dcrat | 8d8083a15c3ed42eae1336ff0060628915f58b60ee35e95b18843b5711b13372

Analysis

max time kernel
51s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
28-01-2023 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Belle Delphine Nudes Leaked!/Big Dildo Riding.scr
Size

3.4MB
MD5

ed6ea767354e940d79e591d21d8e1bbd
SHA1

d07011f13100f7578506f45630cfdb73286a3e44
SHA256

be790ab14ba841b5a5ae4fb7853924f33be7577b35a5565ca31fcd399b1ad8f8
SHA512

b653626e2d42d76d6daa48ecf779e053ab3bff1781c54519fe70f47bd97a03fcce3eed5dacb01edbae655b588ad4be138b2df29e604ddfd2cc0ff4f80b8da569
SSDEEP

49152:EbA37QXuXj2m0oENBxCFk+M0/V5Z7dTMjPvxQp0VR4NOjtSskvRIaqiZd:EbXXuiyENBE209BqnOmeMjYsqR7d

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 46 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeBig Dildo Riding.scrschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
684	schtasks.exe
2536	schtasks.exe
4956	schtasks.exe
4744	schtasks.exe
4784	schtasks.exe
600	schtasks.exe
2184	schtasks.exe
4040	schtasks.exe
4600	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Big Dildo Riding.scr
1124	schtasks.exe
1780	schtasks.exe
1968	schtasks.exe
5048	schtasks.exe
372	schtasks.exe
4720	schtasks.exe
4696	schtasks.exe
2252	schtasks.exe
1860	schtasks.exe
3340	schtasks.exe
3944	schtasks.exe
1852	schtasks.exe
1848	schtasks.exe
1944	schtasks.exe
1168	schtasks.exe
4816	schtasks.exe
1052	schtasks.exe
1308	schtasks.exe
1112	schtasks.exe
1448	schtasks.exe
3380	schtasks.exe
4848	schtasks.exe
500	schtasks.exe
1176	schtasks.exe
1328	schtasks.exe
1908	schtasks.exe
1036	schtasks.exe
5040	schtasks.exe
4288	schtasks.exe
4808	schtasks.exe
1368	schtasks.exe
1912	schtasks.exe
1176	schtasks.exe
2080	schtasks.exe
2860	schtasks.exe
352	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

webbroker.exewebbroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\", \"C:\\odt\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\", \"C:\\odt\\powershell.exe\", \"C:\\SurrogateagentsavesDll\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\", \"C:\\odt\\powershell.exe\", \"C:\\SurrogateagentsavesDll\\powershell.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\powershell.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\powershell.exe\", \"C:\\Users\\Admin\\Saved Games\\dllhost.exe\", \"C:\\Users\\Default\\Music\\fontdrvhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\", \"C:\\odt\\powershell.exe\", \"C:\\SurrogateagentsavesDll\\powershell.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\powershell.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\", \"C:\\odt\\powershell.exe\", \"C:\\SurrogateagentsavesDll\\powershell.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\powershell.exe\", \"C:\\odt\\conhost.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\powershell.exe\", \"C:\\Users\\Admin\\Saved Games\\dllhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\", \"C:\\odt\\powershell.exe\", \"C:\\SurrogateagentsavesDll\\powershell.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\cmd.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\", \"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\", \"C:\\SurrogateagentsavesDll\\lsass.exe\", \"C:\\SurrogateagentsavesDll\\dwm.exe\", \"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\SurrogateagentsavesDll\\Idle.exe\", \"C:\\odt\\powershell.exe\", \"C:\\SurrogateagentsavesDll\\powershell.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\powershell.exe\", \"C:\\odt\\conhost.exe\""	webbroker.exe

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4772	schtasks.exe

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\SurrogateagentsavesDll\webbroker.exe	dcrat
C:\SurrogateagentsavesDll\webbroker.exe	dcrat
behavioral2/memory/3216-282-0x00000000003D0000-0x0000000000672000-memory.dmp	dcrat
C:\SurrogateagentsavesDll\webbroker.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\SurrogateagentsavesDll\powershell.exe	dcrat
C:\Windows\Logs\WindowsUpdate\powershell.exe	dcrat
C:\Windows\Logs\WindowsUpdate\powershell.exe	dcrat

Executes dropped EXE 12 IoCs

Processes:

webbroker.exewebbroker.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3216	webbroker.exe
5112	webbroker.exe
4852	powershell.exe
4312	powershell.exe
4700	powershell.exe
4132	powershell.exe
4764	powershell.exe
3736	powershell.exe
4172	powershell.exe
2680	powershell.exe
4088	powershell.exe
4884	powershell.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

webbroker.exewebbroker.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Saved Games\\dllhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Saved Games\\dllhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\cmd.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\SurrogateagentsavesDll\\dwm.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\SurrogateagentsavesDll\\Idle.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\odt\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\SurrogateagentsavesDll\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\Logs\\WindowsUpdate\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\SurrogateagentsavesDll\\lsass.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\Microsoft.NET\\authman\\OfficeClickToRun.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\SurrogateagentsavesDll\\lsass.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\SurrogateagentsavesDll\\dwm.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\SurrogateagentsavesDll\\Idle.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\odt\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\cmd.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\odt\\conhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Music\\fontdrvhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Windows Sidebar\\Shared Gadgets\\OfficeClickToRun.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\SurrogateagentsavesDll\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Windows\\Logs\\WindowsUpdate\\powershell.exe\""	webbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default\\Music\\fontdrvhost.exe\""	webbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\AppPatch\\ja-JP\\conhost.exe\""	webbroker.exe

Drops file in Program Files directory 6 IoCs

Processes:

webbroker.exewebbroker.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\e6c9b481da804f	webbroker.exe
File created	C:\Program Files\7-Zip\Lang\conhost.exe	webbroker.exe
File created	C:\Program Files\7-Zip\Lang\088424020bedd6	webbroker.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe	webbroker.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\e978f868350d50	webbroker.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe	webbroker.exe

Drops file in Windows directory 6 IoCs

Processes:

webbroker.exewebbroker.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\authman\OfficeClickToRun.exe	webbroker.exe
File created	C:\Windows\Microsoft.NET\authman\e6c9b481da804f	webbroker.exe
File created	C:\Windows\Logs\WindowsUpdate\powershell.exe	webbroker.exe
File created	C:\Windows\Logs\WindowsUpdate\e978f868350d50	webbroker.exe
File created	C:\Windows\AppPatch\ja-JP\conhost.exe	webbroker.exe
File created	C:\Windows\AppPatch\ja-JP\088424020bedd6	webbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4956	schtasks.exe
1912	schtasks.exe
1176	schtasks.exe
1860	schtasks.exe
2860	schtasks.exe
3944	schtasks.exe
4288	schtasks.exe
1124	schtasks.exe
4816	schtasks.exe
4744	schtasks.exe
684	schtasks.exe
500	schtasks.exe
1176	schtasks.exe
1848	schtasks.exe
1308	schtasks.exe
5040	schtasks.exe
4848	schtasks.exe
2184	schtasks.exe
1036	schtasks.exe
3380	schtasks.exe
5048	schtasks.exe
372	schtasks.exe
4696	schtasks.exe
1368	schtasks.exe
1448	schtasks.exe
1908	schtasks.exe
3340	schtasks.exe
2536	schtasks.exe
352	schtasks.exe
4600	schtasks.exe
1328	schtasks.exe
1112	schtasks.exe
1968	schtasks.exe
4784	schtasks.exe
2252	schtasks.exe
1052	schtasks.exe
1852	schtasks.exe
2080	schtasks.exe
1168	schtasks.exe
4040	schtasks.exe
4720	schtasks.exe
4808	schtasks.exe
600	schtasks.exe
1944	schtasks.exe
1780	schtasks.exe

Modifies registry class 2 IoCs

Processes:

webbroker.exeBig Dildo Riding.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	webbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	Big Dildo Riding.scr

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

webbroker.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewebbroker.exe

pid	process
3216	webbroker.exe
3216	webbroker.exe
3216	webbroker.exe
3216	webbroker.exe
3216	webbroker.exe
3216	webbroker.exe
3216	webbroker.exe
3216	webbroker.exe
3216	webbroker.exe
420	powershell.exe
2408	powershell.exe
868	powershell.exe
420	powershell.exe
2340	powershell.exe
868	powershell.exe
3356	powershell.exe
3384	powershell.exe
204	powershell.exe
2516	powershell.exe
868	powershell.exe
420	powershell.exe
2516	powershell.exe
2408	powershell.exe
204	powershell.exe
2340	powershell.exe
3384	powershell.exe
2516	powershell.exe
2408	powershell.exe
204	powershell.exe
3356	powershell.exe
2340	powershell.exe
3384	powershell.exe
3356	powershell.exe
5112	webbroker.exe
5112	webbroker.exe
5112	webbroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

webbroker.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3216	webbroker.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	204	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeIncreaseQuotaPrivilege	420	powershell.exe
Token: SeSecurityPrivilege	420	powershell.exe
Token: SeTakeOwnershipPrivilege	420	powershell.exe
Token: SeLoadDriverPrivilege	420	powershell.exe
Token: SeSystemProfilePrivilege	420	powershell.exe
Token: SeSystemtimePrivilege	420	powershell.exe
Token: SeProfSingleProcessPrivilege	420	powershell.exe
Token: SeIncBasePriorityPrivilege	420	powershell.exe
Token: SeCreatePagefilePrivilege	420	powershell.exe
Token: SeBackupPrivilege	420	powershell.exe
Token: SeRestorePrivilege	420	powershell.exe
Token: SeShutdownPrivilege	420	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeSystemEnvironmentPrivilege	420	powershell.exe
Token: SeRemoteShutdownPrivilege	420	powershell.exe
Token: SeUndockPrivilege	420	powershell.exe
Token: SeManageVolumePrivilege	420	powershell.exe
Token: 33	420	powershell.exe
Token: 34	420	powershell.exe
Token: 35	420	powershell.exe
Token: 36	420	powershell.exe
Token: SeIncreaseQuotaPrivilege	868	powershell.exe
Token: SeSecurityPrivilege	868	powershell.exe
Token: SeTakeOwnershipPrivilege	868	powershell.exe
Token: SeLoadDriverPrivilege	868	powershell.exe
Token: SeSystemProfilePrivilege	868	powershell.exe
Token: SeSystemtimePrivilege	868	powershell.exe
Token: SeProfSingleProcessPrivilege	868	powershell.exe
Token: SeIncBasePriorityPrivilege	868	powershell.exe
Token: SeCreatePagefilePrivilege	868	powershell.exe
Token: SeBackupPrivilege	868	powershell.exe
Token: SeRestorePrivilege	868	powershell.exe
Token: SeShutdownPrivilege	868	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeSystemEnvironmentPrivilege	868	powershell.exe
Token: SeRemoteShutdownPrivilege	868	powershell.exe
Token: SeUndockPrivilege	868	powershell.exe
Token: SeManageVolumePrivilege	868	powershell.exe
Token: 33	868	powershell.exe
Token: 34	868	powershell.exe
Token: 35	868	powershell.exe
Token: 36	868	powershell.exe
Token: SeIncreaseQuotaPrivilege	2516	powershell.exe
Token: SeSecurityPrivilege	2516	powershell.exe
Token: SeTakeOwnershipPrivilege	2516	powershell.exe
Token: SeLoadDriverPrivilege	2516	powershell.exe
Token: SeSystemProfilePrivilege	2516	powershell.exe
Token: SeSystemtimePrivilege	2516	powershell.exe
Token: SeProfSingleProcessPrivilege	2516	powershell.exe
Token: SeIncBasePriorityPrivilege	2516	powershell.exe
Token: SeCreatePagefilePrivilege	2516	powershell.exe
Token: SeBackupPrivilege	2516	powershell.exe
Token: SeRestorePrivilege	2516	powershell.exe
Token: SeShutdownPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

Big Dildo Riding.scrWScript.execmd.exewebbroker.execmd.exewebbroker.exe

description	pid	process	target process
PID 3848 wrote to memory of 4116	3848	Big Dildo Riding.scr	WScript.exe
PID 3848 wrote to memory of 4116	3848	Big Dildo Riding.scr	WScript.exe
PID 3848 wrote to memory of 4116	3848	Big Dildo Riding.scr	WScript.exe
PID 4116 wrote to memory of 5112	4116	WScript.exe	cmd.exe
PID 4116 wrote to memory of 5112	4116	WScript.exe	cmd.exe
PID 4116 wrote to memory of 5112	4116	WScript.exe	cmd.exe
PID 5112 wrote to memory of 3216	5112	cmd.exe	webbroker.exe
PID 5112 wrote to memory of 3216	5112	cmd.exe	webbroker.exe
PID 3216 wrote to memory of 868	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 868	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 420	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 420	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 2408	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 2408	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 2340	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 2340	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 3356	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 3356	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 3384	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 3384	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 204	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 204	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 2516	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 2516	3216	webbroker.exe	powershell.exe
PID 3216 wrote to memory of 628	3216	webbroker.exe	cmd.exe
PID 3216 wrote to memory of 628	3216	webbroker.exe	cmd.exe
PID 628 wrote to memory of 4160	628	cmd.exe	w32tm.exe
PID 628 wrote to memory of 4160	628	cmd.exe	w32tm.exe
PID 628 wrote to memory of 5112	628	cmd.exe	webbroker.exe
PID 628 wrote to memory of 5112	628	cmd.exe	webbroker.exe
PID 5112 wrote to memory of 4852	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4852	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4312	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4312	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4700	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4700	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4132	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4132	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4764	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4764	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 3736	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 3736	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4172	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4172	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 2680	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 2680	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4088	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4088	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4884	5112	webbroker.exe	powershell.exe
PID 5112 wrote to memory of 4884	5112	webbroker.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Belle Delphine Nudes Leaked!\Big Dildo Riding.scr
"C:\Users\Admin\AppData\Local\Temp\Belle Delphine Nudes Leaked!\Big Dildo Riding.scr" /S
1⤵
- DcRat
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SurrogateagentsavesDll\rh7k9gt.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\SurrogateagentsavesDll\2nvHsNHUhqkINTDaJO.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\SurrogateagentsavesDll\webbroker.exe
"C:\SurrogateagentsavesDll\webbroker.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\webbroker.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\ja-JP\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TgGFVV6FdQ.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4160

C:\SurrogateagentsavesDll\webbroker.exe
"C:\SurrogateagentsavesDll\webbroker.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\webbroker.exe'
7⤵
- Executes dropped EXE
PID:4852

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\powershell.exe'
7⤵
- Executes dropped EXE
PID:4700

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\powershell.exe'
7⤵
- Executes dropped EXE
PID:4132

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\SurrogateagentsavesDll\Idle.exe'
7⤵
- Executes dropped EXE
PID:4312

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'
7⤵
- Executes dropped EXE
PID:4764

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\WindowsUpdate\powershell.exe'
7⤵
- Executes dropped EXE
PID:4172

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\fontdrvhost.exe'
7⤵
- Executes dropped EXE
PID:4088

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\dllhost.exe'
7⤵
- Executes dropped EXE
PID:2680

C:\SurrogateagentsavesDll\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
7⤵
- Executes dropped EXE
PID:3736

C:\Windows\Logs\WindowsUpdate\powershell.exe
"C:\Windows\Logs\WindowsUpdate\powershell.exe"
7⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\ja-JP\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\authman\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\authman\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\SurrogateagentsavesDll\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\SurrogateagentsavesDll\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\SurrogateagentsavesDll\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\SurrogateagentsavesDll\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\SurrogateagentsavesDll\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\SurrogateagentsavesDll\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\SurrogateagentsavesDll\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\SurrogateagentsavesDll\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\SurrogateagentsavesDll\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\odt\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\SurrogateagentsavesDll\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\SurrogateagentsavesDll\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\SurrogateagentsavesDll\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\WindowsUpdate\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Logs\WindowsUpdate\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\WindowsUpdate\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Music\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SurrogateagentsavesDll\2nvHsNHUhqkINTDaJO.bat

Filesize
41B

MD5
d9fbba17a660eee76f5e6556e7f00ccc

SHA1
5e40c6de4f9a1d2dae42a33902120af6c561f631

SHA256
bed8275c849c71818fa90791dd5b71514a46a82990a7e04a3092dc7c761d1f62

SHA512
c3f484fbe0b3461335b6aa6fe8ec509044e853edf15a514e3d2d33bd5370d9566b21f03cc0e949ec9a6a91c2abeb7f30dc741b33522548b75c056384f1344955

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\rh7k9gt.vbe

Filesize
217B

MD5
243fd9d2bb97513854d1025a6727a5e4

SHA1
ab45973af5a26c54821b6897043958ecbf5683b3

SHA256
38a0c3d04ec79e01ecc452d0afb95ac1f419472d9abbd9ebde4b30b94da6509b

SHA512
da630c8c29ba43e8929ec89ba525930cceca5f580d338ca8337dc1be9cb41fe11ba7c7f4ab658407552b7d5ce2929fd56f86739bd76124e35a0110d407c6faeb

Download Submit
C:\SurrogateagentsavesDll\webbroker.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\webbroker.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\SurrogateagentsavesDll\webbroker.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\webbroker.exe.log

Filesize
1KB

MD5
430a3e587f99c7640a58a042ce63bdd6

SHA1
5d11d6b74e56cf622796971b8f57f57ca37592db

SHA256
a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7

SHA512
0b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c75468aaf0d8b04bf7f4946cd323d2d6

SHA1
13240d2f707cd84be34867c22a9d0c575b73fd2f

SHA256
d72d1806d71018d60bbac5078fc219836330da91e0d8f8021cf2f030c08a20e4

SHA512
0abd6d9521e3e944306a12dad10ffb58f3acda50eea3150d889dcc54778cdb886fda2f9e489dd8c880a4da7267fe1c33b727102f9b3a7fd0cbbe133617a8b900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02b6c68dead38613d1a8ea25fc80efc8

SHA1
3ebea48bb5ebe6cbf73f4ecbee0b67fd253b02e9

SHA256
e5d94cb19f98851096d1c2114e3d18543082cbfe1d91c42f927fcde3b7be75a7

SHA512
baef4ccff193426df30097f39126e271311ea0614ec24356069e15672fbf877248993c58a8816427bf93c5ff96e57357168449b3a2581e464b73e9b83286b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02b6c68dead38613d1a8ea25fc80efc8

SHA1
3ebea48bb5ebe6cbf73f4ecbee0b67fd253b02e9

SHA256
e5d94cb19f98851096d1c2114e3d18543082cbfe1d91c42f927fcde3b7be75a7

SHA512
baef4ccff193426df30097f39126e271311ea0614ec24356069e15672fbf877248993c58a8816427bf93c5ff96e57357168449b3a2581e464b73e9b83286b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d72db63dec8b8e84e8a1155e8e0ca96

SHA1
b4728a0fc4a47592806b3da1d30eb0291c4d05d1

SHA256
a1e91ce3b1f6b419c88a0b371225a6fac03881b39c8184bf2ff65129a00ed6d2

SHA512
5aef675942f6157ab2d678c7ce800360488c0948be42577574afec0486c5ce903802e4971b80ede2fddb131b8ac8c81b022233f88b0210cdc7835739465f1c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67ce02f385b4fc1c199c122a101bedd3

SHA1
d4eaaaa0774bbb3b7ee77ef0ed7162a8e0e7fba8

SHA256
54bdf8dd22f35b31f271c059695d1e1dfed55f9bf9776a4a7ac9bdcdc5bcbc32

SHA512
f4297cc244b64c8cec8c583b4eba9cc053d7247c3ce6417991d2130d20f3085c79f23281f6a1b8814965bead915f9b74a7e7c8d85821dac85bc3f9101574e3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5176c4369feaa788f29bcc46f92299e

SHA1
68b8805e3351510e57949c4508af1a2fb763be14

SHA256
9162b47b5b588583c2437d1a51fe572eb4b7ab4ff71ac09fa934fbe8241323d7

SHA512
bcaa43068ff33d00b8c4bb9d2767589fb95fbd571f62c6fcf378f02fb51e1525b78b5e77fd003effb8826ee3cfa091e03d8429903e7521627c47c8adc94b07c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da500a46bd340de072728f9f14a5eb56

SHA1
72b00df9826f5f872ae0c759ac8d9e2afb1915a3

SHA256
9ac145b4fc290d1e94d869702a3e271a1f3b5373fad47900775a7b27eb1c2d8a

SHA512
a13fc5d07d0852bc91c0a5cdbb601fd58c9c44522816db7e46a685cc30b5468c4e6006e211b4164356bd13b67f2acd72684e5e6671622ca1d008632d84787d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\TgGFVV6FdQ.bat

Filesize
204B

MD5
25e89cefdf4c3589308e932116b33ed1

SHA1
70e179af4fb3865dc5dba8b1a04eb0be99188fba

SHA256
e47c8da1fcdea31f8e93ebce0bc59d7e15bf8dd20b46ff1a32c4a24ebdd45b8b

SHA512
d1b6042a05ca1ba851d3b2318b991e47a14e0c0c55818a9aec6529ebaa00e3e437842546606c2476323f4e408dcf6085f13ea151d82bba6e0241452b19a939d8

Download Submit
C:\Windows\Logs\WindowsUpdate\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
C:\Windows\Logs\WindowsUpdate\powershell.exe

Filesize
2.6MB

MD5
b1364fea5ff9a5f9d5e4f63374b926fc

SHA1
a837da0330a19c84bd2aaef52125f9cf98dc6f95

SHA256
cf3dc60ee782af378f4ad7651deb5ac6229c9073e47973f0732a761fa06fc5ce

SHA512
bb71608ebdb9a15ad0bc46226f3d0354bcd8659e088b723a29bb77e128ffe4bdfdb7bec859f3a8b9552efd31561088778655da3f1cc2137eec8707535bb21ecf

Download Submit
memory/204-303-0x0000000000000000-mapping.dmp

Download
memory/420-298-0x0000000000000000-mapping.dmp

Download
memory/420-338-0x0000020F68590000-0x0000020F685A0000-memory.dmp

Filesize
64KB

Download
memory/420-337-0x0000020F68610000-0x0000020F68692000-memory.dmp

Filesize
520KB

Download
memory/420-341-0x0000020F69030000-0x0000020F69052000-memory.dmp

Filesize
136KB

Download
memory/628-332-0x0000000000000000-mapping.dmp

Download
memory/868-349-0x0000023FF27F0000-0x0000023FF2866000-memory.dmp

Filesize
472KB

Download
memory/868-297-0x0000000000000000-mapping.dmp

Download
memory/868-368-0x0000023FF2870000-0x0000023FF28BA000-memory.dmp

Filesize
296KB

Download
memory/2340-300-0x0000000000000000-mapping.dmp

Download
memory/2408-299-0x0000000000000000-mapping.dmp

Download
memory/2516-304-0x0000000000000000-mapping.dmp

Download
memory/2516-572-0x00000246772D0000-0x00000246772EE000-memory.dmp

Filesize
120KB

Download
memory/2680-621-0x0000000000000000-mapping.dmp

Download
memory/3216-279-0x0000000000000000-mapping.dmp

Download
memory/3216-292-0x00000000028A0000-0x00000000028AA000-memory.dmp

Filesize
40KB

Download
memory/3216-283-0x000000001C0F0000-0x000000001C1F2000-memory.dmp

Filesize
1.0MB

Download
memory/3216-284-0x0000000000E60000-0x0000000000E7C000-memory.dmp

Filesize
112KB

Download
memory/3216-285-0x000000001B290000-0x000000001B2E0000-memory.dmp

Filesize
320KB

Download
memory/3216-296-0x000000001B330000-0x000000001B33C000-memory.dmp

Filesize
48KB

Download
memory/3216-295-0x000000001B320000-0x000000001B32A000-memory.dmp

Filesize
40KB

Download
memory/3216-294-0x000000001B310000-0x000000001B31C000-memory.dmp

Filesize
48KB

Download
memory/3216-293-0x000000001B300000-0x000000001B30E000-memory.dmp

Filesize
56KB

Download
memory/3216-282-0x00000000003D0000-0x0000000000672000-memory.dmp

Filesize
2.6MB

Download
memory/3216-291-0x000000001CA30000-0x000000001CF56000-memory.dmp

Filesize
5.1MB

Download
memory/3216-290-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/3216-289-0x0000000002850000-0x00000000028A6000-memory.dmp

Filesize
344KB

Download
memory/3216-288-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

Filesize
64KB

Download
memory/3216-287-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/3216-286-0x0000000002830000-0x0000000002846000-memory.dmp

Filesize
88KB

Download
memory/3356-301-0x0000000000000000-mapping.dmp

Download
memory/3384-302-0x0000000000000000-mapping.dmp

Download
memory/3736-617-0x0000000000000000-mapping.dmp

Download
memory/3848-152-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-144-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-117-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-118-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-119-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-159-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-158-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-161-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-116-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-157-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-156-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-178-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-177-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-176-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-175-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-174-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-173-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-172-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-171-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-170-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-166-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-169-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-168-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-167-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-165-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-164-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-155-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-154-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-153-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-160-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-163-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-151-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-162-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-150-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-148-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-149-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-147-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-146-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-145-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-121-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-179-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-143-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-122-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-142-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-141-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-140-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-124-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-125-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-139-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-138-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-137-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-136-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-135-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-134-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-133-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-132-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-126-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-127-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-131-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-130-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-129-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/3848-128-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/4088-623-0x0000000000000000-mapping.dmp

Download
memory/4116-182-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/4116-180-0x0000000000000000-mapping.dmp

Download
memory/4116-181-0x0000000077410000-0x000000007759E000-memory.dmp

Filesize
1.6MB

Download
memory/4132-614-0x0000000000000000-mapping.dmp

Download
memory/4160-344-0x0000000000000000-mapping.dmp

Download
memory/4172-619-0x0000000000000000-mapping.dmp

Download
memory/4312-608-0x0000000000000000-mapping.dmp

Download
memory/4700-611-0x0000000000000000-mapping.dmp

Download
memory/4764-615-0x0000000000000000-mapping.dmp

Download
memory/4852-607-0x0000000000000000-mapping.dmp

Download
memory/4884-626-0x0000000000000000-mapping.dmp

Download
memory/5112-576-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/5112-256-0x0000000000000000-mapping.dmp

Download
memory/5112-567-0x0000000000000000-mapping.dmp

Download
memory/5112-573-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download