dcrat | b2629e2580c4e27c632d0517771a61d3ca9e1e4c6725f4ea5d48a102da4c043c

Analysis

max time kernel
85s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
Size

7.8MB
MD5

09e9cefb358c55b03e898488f8d052df
SHA1

4e8a3b17d01b386e0e1442ae05d885168c1206e4
SHA256

c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77
SHA512

8f80435e4f5e82465a98327c915c689ad97b66e822397b82d0b70e9d45d4158c373b33b92cb06cfefc4068e156ac0aa7012ade22b07552cbe911e41b6a44fa59
SSDEEP

196608:W5YhQECsXDjpf3ZkJMFEAJX8JvC/UcwCK:8YhQECENZkcJVw

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4972	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4972	schtasks.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\main.exe	dcrat
C:\main.exe	dcrat
C:\main1.exe	dcrat
C:\main1.exe	dcrat
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe	dcrat
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe	dcrat
behavioral2/memory/4492-162-0x0000000000F80000-0x00000000010D2000-memory.dmp	dcrat
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe	dcrat
C:\Program Files (x86)\Windows Mail\csrss.exe	dcrat
C:\Program Files (x86)\Windows Mail\csrss.exe	dcrat

Executes dropped EXE 5 IoCs

Processes:

main.exemain1.exeAgentbrokerhost.exeAgentbrokerhost.execsrss.exe

pid process

1680 main.exe
1380 main1.exe
4492 Agentbrokerhost.exe
4264 Agentbrokerhost.exe
1160 csrss.exe

pid	process
1680	main.exe
1380	main1.exe
4492	Agentbrokerhost.exe
4264	Agentbrokerhost.exe
1160	csrss.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

main.exemain1.exeWScript.exeWScript.exeAgentbrokerhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	main1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Agentbrokerhost.exe

Loads dropped DLL 4 IoCs

Processes:

c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe

pid	process
1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe

Drops file in Program Files directory 9 IoCs

Processes:

Agentbrokerhost.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe	Agentbrokerhost.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\OfficeClickToRun.exe	Agentbrokerhost.exe
File created	C:\Program Files\Common Files\microsoft shared\4d54b1c88a4dbc	Agentbrokerhost.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	Agentbrokerhost.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe	Agentbrokerhost.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e	Agentbrokerhost.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\e6c9b481da804f	Agentbrokerhost.exe
File created	C:\Program Files\Common Files\microsoft shared\Agentbrokerhost.exe	Agentbrokerhost.exe
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	Agentbrokerhost.exe

Drops file in Windows directory 2 IoCs

Processes:

Agentbrokerhost.exe

description ioc process

File created C:\Windows\ja-JP\winlogon.exe Agentbrokerhost.exe
File created C:\Windows\ja-JP\cc11b995f2a76d Agentbrokerhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\ja-JP\winlogon.exe	Agentbrokerhost.exe
File created	C:\Windows\ja-JP\cc11b995f2a76d	Agentbrokerhost.exe

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2064	schtasks.exe
4620	schtasks.exe
1308	schtasks.exe
4168	schtasks.exe
4852	schtasks.exe
3920	schtasks.exe
2032	schtasks.exe
2140	schtasks.exe
4344	schtasks.exe
3772	schtasks.exe
1804	schtasks.exe
1936	schtasks.exe
3388	schtasks.exe
3824	schtasks.exe
2424	schtasks.exe
1336	schtasks.exe
2224	schtasks.exe
3796	schtasks.exe
4712	schtasks.exe
2128	schtasks.exe
1224	schtasks.exe
1288	schtasks.exe
5084	schtasks.exe
996	schtasks.exe
5112	schtasks.exe
4788	schtasks.exe
3996	schtasks.exe
916	schtasks.exe
2624	schtasks.exe
2416	schtasks.exe
4152	schtasks.exe
3292	schtasks.exe
3496	schtasks.exe
1244	schtasks.exe
1472	schtasks.exe
2976	schtasks.exe
4128	schtasks.exe
3148	schtasks.exe
4648	schtasks.exe
3616	schtasks.exe
4036	schtasks.exe
2444	schtasks.exe
3976	schtasks.exe
4980	schtasks.exe
1964	schtasks.exe
1392	schtasks.exe
4572	schtasks.exe
4040	schtasks.exe
4172	schtasks.exe
2352	schtasks.exe
2304	schtasks.exe

Modifies registry class 3 IoCs

Processes:

main.exemain1.exeAgentbrokerhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	main.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	main1.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	Agentbrokerhost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

Agentbrokerhost.execsrss.exe

pid	process
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
4492	Agentbrokerhost.exe
1160	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Agentbrokerhost.exeAgentbrokerhost.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4492	Agentbrokerhost.exe
Token: SeDebugPrivilege	4264	Agentbrokerhost.exe
Token: SeDebugPrivilege	1160	csrss.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exec98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.execmd.exemain.execmd.exemain1.exeWScript.execmd.exeWScript.execmd.exeAgentbrokerhost.execmd.exe

description	pid	process	target process
PID 4536 wrote to memory of 1232	4536	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
PID 4536 wrote to memory of 1232	4536	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
PID 1232 wrote to memory of 1244	1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe	cmd.exe
PID 1232 wrote to memory of 1244	1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe	cmd.exe
PID 1244 wrote to memory of 1680	1244	cmd.exe	main.exe
PID 1244 wrote to memory of 1680	1244	cmd.exe	main.exe
PID 1244 wrote to memory of 1680	1244	cmd.exe	main.exe
PID 1680 wrote to memory of 3100	1680	main.exe	WScript.exe
PID 1680 wrote to memory of 3100	1680	main.exe	WScript.exe
PID 1680 wrote to memory of 3100	1680	main.exe	WScript.exe
PID 1680 wrote to memory of 1096	1680	main.exe	WScript.exe
PID 1680 wrote to memory of 1096	1680	main.exe	WScript.exe
PID 1680 wrote to memory of 1096	1680	main.exe	WScript.exe
PID 1232 wrote to memory of 204	1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe	cmd.exe
PID 1232 wrote to memory of 204	1232	c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe	cmd.exe
PID 204 wrote to memory of 1380	204	cmd.exe	main1.exe
PID 204 wrote to memory of 1380	204	cmd.exe	main1.exe
PID 204 wrote to memory of 1380	204	cmd.exe	main1.exe
PID 1380 wrote to memory of 3868	1380	main1.exe	WScript.exe
PID 1380 wrote to memory of 3868	1380	main1.exe	WScript.exe
PID 1380 wrote to memory of 3868	1380	main1.exe	WScript.exe
PID 1380 wrote to memory of 3456	1380	main1.exe	WScript.exe
PID 1380 wrote to memory of 3456	1380	main1.exe	WScript.exe
PID 1380 wrote to memory of 3456	1380	main1.exe	WScript.exe
PID 3100 wrote to memory of 4716	3100	WScript.exe	cmd.exe
PID 3100 wrote to memory of 4716	3100	WScript.exe	cmd.exe
PID 3100 wrote to memory of 4716	3100	WScript.exe	cmd.exe
PID 4716 wrote to memory of 4492	4716	cmd.exe	Agentbrokerhost.exe
PID 4716 wrote to memory of 4492	4716	cmd.exe	Agentbrokerhost.exe
PID 3868 wrote to memory of 3548	3868	WScript.exe	cmd.exe
PID 3868 wrote to memory of 3548	3868	WScript.exe	cmd.exe
PID 3868 wrote to memory of 3548	3868	WScript.exe	cmd.exe
PID 3548 wrote to memory of 4264	3548	cmd.exe	Agentbrokerhost.exe
PID 3548 wrote to memory of 4264	3548	cmd.exe	Agentbrokerhost.exe
PID 4492 wrote to memory of 4940	4492	Agentbrokerhost.exe	cmd.exe
PID 4492 wrote to memory of 4940	4492	Agentbrokerhost.exe	cmd.exe
PID 4940 wrote to memory of 4372	4940	cmd.exe	w32tm.exe
PID 4940 wrote to memory of 4372	4940	cmd.exe	w32tm.exe
PID 4940 wrote to memory of 1160	4940	cmd.exe	csrss.exe
PID 4940 wrote to memory of 1160	4940	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
"C:\Users\Admin\AppData\Local\Temp\c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe
"C:\Users\Admin\AppData\Local\Temp\c98e35ff05689705117dbb7e36e58f1237f08df30637132d6e2106db1bddff77.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\\main.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\main.exe
C:\\main.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hyperReviewsvc\tSkbM8Kgd45HNZU2lIsTAW.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\hyperReviewsvc\ds6dhr0GsXgFgRJynyVxU1.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe
"C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3PEIhcmHNi.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4372

C:\Program Files (x86)\Windows Mail\csrss.exe
"C:\Program Files (x86)\Windows Mail\csrss.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hyperReviewsvc\file.vbs"
5⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\\main1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\main1.exe
C:\\main1.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hyperReviewsvc\tSkbM8Kgd45HNZU2lIsTAW.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\hyperReviewsvc\ds6dhr0GsXgFgRJynyVxU1.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe
"C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hyperReviewsvc\file.vbs"
5⤵
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\images\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\lib\images\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\images\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentbrokerhostA" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\Agentbrokerhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Agentbrokerhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Agentbrokerhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentbrokerhostA" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\Agentbrokerhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Mail\csrss.exe
Filesize
1.3MB

MD5
b6b8ed3f241a8ec6c92614939819f96e

SHA1
36ba697c15cc03e6547e940058655b29c8a467f7

SHA256
b7976a3465d72517957a09a6e595980a2ab4f3079a9b9bbd3cf4758776409ce1

SHA512
a99f1a8493db96d9b902a97b2d05f8e18465a8da52c6ea52fb354056c8da06cdd9c5b23db2309e8a3f920f7a61b937f0c940c9de76940d4b4e15769599bcde6d

Download Submit
C:\Program Files (x86)\Windows Mail\csrss.exe
Filesize
1.3MB

MD5
b6b8ed3f241a8ec6c92614939819f96e

SHA1
36ba697c15cc03e6547e940058655b29c8a467f7

SHA256
b7976a3465d72517957a09a6e595980a2ab4f3079a9b9bbd3cf4758776409ce1

SHA512
a99f1a8493db96d9b902a97b2d05f8e18465a8da52c6ea52fb354056c8da06cdd9c5b23db2309e8a3f920f7a61b937f0c940c9de76940d4b4e15769599bcde6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Agentbrokerhost.exe.log
Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3PEIhcmHNi.bat
Filesize
210B

MD5
112163ae83167a9a5e4aa478a9f0a6e8

SHA1
f64741be16196ceed858ae38fa87d7c00b855c52

SHA256
367519852f0b550b1a9094b5adc4acd7ee76c4ce2c40ce243809f34aa591df5f

SHA512
22dd666100dd9ca791b1b717923c82e47290f30968c80d6cc17ad8b1c78fa99ad50c4ed437920f23bfe8ff5b6e747d96300b32b8d37f747f1ee963a7b4f2118e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\VCRUNTIME140.dll
Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\VCRUNTIME140.dll
Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_bz2.pyd
Filesize
84KB

MD5
e91b4f8e1592da26bacaceb542a220a8

SHA1
5459d4c2147fa6db75211c3ec6166b869738bd38

SHA256
20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f

SHA512
cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_bz2.pyd
Filesize
84KB

MD5
e91b4f8e1592da26bacaceb542a220a8

SHA1
5459d4c2147fa6db75211c3ec6166b869738bd38

SHA256
20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f

SHA512
cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_lzma.pyd
Filesize
159KB

MD5
493c33ddf375b394b648c4283b326481

SHA1
59c87ee582ba550f064429cb26ad79622c594f08

SHA256
6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16

SHA512
a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\_lzma.pyd
Filesize
159KB

MD5
493c33ddf375b394b648c4283b326481

SHA1
59c87ee582ba550f064429cb26ad79622c594f08

SHA256
6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16

SHA512
a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\base_library.zip
Filesize
1012KB

MD5
82a7ff1c3fd2a685d48a2d8901286eba

SHA1
4327631bbc3d7fb79bc5562c1ce2d7389000f2f1

SHA256
b1eb88441c0c413e7f3cf1db4114c403e0ace1ae0dbe3c285804347241720166

SHA512
7129f500c594a5ce36fbee54a3dd8b90984fe9512d043bad270c6b094221b014b5dbee6974a74461d0dd937d6fcbc06d16ab7192eaa5e8b9bc563fe2516220f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\main.zip
Filesize
2.1MB

MD5
123877dd77c88c247d34baecf8d4dc8f

SHA1
0e4599e431f1bd6bb986faa06fd45f8ee0319673

SHA256
fef0d4804c2faa0a67dd917067e87cbe46a9f64f0d38898cfb0c75d8986088f8

SHA512
ac77040953760edb9bb3ee8186b2b2c59ee8be5174e03d454ed729fde0380b0146cc77a637b476aec7885b8ef52a3b2b7f24feeb3f8cb24fd5a28d83acd13e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\python39.dll
Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45362\python39.dll
Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe
Filesize
1.3MB

MD5
b6b8ed3f241a8ec6c92614939819f96e

SHA1
36ba697c15cc03e6547e940058655b29c8a467f7

SHA256
b7976a3465d72517957a09a6e595980a2ab4f3079a9b9bbd3cf4758776409ce1

SHA512
a99f1a8493db96d9b902a97b2d05f8e18465a8da52c6ea52fb354056c8da06cdd9c5b23db2309e8a3f920f7a61b937f0c940c9de76940d4b4e15769599bcde6d

Download Submit
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe
Filesize
1.3MB

MD5
b6b8ed3f241a8ec6c92614939819f96e

SHA1
36ba697c15cc03e6547e940058655b29c8a467f7

SHA256
b7976a3465d72517957a09a6e595980a2ab4f3079a9b9bbd3cf4758776409ce1

SHA512
a99f1a8493db96d9b902a97b2d05f8e18465a8da52c6ea52fb354056c8da06cdd9c5b23db2309e8a3f920f7a61b937f0c940c9de76940d4b4e15769599bcde6d

Download Submit
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\Agentbrokerhost.exe
Filesize
1.3MB

MD5
b6b8ed3f241a8ec6c92614939819f96e

SHA1
36ba697c15cc03e6547e940058655b29c8a467f7

SHA256
b7976a3465d72517957a09a6e595980a2ab4f3079a9b9bbd3cf4758776409ce1

SHA512
a99f1a8493db96d9b902a97b2d05f8e18465a8da52c6ea52fb354056c8da06cdd9c5b23db2309e8a3f920f7a61b937f0c940c9de76940d4b4e15769599bcde6d

Download Submit
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\ds6dhr0GsXgFgRJynyVxU1.bat
Filesize
46B

MD5
fe96d641dd5093cd3752a9cc51b3b2f5

SHA1
32d760110d0ea649ce22b4efc4e2f2545ba51fe7

SHA256
1e0b86cf353bc25005f07930e896b913a967b33edaa97776e48ca0d6111b999a

SHA512
02265faec82c67f3969ee4793471c109176cd197c27847f3f1d78d48f872dd13003c106481a4d166d84cffee1a992681b55c3bdf9bb823acedc12b858ade83e7

Download Submit
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\hyperReviewsvc\tSkbM8Kgd45HNZU2lIsTAW.vbe
Filesize
220B

MD5
b32277a5411e9a2fc74244b09baef5dd

SHA1
b3bb4bd83f5cb716dc44a64e3a0efaa53347f58a

SHA256
b12df8d67bb03ccfa0251341ba18ee05a3331768062be4b79b12ed3675279aaa

SHA512
50179c1a2f6a22bd12985c7356edcdb396c8fad8706e0bdc7e77d57ea671706350df2f26a9fbc4490d7f65737d7dc396f73442fb32f0f1c25c90912ef6364075

Download Submit
C:\main.exe
Filesize
1.6MB

MD5
72424a924263141e04f605b0a8b1efa2

SHA1
f77690345b00318d5f27917b25d4cf98d9d22528

SHA256
d2292ddd2e8a43d635bb060db6633e6ce62dd078ab8a0a62636b717f234fc69b

SHA512
6010f07ce47d41f762af0c2b0829cbc103d688edf3461b4f7db3ceb1d5d03e1d64b5b6730fb7592e5e1f358359a8d8051e8e434c9f4b2e7ed838db90ef8db83e

Download Submit
C:\main.exe
Filesize
1.6MB

MD5
72424a924263141e04f605b0a8b1efa2

SHA1
f77690345b00318d5f27917b25d4cf98d9d22528

SHA256
d2292ddd2e8a43d635bb060db6633e6ce62dd078ab8a0a62636b717f234fc69b

SHA512
6010f07ce47d41f762af0c2b0829cbc103d688edf3461b4f7db3ceb1d5d03e1d64b5b6730fb7592e5e1f358359a8d8051e8e434c9f4b2e7ed838db90ef8db83e

Download Submit
C:\main1.exe
Filesize
1.6MB

MD5
72424a924263141e04f605b0a8b1efa2

SHA1
f77690345b00318d5f27917b25d4cf98d9d22528

SHA256
d2292ddd2e8a43d635bb060db6633e6ce62dd078ab8a0a62636b717f234fc69b

SHA512
6010f07ce47d41f762af0c2b0829cbc103d688edf3461b4f7db3ceb1d5d03e1d64b5b6730fb7592e5e1f358359a8d8051e8e434c9f4b2e7ed838db90ef8db83e

Download Submit
C:\main1.exe
Filesize
1.6MB

MD5
72424a924263141e04f605b0a8b1efa2

SHA1
f77690345b00318d5f27917b25d4cf98d9d22528

SHA256
d2292ddd2e8a43d635bb060db6633e6ce62dd078ab8a0a62636b717f234fc69b

SHA512
6010f07ce47d41f762af0c2b0829cbc103d688edf3461b4f7db3ceb1d5d03e1d64b5b6730fb7592e5e1f358359a8d8051e8e434c9f4b2e7ed838db90ef8db83e

Download Submit
memory/204-151-0x0000000000000000-mapping.dmp

Download
memory/1096-149-0x0000000000000000-mapping.dmp

Download
memory/1160-180-0x00007FFD37070000-0x00007FFD37B31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-179-0x00007FFD37070000-0x00007FFD37B31000-memory.dmp

Filesize
10.8MB

Download
memory/1160-176-0x0000000000000000-mapping.dmp

Download
memory/1232-132-0x0000000000000000-mapping.dmp

Download
memory/1244-143-0x0000000000000000-mapping.dmp

Download
memory/1380-152-0x0000000000000000-mapping.dmp

Download
memory/1680-144-0x0000000000000000-mapping.dmp

Download
memory/3100-147-0x0000000000000000-mapping.dmp

Download
memory/3456-156-0x0000000000000000-mapping.dmp

Download
memory/3548-164-0x0000000000000000-mapping.dmp

Download
memory/3868-155-0x0000000000000000-mapping.dmp

Download
memory/4264-169-0x00007FFD37070000-0x00007FFD37B31000-memory.dmp

Filesize
10.8MB

Download
memory/4264-165-0x0000000000000000-mapping.dmp

Download
memory/4264-175-0x00007FFD37070000-0x00007FFD37B31000-memory.dmp

Filesize
10.8MB

Download
memory/4372-172-0x0000000000000000-mapping.dmp

Download
memory/4492-163-0x00007FFD37070000-0x00007FFD37B31000-memory.dmp

Filesize
10.8MB

Download
memory/4492-173-0x00007FFD37070000-0x00007FFD37B31000-memory.dmp

Filesize
10.8MB

Download
memory/4492-166-0x0000000001920000-0x0000000001970000-memory.dmp

Filesize
320KB

Download
memory/4492-162-0x0000000000F80000-0x00000000010D2000-memory.dmp

Filesize
1.3MB

Download
memory/4492-159-0x0000000000000000-mapping.dmp

Download
memory/4492-168-0x000000001E1A0000-0x000000001E6C8000-memory.dmp

Filesize
5.2MB

Download
memory/4716-158-0x0000000000000000-mapping.dmp

Download
memory/4940-170-0x0000000000000000-mapping.dmp

Download