dcrat | 58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 22:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
Size

2.9MB
MD5

4662fe6f5c51595aebafd8121ec36063
SHA1

0659d4c5fbd528ca0029f59c592e7977cb3961c4
SHA256

58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5
SHA512

97cf55835e85bf4663112e2c8e8298f0dea4592253c57c50576a12e25b323915ad1bbce1337dca01d771d3c080b9b7b88a48f5b8facdfb2040c65208b21e7828
SSDEEP

49152:6ZB1G8Y5JpDd0Tv4DmBPO6XXb2m5NtmkGzNgL9eqTHhAL24LvXKpFhkgDoba18sM:g3G7Dd24a95qRgoShmLv+DUap8

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	3656	schtasks.exe	97
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	3656	schtasks.exe	97

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023404-14.dat	dcrat
behavioral2/files/0x0007000000023408-35.dat	dcrat
behavioral2/memory/668-36-0x0000000000AA0000-0x0000000000D36000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Containerwebwin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	HUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe	HUI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe	HUI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240605187	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240605890	HUI.exe

Executes dropped EXE 16 IoCs

pid	Process
2648	HUI.exe
4160	DCRatBuild.exe
668	Containerwebwin.exe
1332	RuntimeBroker.exe
4364	RuntimeBroker.exe
3536	RuntimeBroker.exe
748	RuntimeBroker.exe
4192	RuntimeBroker.exe
4856	RuntimeBroker.exe
2272	RuntimeBroker.exe
3700	RuntimeBroker.exe
1780	RuntimeBroker.exe
4764	RuntimeBroker.exe
4564	RuntimeBroker.exe
1516	RuntimeBroker.exe
2072	RuntimeBroker.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe	Containerwebwin.exe
File created	C:\Program Files (x86)\Windows Defender\9e8d7a4ca61bd9	Containerwebwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2964	schtasks.exe
2956	schtasks.exe
1468	schtasks.exe
2632	schtasks.exe
2988	schtasks.exe
1308	schtasks.exe
3788	schtasks.exe
3096	schtasks.exe
1436	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
668	Containerwebwin.exe
668	Containerwebwin.exe
668	Containerwebwin.exe
668	Containerwebwin.exe
668	Containerwebwin.exe
668	Containerwebwin.exe
668	Containerwebwin.exe
1332	RuntimeBroker.exe
4364	RuntimeBroker.exe
3536	RuntimeBroker.exe
748	RuntimeBroker.exe
4192	RuntimeBroker.exe
4856	RuntimeBroker.exe
2272	RuntimeBroker.exe
3700	RuntimeBroker.exe
1780	RuntimeBroker.exe
4764	RuntimeBroker.exe
4564	RuntimeBroker.exe
1516	RuntimeBroker.exe
2072	RuntimeBroker.exe
2072	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	Containerwebwin.exe
Token: SeDebugPrivilege	1332	RuntimeBroker.exe
Token: SeDebugPrivilege	4364	RuntimeBroker.exe
Token: SeDebugPrivilege	3536	RuntimeBroker.exe
Token: SeDebugPrivilege	748	RuntimeBroker.exe
Token: SeDebugPrivilege	4192	RuntimeBroker.exe
Token: SeDebugPrivilege	4856	RuntimeBroker.exe
Token: SeDebugPrivilege	2272	RuntimeBroker.exe
Token: SeDebugPrivilege	3700	RuntimeBroker.exe
Token: SeDebugPrivilege	1780	RuntimeBroker.exe
Token: SeDebugPrivilege	4764	RuntimeBroker.exe
Token: SeDebugPrivilege	4564	RuntimeBroker.exe
Token: SeDebugPrivilege	1516	RuntimeBroker.exe
Token: SeDebugPrivilege	2072	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1468	4076	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe	82
PID 4076 wrote to memory of 1468	4076	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe	82
PID 1468 wrote to memory of 2648	1468	cmd.exe	85
PID 1468 wrote to memory of 2648	1468	cmd.exe	85
PID 2648 wrote to memory of 4160	2648	HUI.exe	86
PID 2648 wrote to memory of 4160	2648	HUI.exe	86
PID 2648 wrote to memory of 4160	2648	HUI.exe	86
PID 4160 wrote to memory of 2724	4160	DCRatBuild.exe	89
PID 4160 wrote to memory of 2724	4160	DCRatBuild.exe	89
PID 4160 wrote to memory of 2724	4160	DCRatBuild.exe	89
PID 4160 wrote to memory of 4284	4160	DCRatBuild.exe	90
PID 4160 wrote to memory of 4284	4160	DCRatBuild.exe	90
PID 4160 wrote to memory of 4284	4160	DCRatBuild.exe	90
PID 2724 wrote to memory of 860	2724	WScript.exe	101
PID 2724 wrote to memory of 860	2724	WScript.exe	101
PID 2724 wrote to memory of 860	2724	WScript.exe	101
PID 860 wrote to memory of 668	860	cmd.exe	104
PID 860 wrote to memory of 668	860	cmd.exe	104
PID 668 wrote to memory of 1332	668	Containerwebwin.exe	114
PID 668 wrote to memory of 1332	668	Containerwebwin.exe	114
PID 1332 wrote to memory of 2448	1332	RuntimeBroker.exe	115
PID 1332 wrote to memory of 2448	1332	RuntimeBroker.exe	115
PID 1332 wrote to memory of 1520	1332	RuntimeBroker.exe	116
PID 1332 wrote to memory of 1520	1332	RuntimeBroker.exe	116
PID 2448 wrote to memory of 4364	2448	WScript.exe	117
PID 2448 wrote to memory of 4364	2448	WScript.exe	117
PID 4364 wrote to memory of 3212	4364	RuntimeBroker.exe	118
PID 4364 wrote to memory of 3212	4364	RuntimeBroker.exe	118
PID 4364 wrote to memory of 4880	4364	RuntimeBroker.exe	119
PID 4364 wrote to memory of 4880	4364	RuntimeBroker.exe	119
PID 3212 wrote to memory of 3536	3212	WScript.exe	120
PID 3212 wrote to memory of 3536	3212	WScript.exe	120
PID 3536 wrote to memory of 3188	3536	RuntimeBroker.exe	121
PID 3536 wrote to memory of 3188	3536	RuntimeBroker.exe	121
PID 3536 wrote to memory of 2964	3536	RuntimeBroker.exe	122
PID 3536 wrote to memory of 2964	3536	RuntimeBroker.exe	122
PID 3188 wrote to memory of 748	3188	WScript.exe	125
PID 3188 wrote to memory of 748	3188	WScript.exe	125
PID 748 wrote to memory of 5052	748	RuntimeBroker.exe	126
PID 748 wrote to memory of 5052	748	RuntimeBroker.exe	126
PID 748 wrote to memory of 4380	748	RuntimeBroker.exe	127
PID 748 wrote to memory of 4380	748	RuntimeBroker.exe	127
PID 5052 wrote to memory of 4192	5052	WScript.exe	128
PID 5052 wrote to memory of 4192	5052	WScript.exe	128
PID 4192 wrote to memory of 5016	4192	RuntimeBroker.exe	129
PID 4192 wrote to memory of 5016	4192	RuntimeBroker.exe	129
PID 4192 wrote to memory of 1020	4192	RuntimeBroker.exe	130
PID 4192 wrote to memory of 1020	4192	RuntimeBroker.exe	130
PID 5016 wrote to memory of 4856	5016	WScript.exe	131
PID 5016 wrote to memory of 4856	5016	WScript.exe	131
PID 4856 wrote to memory of 2988	4856	RuntimeBroker.exe	132
PID 4856 wrote to memory of 2988	4856	RuntimeBroker.exe	132
PID 4856 wrote to memory of 2656	4856	RuntimeBroker.exe	133
PID 4856 wrote to memory of 2656	4856	RuntimeBroker.exe	133
PID 2988 wrote to memory of 2272	2988	WScript.exe	135
PID 2988 wrote to memory of 2272	2988	WScript.exe	135
PID 2272 wrote to memory of 2424	2272	RuntimeBroker.exe	136
PID 2272 wrote to memory of 2424	2272	RuntimeBroker.exe	136
PID 2272 wrote to memory of 2412	2272	RuntimeBroker.exe	137
PID 2272 wrote to memory of 2412	2272	RuntimeBroker.exe	137
PID 2424 wrote to memory of 3700	2424	WScript.exe	138
PID 2424 wrote to memory of 3700	2424	WScript.exe	138
PID 3700 wrote to memory of 3672	3700	RuntimeBroker.exe	139
PID 3700 wrote to memory of 3672	3700	RuntimeBroker.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
"C:\Users\Admin\AppData\Local\Temp\58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe
    HUI.exe -p16336311
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Blockcommonitor\jZZXJTfXw.vbe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Blockcommonitor\Q8sYjEW8L9fGjuU7hv1qT.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Blockcommonitor\Containerwebwin.exe
        
        "C:\Blockcommonitor\Containerwebwin.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96858e0c-743b-4aa3-b216-e306cec3841b.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e3c959d-f3bc-448e-aa7f-4d58b19830a4.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3eb50b8-7b5d-45a6-92f6-51a10624e2a0.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8a0aa21-64fa-4259-be4b-17ea5ee2494a.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3990d7bc-dc7b-4dca-a7e5-f3c6d1938674.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ed4709b-c360-4eff-b2ac-25e8ea323da8.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8e8b9c3-bf75-467e-8281-b19db3bdedf4.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1afcea5c-3a8c-4fb1-9e57-2e494a1de00b.vbs"
        23⤵
        
        PID:3672
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4964eea6-2484-4f6a-8c00-103fa0922cd8.vbs"
        25⤵
        
        PID:4440
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\620c4f1f-11bb-4c09-a57e-a852e1681d3d.vbs"
        27⤵
        
        PID:3680
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0682199-3a48-4cfa-ba4c-bfe8b7bf76f7.vbs"
        29⤵
        
        PID:2100
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c83bba72-6a4d-4148-ae11-ea1df719d7ab.vbs"
        31⤵
        
        PID:980
        
        C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e041a3a2-7172-4e10-b11c-ea0bc9ef25f1.vbs"
        33⤵
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24907b51-d1b0-4b3c-b817-ea57c6985d5f.vbs"
        33⤵
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0de30c60-75d4-49fd-bc16-558f579f193f.vbs"
        31⤵
        
        PID:4152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56a5899f-96f5-44d4-a408-4d67dde4b867.vbs"
        29⤵
        
        PID:3380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\053f2081-646a-45ec-89ea-7b083cd27acf.vbs"
        27⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54296a3e-bee2-493e-b403-6ff02758da28.vbs"
        25⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a8c69b0-2981-4bfd-a2a2-f3d959157fa4.vbs"
        23⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83b3f7da-485f-4a46-a78f-d5eeb5aaab6a.vbs"
        21⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d7316a3-ce28-4cad-b708-42cb9ce6d675.vbs"
        19⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9751a7-2c35-474e-9380-9904b2cec895.vbs"
        17⤵
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1567a2a-8340-4b96-879d-4fbe38a06646.vbs"
        15⤵
        
        PID:4380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c733ca93-6fa4-4e9c-8998-7ab5d4bb1236.vbs"
        13⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c438da12-0c96-449c-8280-868b7c2044d9.vbs"
        11⤵
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac7838a6-393e-4123-8017-d6131c78bbbf.vbs"
        9⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Blockcommonitor\file.vbs"
        5⤵
        
        PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Blockcommonitor\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Blockcommonitor\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Blockcommonitor\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Blockcommonitor\Containerwebwin.exe

Filesize
2.6MB

MD5
e105ab45b46d7884e37e6dd909021c71

SHA1
713c42873b09df7b9b2c1a72b4193b75788dc6a6

SHA256
7840d1f25cb39fc847cd1003d095cf10ac9f26fd15397b6e9eaf34f860106a33

SHA512
ded9d015dbfbbae0bdfcb5871cfbf87077e4e339f974d497930acc70b32686157a636b29f23da1cde0a6eee6e899debcb9f5ab4aaec5ec9adaa6375fd264d707

Download Submit
C:\Blockcommonitor\Q8sYjEW8L9fGjuU7hv1qT.bat

Filesize
40B

MD5
d68aa7ed0a0ed53939d0996767a56021

SHA1
900609028724f7b980ff505416c483ca7162ae0e

SHA256
c7aeb05c3d3be57d16aa94c28b376e2977a47ebe2566544b3072450d876d489b

SHA512
d1c944ff37b5a52426dfeebc6790fc5b9d9e403ace26a1a95c571ec630d925ff537b7a22a90176efdab17e2d8b77e76e51b04e3a8fdd07ccb6e8e8b03f7379fc

Download Submit
C:\Blockcommonitor\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Blockcommonitor\jZZXJTfXw.vbe

Filesize
213B

MD5
e36321449d4449688960a4ef8374c9bb

SHA1
2414a6fb6b2752525ee5959b0a4356ec080c5ebf

SHA256
d39231d19b973edcd275ad9cea944942a444d4d1f67ea18b356e248cacef53d6

SHA512
44dd2c67a1d1b73a7fe1bab19048ead24fdc6886ab95b855cde6ae0b8ea0a04ea87d253a0800d0616af618d09fe560813b61ad200e82cd39bf50761f1ac1973f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
49b64127208271d8f797256057d0b006

SHA1
b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

SHA256
2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

SHA512
f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1afcea5c-3a8c-4fb1-9e57-2e494a1de00b.vbs

Filesize
733B

MD5
33e1d850bb3bdadca96db654c4b616c5

SHA1
ea9c2abc5667c65562208124d2625f4a7f3a1260

SHA256
4f69e97b0dfee16f29724f8ced0d5ccf0fafa86d4d798f3c25d1c599f1a08e61

SHA512
30a5a5340659c834afc0805f6144a965477eba8ca0b5cbe3a73565b2ea3efbc1abe92078dc4fd73fc68b2f429b43d1fab93cdc5212886ac8ec96730e31e964df

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ed4709b-c360-4eff-b2ac-25e8ea323da8.vbs

Filesize
733B

MD5
726e3ce7406abf6b29d99715f35131d9

SHA1
5662c848916b5dbc1624413060538907925fe52c

SHA256
02a549a8a37d3f60a2c877a5c6f6fc8759563be1c9a56ad41ed194e5625f834b

SHA512
d0d0cc2e286390f577093f5c5ab9e76fd94f1b1bf22eabf90c7feadaaa8f838ef0c0038e19a2478d76d1dd16ef6409990dbf8f7e5a6cbe01f82409e7773e8e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\3990d7bc-dc7b-4dca-a7e5-f3c6d1938674.vbs

Filesize
733B

MD5
997cfa06f936e6324caacf3b20616df3

SHA1
6fe9cc1424e694f3780ae05ad9711abd6c1650f0

SHA256
8dd8848e1445b0efcb3ae69ba0ee7f00780648ebd9b95dd3d5b6e97c83e4fc6b

SHA512
35d2558e2ec88ed4fb11e20b2c79e15f448cb41e1ccc35d170adfbe37de053e1bb5aea0d43e5e61d81e659f677c57493178464d2436840e92635b495f143f39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4964eea6-2484-4f6a-8c00-103fa0922cd8.vbs

Filesize
733B

MD5
2d38e761fc37fee512f33ac477432093

SHA1
ee30d4252ab70dbcddb04b1d5703b48be212341b

SHA256
bbb6172a45ebfc052b4d8b5c510528ab17b2a8fe8da35bdcc901ffec7624f1f4

SHA512
4273a84fc11ec2d094663ebbb0fe9c03f38d479f88ced370911cf2237d6eacd8e3e5d1dbe111c138cb933c52171a752b01029f4e440e329a27605978687da345

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e3c959d-f3bc-448e-aa7f-4d58b19830a4.vbs

Filesize
733B

MD5
98afca523b92386ebd5a2161315e874f

SHA1
47f0800423f734efd2e2daf7b41a17ada4068d8b

SHA256
ed2209aabe550e00f3d494e285ee0959b6e926cfcdda970f4981332bf9a03ff9

SHA512
c8f20b6a49551773844a72bd25289552235b4ad2c4d9a592945427848acbab153342fccc9ebc282800192be976b5a5293eec1b743f7c59954f1b75eb4c7d3fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\620c4f1f-11bb-4c09-a57e-a852e1681d3d.vbs

Filesize
733B

MD5
1bb7110f30bc736467813676af346049

SHA1
fc82af95bfcf1c1acf6a83256c3ae71604c6a43c

SHA256
1ddcf2b6a2b202539eb47045ba08a84ad2bff22df43384cb90ff8912ae7753c1

SHA512
f88be44f83145e3a2fd36463f20692390666cc460fd84aee966501375a7575348836c68fa9fa6f1be83dc97137d7954aab1ae75f8d25a217c97287689abab93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96858e0c-743b-4aa3-b216-e306cec3841b.vbs

Filesize
733B

MD5
38299c1797a65604d010b1fd4053c7c7

SHA1
5d6ff217ce8f6c8b257d420f54795e1a38854a2a

SHA256
35fcbd06250117a482ece87bd14ef2f491a9c5679c0c7a04d6a089aef6f154ac

SHA512
435d7596306e460517e5189a04d3fae8f7c84d47719320ddd64370c707f8f45faf6bd2c6a279aeb6307bbdb3abb15696ab0b3a545279f4714da88c593c710e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0682199-3a48-4cfa-ba4c-bfe8b7bf76f7.vbs

Filesize
733B

MD5
a131cbfaf03c7061248ecb2d48f1e8a9

SHA1
eb76a72493a01bb0fcac52ab30edd9db020969ed

SHA256
6952ba72507bd56011143443e955537a0d9a6be479a0af8573ac41724b43fe61

SHA512
e528475f389d2be5c3ee05dff12fb94b7ac6ac61f2ed68ddc6758536b77f643cd90403b153ec6d923c23a86a30ebc62c7e0fa245c1d8bdd509268fd62aa51d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac7838a6-393e-4123-8017-d6131c78bbbf.vbs

Filesize
509B

MD5
ae1ccfa8e2d489a7b4c8d5195b1262ad

SHA1
3aafeb1a72b33a5a355a3a78693f2d4fd232c233

SHA256
967f2f0558ba4cabd300ca8ac6c00521e91e39cc32da06254535197d3e8c6f92

SHA512
2f9da3a5ef83b5b5651a19dde94787da42bebecd1f4601a785fa59076857025933da5ff7b56baecd7be693208d9e7e910df34775fde9440f56cad2a68641845c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8a0aa21-64fa-4259-be4b-17ea5ee2494a.vbs

Filesize
732B

MD5
dca979b182c5304f08e224846454e8f0

SHA1
92861541490e81f8e06fb5fc6a77d22a4314d690

SHA256
a54b8ac9d48f95d1598c4f7d747e2f53297f21d0445d927da0591236652da807

SHA512
e4039659fd9652515cc47a24be134c25f815c7485524b38b2ce1d32da8c283c896bdcb2ab6984dec51bf71e3bb8a6b569d00dd9f9d1a0042de3da748d6bb38d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c83bba72-6a4d-4148-ae11-ea1df719d7ab.vbs

Filesize
733B

MD5
5d600debfb199ab61b87bf8ffde928e3

SHA1
94cfb86e40f16ee202e96db73b60c5698c9cd243

SHA256
dd04a6e82901d4861caad088046745e3da5c18d8ce708e72adf1ba3ea65deec7

SHA512
ffe690978704eebe770bd280e0df82c930e6782a5afe40ba4b735709cd03161b3d10cb9c94e862c623d3808c1a1afaf12246d252a9e854ecb1e816be8fb75bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3eb50b8-7b5d-45a6-92f6-51a10624e2a0.vbs

Filesize
733B

MD5
58d788fbaee8f284557e9844b65a186d

SHA1
3cd9db4d581b88a860a38952f56712c9e95fa4bd

SHA256
43a9b88308e0b8bae384e31e1e2f50245884b3d6158a92e79a0c53eb8fafc311

SHA512
fca3a6457c44491dfa28c81206930c63bbd2fc5c488450618d65703dc539443b0eefc285bcceb735b2c80489485d8ef747808ca79c01d3695eddc8185c488fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e041a3a2-7172-4e10-b11c-ea0bc9ef25f1.vbs

Filesize
733B

MD5
0989ea87056f64d876597c5cb819b548

SHA1
a2f644bf98b3b22b9b27a45d615a2cdc1f040c07

SHA256
3f95ae688af90495dac07c152a029f13ef89599937b85f3f8e17bad7afba6f43

SHA512
9019563388eb735fe51ca62e9d997336abe0622ba6076fd57cbbc07308a3473a3b43fb6c3f9b2c864a9de804aca2faef37c432066237baa730b554dd207754ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8e8b9c3-bf75-467e-8281-b19db3bdedf4.vbs

Filesize
733B

MD5
05a4ab2aa90d952116769e858efa0735

SHA1
0457a8636d031d25cffb58a41ec7859077185017

SHA256
a59576102a580e8ca3a5a8d54f91313b2de213240a8836ea2843ed13d9b2ba24

SHA512
d98d6ba46e610644689641d57fb75c5be73323c42f12b23cd06ace7b825f221b6379093969b28fcb242ee0dc6b5a9a937b94d9c82790687e5980eccc7010481d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe

Filesize
2.9MB

MD5
293b6f4b745915079b40780365ed39dd

SHA1
20488972b4e32ba9829467e4241f155dbf044758

SHA256
98eb2ad98cc87ba4360821d2f829bc7d7fa188876c6d10f7698e19d0289a558f

SHA512
de49315a5134a55d1cac17425a3056a77d91a90f5bc726f3e69986f0458ffbf85236fdcf0a1bbd084e25ea952363bb1acfe8290928a71ce5769a1935e742b497

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe

Filesize
2.7MB

MD5
afda7cb58731fe6b387ced3d36e46d4f

SHA1
50e44067d2541b1bfd5517c7dc46d51c0f415a05

SHA256
aaa1b9d0ad8da53b5f751de4e9f96add9821d45003777a909ebe064c098dc037

SHA512
50f082f5e802921c04bb467ae1cec6049bfe8e4c6e2f6d969db845cabda80339b4958fa2ed4cbf8d66529e39dcdcb9c8a3a2283ac89c5c8581f12578814c9d7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat

Filesize
24B

MD5
e9346834d9fae22f2efbb5ad85499996

SHA1
0ab244641b14e68290dfa98f8d50414c501e8778

SHA256
8776711ae3319db0babedd398b89268cfe69884e265a43d7e1bb7ed0b57ba284

SHA512
0c0e206e4ff9f680f71965cf346ec07f5eb04e5e970fefc1d9c5cd52286b6bd3340de0308cef9dc583e0ec61c9dc0b627c23125cbb1fe9f7cce8dd7a4a0ae995

Download Submit
memory/668-40-0x000000001B890000-0x000000001B8A6000-memory.dmp

Filesize
88KB

Download
memory/668-46-0x000000001BFA0000-0x000000001BFAC000-memory.dmp

Filesize
48KB

Download
memory/668-50-0x000000001BFE0000-0x000000001BFE8000-memory.dmp

Filesize
32KB

Download
memory/668-51-0x000000001BFF0000-0x000000001BFFC000-memory.dmp

Filesize
48KB

Download
memory/668-36-0x0000000000AA0000-0x0000000000D36000-memory.dmp

Filesize
2.6MB

Download
memory/668-48-0x000000001BFC0000-0x000000001BFCE000-memory.dmp

Filesize
56KB

Download
memory/668-37-0x0000000002E20000-0x0000000002E2E000-memory.dmp

Filesize
56KB

Download
memory/668-38-0x000000001B870000-0x000000001B88C000-memory.dmp

Filesize
112KB

Download
memory/668-47-0x000000001BFB0000-0x000000001BFBA000-memory.dmp

Filesize
40KB

Download
memory/668-49-0x000000001BFD0000-0x000000001BFD8000-memory.dmp

Filesize
32KB

Download
memory/668-45-0x000000001C8B0000-0x000000001CDD8000-memory.dmp

Filesize
5.2MB

Download
memory/668-44-0x000000001BF70000-0x000000001BF82000-memory.dmp

Filesize
72KB

Download
memory/668-43-0x000000001BF60000-0x000000001BF68000-memory.dmp

Filesize
32KB

Download
memory/668-42-0x0000000002E30000-0x0000000002E3C000-memory.dmp

Filesize
48KB

Download
memory/668-39-0x000000001BF10000-0x000000001BF60000-memory.dmp

Filesize
320KB

Download
memory/668-41-0x000000001BEC0000-0x000000001BF16000-memory.dmp

Filesize
344KB

Download
memory/1516-194-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/3536-94-0x000000001BF20000-0x000000001BF32000-memory.dmp

Filesize
72KB

Download
memory/3536-93-0x000000001BF80000-0x000000001BFD6000-memory.dmp

Filesize
344KB

Download
memory/4364-81-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download