks.exe
1084	schtasks.exe
4404	schtasks.exe
208	schtasks.exe

Modifies registry class 3 IoCs

Processes:

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exeSurrogateDll.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	SurrogateDll.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
1080	powershell.exe
4908	powershell.exe
4904	powershell.exe
4904	powershell.exe
3360	powershell.exe
3360	powershell.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
448	SurrogateDll.exe
540	powershell.exe
540	powershell.exe
3580	powershell.exe
3580	powershell.exe
4484	powershell.exe
4484	powershell.exe
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	448	SurrogateDll.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	3360	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	4356	cmd.exe
Token: SeBackupPrivilege	4576	vssvc.exe
Token: SeRestorePrivilege	4576	vssvc.exe
Token: SeAuditPrivilege	4576	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cmd.exe

pid process

4356 cmd.exe

pid	process
4356	cmd.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exeWScript.execmd.exeSurrogateDll.execmd.execmd.exe

description	pid	process	target process
PID 4988 wrote to memory of 1896	4988	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	WScript.exe
PID 4988 wrote to memory of 1896	4988	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	WScript.exe
PID 4988 wrote to memory of 1896	4988	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	WScript.exe
PID 1896 wrote to memory of 2248	1896	WScript.exe	cmd.exe
PID 1896 wrote to memory of 2248	1896	WScript.exe	cmd.exe
PID 1896 wrote to memory of 2248	1896	WScript.exe	cmd.exe
PID 2248 wrote to memory of 448	2248	cmd.exe	SurrogateDll.exe
PID 2248 wrote to memory of 448	2248	cmd.exe	SurrogateDll.exe
PID 448 wrote to memory of 4908	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4908	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4904	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4904	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 1080	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 1080	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 540	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 540	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3360	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3360	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3580	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3580	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 2848	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 2848	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3936	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3936	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4484	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4484	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 756	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 756	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 1680	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 1680	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4468	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4468	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3128	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 3128	448	SurrogateDll.exe	powershell.exe
PID 448 wrote to memory of 4568	448	SurrogateDll.exe	cmd.exe
PID 448 wrote to memory of 4568	448	SurrogateDll.exe	cmd.exe
PID 4568 wrote to memory of 4364	4568	cmd.exe	w32tm.exe
PID 4568 wrote to memory of 4364	4568	cmd.exe	w32tm.exe
PID 4568 wrote to memory of 4356	4568	cmd.exe	cmd.exe
PID 4568 wrote to memory of 4356	4568	cmd.exe	cmd.exe
PID 4356 wrote to memory of 2900	4356	cmd.exe	WScript.exe
PID 4356 wrote to memory of 2900	4356	cmd.exe	WScript.exe
PID 4356 wrote to memory of 2488	4356	cmd.exe	WScript.exe
PID 4356 wrote to memory of 2488	4356	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
"C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2kvMhQbIai.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4364
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d72e5cb-a55d-4e14-aa95-f6ced75a129e.vbs"
        7⤵
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a92c7b47-142b-491a-bb86-dcfad9591404.vbs"
        7⤵
        
        PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\agentBrowsersavesRefBroker\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\agentBrowsersavesRefBroker\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe

Filesize
1.7MB

MD5
cbb79b68a7874b40daa9f1e524498392

SHA1
f1a22fff925a07b7a01d1060f31909bbaaf91057

SHA256
20566bed4620216878568eb6fcaa47214568136163e4ad3cb76b21c44253e2b7

SHA512
ac2b45c8594ebb8f4fa4ae3b48957b43eba2a6ba58b3c2b1a00883b477b7beae6ecaadc828e4447f7e7f9f4ed8589764a9d84ed40685ac18ef6123d494517de4

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cmd.exe

Filesize
1.7MB

MD5
cbb79b68a7874b40daa9f1e524498392

SHA1
f1a22fff925a07b7a01d1060f31909bbaaf91057

SHA256
20566bed4620216878568eb6fcaa47214568136163e4ad3cb76b21c44253e2b7

SHA512
ac2b45c8594ebb8f4fa4ae3b48957b43eba2a6ba58b3c2b1a00883b477b7beae6ecaadc828e4447f7e7f9f4ed8589764a9d84ed40685ac18ef6123d494517de4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0b9e8156d5e7e613f1e699f60680343e

SHA1
40e8c73a2f940a29204530e0abede7a379b16fc8

SHA256
a0e15c06ae789ebf73669855171453311252c1713afa0953cb448707bd60889a

SHA512
d1f33cf07389c57f371d39d88353e548eac83fd6356f570507594202ec1a24f491cc4375288424194ca9e841d225adb65444297fca9884f02eefa9ad50bbc036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d72e5cb-a55d-4e14-aa95-f6ced75a129e.vbs

Filesize
746B

MD5
c1753168b5e41cbc67f507314f7aa7fd

SHA1
e2a7c0979c993f1bbe3f05b96b75e889743fa722

SHA256
ad6df1ddabefda39c04a74d9b7b6cc9b72d54cb67423759008294ea61b8135bf

SHA512
93b2e78b028f61fd7996819f64c3984d8a2bbc8bbe70b4acba22f146a60d8ddb4cd651980a3912d4a0959b6d4b613df9a55eae4d192b109a874403fe122a5316

Download Submit
C:\Users\Admin\AppData\Local\Temp\2kvMhQbIai.bat

Filesize
235B

MD5
759b891c67d7321f1365c7f60e5b2437

SHA1
f017a366a2ae1821a6c3f0a7e39c6d328bdc2a9a

SHA256
2c6aaaa25bc7de0b025f9685cfe5af0c157066237b31d93945ccc75af2d44c7d

SHA512
544657c180bc07e584d4bac0701a50cd3b391798531a26c863deadbdb9b2e4fdc1bde0f085c95a2982dafa0ac0740ea9b04d658974bc1da9cb6b023eeda73502

Download Submit
C:\Users\Admin\AppData\Local\Temp\a92c7b47-142b-491a-bb86-dcfad9591404.vbs

Filesize
522B

MD5
18371822452d8958ab31c2744116e9eb

SHA1
4e023f2cae516b15ff05cccc25135ea03cde5d16

SHA256
0fb58df9336a8fbf84c4b1a1d99dc2ff839ba87d7f31b4d16087aeacc00c5651

SHA512
c6a117079acaf85cedca3b64514b6f451caa2db2d06d5869cc07af463739074db66fc28320d1a239f829c16a96911c6aa6c631b845f1505f45a321c63a00cdda

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe

Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
memory/448-139-0x0000000000140000-0x0000000000300000-memory.dmp

Filesize
1.8MB

Download
memory/448-136-0x0000000000000000-mapping.dmp

Download
memory/448-140-0x0000000000C70000-0x0000000000CC0000-memory.dmp

Filesize
320KB

Download
memory/448-144-0x000000001D360000-0x000000001D364000-memory.dmp

Filesize
16KB

Download
memory/448-141-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/448-160-0x000000001AFF9000-0x000000001AFFF000-memory.dmp

Filesize
24KB

Download
memory/448-167-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/448-142-0x000000001C6F0000-0x000000001CC18000-memory.dmp

Filesize
5.2MB

Download
memory/448-143-0x000000001AFF9000-0x000000001AFFF000-memory.dmp

Filesize
24KB

Download
memory/448-168-0x000000001D367000-0x000000001D36A000-memory.dmp

Filesize
12KB

Download
memory/448-146-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/448-145-0x000000001D364000-0x000000001D367000-memory.dmp

Filesize
12KB

Download
memory/540-150-0x0000000000000000-mapping.dmp

Download
memory/540-170-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/540-196-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/756-200-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/756-173-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/756-156-0x0000000000000000-mapping.dmp

Download
memory/1080-163-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/1080-159-0x0000020DA0210000-0x0000020DA0232000-memory.dmp

Filesize
136KB

Download
memory/1080-180-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/1080-149-0x0000000000000000-mapping.dmp

Download
memory/1680-157-0x0000000000000000-mapping.dmp

Download
memory/1680-187-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/1680-179-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/1896-132-0x0000000000000000-mapping.dmp

Download
memory/2248-135-0x0000000000000000-mapping.dmp

Download
memory/2488-214-0x0000000000000000-mapping.dmp

Download
memory/2848-202-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/2848-178-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/2848-153-0x0000000000000000-mapping.dmp

Download
memory/2900-213-0x0000000000000000-mapping.dmp

Download
memory/3128-175-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/3128-205-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/3128-161-0x0000000000000000-mapping.dmp

Download
memory/3360-166-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/3360-151-0x0000000000000000-mapping.dmp

Download
memory/3360-186-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/3580-152-0x0000000000000000-mapping.dmp

Download
memory/3580-197-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/3580-169-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/3936-154-0x0000000000000000-mapping.dmp

Download
memory/3936-171-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/3936-199-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4356-220-0x0000000000B09000-0x0000000000B0F000-memory.dmp

Filesize
24KB

Download
memory/4356-222-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-212-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-218-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-226-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-225-0x0000000000B07000-0x0000000000B0E000-memory.dmp

Filesize
28KB

Download
memory/4356-224-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-223-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-206-0x0000000000000000-mapping.dmp

Download
memory/4356-217-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-221-0x000000001C0E0000-0x000000001C608000-memory.dmp

Filesize
5.2MB

Download
memory/4356-209-0x0000000000210000-0x00000000003D0000-memory.dmp

Filesize
1.8MB

Download
memory/4356-210-0x00007FFEE8F30000-0x00007FFEE99F1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-211-0x0000000000B09000-0x0000000000B0F000-memory.dmp

Filesize
24KB

Download
memory/4356-227-0x0000000000B07000-0x0000000000B0E000-memory.dmp

Filesize
28KB

Download
memory/4356-219-0x00007FFEE8F30000-0x00007FFEE99F1000-memory.dmp

Filesize
10.8MB

Download
memory/4364-177-0x0000000000000000-mapping.dmp

Download
memory/4468-158-0x0000000000000000-mapping.dmp

Download
memory/4468-174-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4468-203-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4484-172-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4484-155-0x0000000000000000-mapping.dmp

Download
memory/4484-192-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4568-164-0x0000000000000000-mapping.dmp

Download
memory/4904-148-0x0000000000000000-mapping.dmp

Download
memory/4904-188-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4904-165-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4908-162-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download
memory/4908-147-0x0000000000000000-mapping.dmp

Download
memory/4908-190-0x00007FFEE8FA0000-0x00007FFEE9A61000-memory.dmp

Filesize
10.8MB

Download