dcrat | 2318153f6af14c4c99e8c0c106c4d5d28667a904bb1a6547a00f78ef03f3fab8

Analysis

max time kernel
36s
max time network
38s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exe
Size

2.6MB
MD5

09cacacf6eef86e62b26d5d1ca217c8e
SHA1

21520171163005980651861cea13fc6edc82d2da
SHA256

abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac
SHA512

fc90917fa408769cef02c977ff4a0f30a6b14e0fe0731a7ccd573c63da9523e48d58914c5a26b4f5d3d8faee47ea3d32ccbf5e462e802dd7b3cc23e6ad6fd4c6
SSDEEP

49152:ubA3jlSSI+tkWr2mvKSq32s+FBf4HrypMFQtwfRKSSutCn0:ubcSbWr2mLHyC8LSut1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	744	schtasks.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\hyperchainagent\Surrogaterefnet.exe	dcrat
C:\hyperchainagent\Surrogaterefnet.exe	dcrat
\hyperchainagent\Surrogaterefnet.exe	dcrat
C:\hyperchainagent\Surrogaterefnet.exe	dcrat
behavioral1/memory/1632-67-0x00000000009E0000-0x0000000000C32000-memory.dmp	dcrat
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe	dcrat
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe	dcrat
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe	dcrat
behavioral1/memory/888-109-0x0000000001310000-0x0000000001562000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

Surrogaterefnet.exeIdle.exe

pid process

1632 Surrogaterefnet.exe
888 Idle.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1472 cmd.exe
1472 cmd.exe

pid	process
1632	Surrogaterefnet.exe
888	Idle.exe

pid	process
1472	cmd.exe
1472	cmd.exe

Drops file in Program Files directory 11 IoCs

Processes:

Surrogaterefnet.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\24dbde2999530e	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	Surrogaterefnet.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\WmiPrvSE.exe	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\886983d96e3d3e	Surrogaterefnet.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc	Surrogaterefnet.exe
File created	C:\Program Files\Windows Journal\smss.exe	Surrogaterefnet.exe
File created	C:\Program Files\Windows Journal\69ddcba757bf72	Surrogaterefnet.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	Surrogaterefnet.exe

Drops file in Windows directory 2 IoCs

Processes:

Surrogaterefnet.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\ScanFile\spoolsv.exe	Surrogaterefnet.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\f3b6ecef712a24	Surrogaterefnet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1848	schtasks.exe
1536	schtasks.exe
1364	schtasks.exe
1732	schtasks.exe
1048	schtasks.exe
1876	schtasks.exe
884	schtasks.exe
1700	schtasks.exe
1588	schtasks.exe
1264	schtasks.exe
1984	schtasks.exe
1328	schtasks.exe
1092	schtasks.exe
1896	schtasks.exe
1700	schtasks.exe
1204	schtasks.exe
280	schtasks.exe
872	schtasks.exe
528	schtasks.exe
864	schtasks.exe
1204	schtasks.exe
1456	schtasks.exe
1724	schtasks.exe
1364	schtasks.exe
1636	schtasks.exe
1316	schtasks.exe
2036	schtasks.exe
1160	schtasks.exe
2020	schtasks.exe
520	schtasks.exe
1380	schtasks.exe
1284	schtasks.exe
1540	schtasks.exe
1276	schtasks.exe
988	schtasks.exe
592	schtasks.exe
1836	schtasks.exe
1596	schtasks.exe
1780	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Idle.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Idle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Idle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Idle.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Surrogaterefnet.exeIdle.exe

pid process

1632 Surrogaterefnet.exe
888 Idle.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Surrogaterefnet.exeIdle.exe

description pid process

Token: SeDebugPrivilege 1632 Surrogaterefnet.exe
Token: SeDebugPrivilege 888 Idle.exe

pid	process
1632	Surrogaterefnet.exe
888	Idle.exe

description	pid	process
Token: SeDebugPrivilege	1632	Surrogaterefnet.exe
Token: SeDebugPrivilege	888	Idle.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exeWScript.execmd.exeSurrogaterefnet.exe

description	pid	process	target process
PID 1676 wrote to memory of 304	1676	abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exe	WScript.exe
PID 1676 wrote to memory of 304	1676	abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exe	WScript.exe
PID 1676 wrote to memory of 304	1676	abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exe	WScript.exe
PID 1676 wrote to memory of 304	1676	abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exe	WScript.exe
PID 304 wrote to memory of 1472	304	WScript.exe	cmd.exe
PID 304 wrote to memory of 1472	304	WScript.exe	cmd.exe
PID 304 wrote to memory of 1472	304	WScript.exe	cmd.exe
PID 304 wrote to memory of 1472	304	WScript.exe	cmd.exe
PID 1472 wrote to memory of 1632	1472	cmd.exe	Surrogaterefnet.exe
PID 1472 wrote to memory of 1632	1472	cmd.exe	Surrogaterefnet.exe
PID 1472 wrote to memory of 1632	1472	cmd.exe	Surrogaterefnet.exe
PID 1472 wrote to memory of 1632	1472	cmd.exe	Surrogaterefnet.exe
PID 1632 wrote to memory of 888	1632	Surrogaterefnet.exe	Idle.exe
PID 1632 wrote to memory of 888	1632	Surrogaterefnet.exe	Idle.exe
PID 1632 wrote to memory of 888	1632	Surrogaterefnet.exe	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exe
"C:\Users\Admin\AppData\Local\Temp\abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperchainagent\hVasfh5Xz1.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hyperchainagent\DMBt2834kk6smlkgJa5RvPFxYK.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\hyperchainagent\Surrogaterefnet.exe
      "C:\hyperchainagent\Surrogaterefnet.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe
        
        "C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\hyperchainagent\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\hyperchainagent\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\hyperchainagent\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\ScanFile\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\ScanFile\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\Idle.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d067071f4ea0f5ae54c1a6563df47fd

SHA1
4279ec0aaf1502eef7932081d334f0f0f7c1197b

SHA256
816e350720928f4b0a9ecbfb72eb30559d81bc9d046bc757a8a195d27a0439b3

SHA512
8e0db8de25a94b9916bb8923e7eeb8aacb1bb349db1309b39413ba83c3b4bb25a0c13ac639a2c83e3f78f47deae7d239cd1eb3fa9d5c2a874aafd472bda70ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7FFC.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar816A.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\hyperchainagent\DMBt2834kk6smlkgJa5RvPFxYK.bat

Filesize
40B

MD5
9cbc6ed294d7df3d71188be1778d1e84

SHA1
49ea3428916b3fbbb817df9f40bd7fd3385dfb1e

SHA256
91bb54ba35c1ac167d6eedccd1b18f9178426f21aefcf14ac488e09dbb798af8

SHA512
7303ae61150beb18504db411371d2d6e0383f2f3e7a7e3f5f7e7feffa5cbce4fc9b1225474f57050c99f32d3adcbff7f8cab41e4f9edd78a5c26c15e95dea06a

Download Submit
C:\hyperchainagent\Surrogaterefnet.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\hyperchainagent\Surrogaterefnet.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
C:\hyperchainagent\hVasfh5Xz1.vbe

Filesize
218B

MD5
16389aa806a3fd9a2322e3fbcddacede

SHA1
03c06c620f9717650013b8d2c30ca4a67d4e1939

SHA256
f2e9cef08cce338bbc9d5eea18059a3df236f4ca5a050bce564a94347dbc1742

SHA512
9d04db24f78c9a947510e32196d31380db479425cf52752231e1b0df44da43356c7e010f3dd9c79a446b05ca61ec35fbb2de5762f221b7aa1d9555d71555ea91

Download Submit
\hyperchainagent\Surrogaterefnet.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
\hyperchainagent\Surrogaterefnet.exe

Filesize
2.3MB

MD5
dbf705ce9641d7783c9e867a15d463dc

SHA1
e14b23c79cdc102ef10cb35ce78e84a50e725549

SHA256
ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3

SHA512
4ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81

Download Submit
memory/888-110-0x000000001AF40000-0x000000001AFC0000-memory.dmp

Filesize
512KB

Download
memory/888-109-0x0000000001310000-0x0000000001562000-memory.dmp

Filesize
2.3MB

Download
memory/1632-67-0x00000000009E0000-0x0000000000C32000-memory.dmp

Filesize
2.3MB

Download
memory/1632-76-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/1632-75-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/1632-74-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1632-73-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/1632-72-0x0000000000960000-0x00000000009B6000-memory.dmp

Filesize
344KB

Download
memory/1632-71-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/1632-70-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/1632-69-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1632-68-0x000000001B180000-0x000000001B200000-memory.dmp

Filesize
512KB

Download