Malware Analysis Report

2024-11-13 13:46

Sample ID 240717-hzyyyatbpb
Target 76552F8BD7533C66BC900C75ABDC0EA7.exe
SHA256 7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f

Threat Level: Known bad

The file 76552F8BD7533C66BC900C75ABDC0EA7.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-17 07:11

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 07:11

Reported

2024-07-17 07:13

Platform

win7-20240704-en

Max time kernel

125s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Windows Defender\explorer.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\6cb0b6c459d5d3 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files\Windows Defender\es-ES\088424020bedd6 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Windows Defender\7a0fd90576e088 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\hostNet.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\051ac21cd939b1 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\dwm.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files\Windows Defender\es-ES\conhost.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\de-DE\conhost.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Windows\de-DE\088424020bedd6 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\DefaultIcon C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347 C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\URL Protocol C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open\command C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\discord-1199748644409184347\shell\open C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\surrogatereviewRuntimebrokerMonitor\conhost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\surrogatereviewRuntimebrokerMonitor\conhost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\surrogatereviewRuntimebrokerMonitor\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
Token: SeDebugPrivilege N/A C:\surrogatereviewRuntimebrokerMonitor\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2508 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2508 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2508 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 2508 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2508 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2508 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2508 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2172 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2172 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2712 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2872 wrote to memory of 2800 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2800 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2800 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2800 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
PID 2800 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
PID 2800 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
PID 2800 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
PID 2644 wrote to memory of 592 N/A C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe C:\Windows\System32\cmd.exe
PID 2644 wrote to memory of 592 N/A C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe C:\Windows\System32\cmd.exe
PID 2644 wrote to memory of 592 N/A C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe C:\Windows\System32\cmd.exe
PID 592 wrote to memory of 1104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 592 wrote to memory of 1104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 592 wrote to memory of 1104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 592 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\conhost.exe
PID 592 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\conhost.exe
PID 592 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe

"C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "

C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe

"C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hostNet" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hostNeth" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\it-IT\hostNet.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\ba13f242-3a65-11ef-94cb-d685e2345d05\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\surrogatereviewRuntimebrokerMonitor\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uZdpTwG6ox.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\surrogatereviewRuntimebrokerMonitor\conhost.exe

"C:\surrogatereviewRuntimebrokerMonitor\conhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cr55307.tw1.ru udp
RU 185.114.247.170:80 cr55307.tw1.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 185.114.247.170:80 cr55307.tw1.ru tcp
RU 185.114.247.170:80 cr55307.tw1.ru tcp

Files

\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

MD5 c137c5f5287d73a94d55bc18df238303
SHA1 95b4b01775bea14feaaa462c98d969eb81696d2c
SHA256 d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512 ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 d5073e19a3ad042b1f759bcd13a65a3f
SHA1 9df8b87566284b169e56ee4a8b78d72ce2e3e5aa
SHA256 28aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b
SHA512 89c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e

memory/2508-12-0x0000000000400000-0x000000000053F000-memory.dmp

C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe

MD5 67ef89a77b03bfa1932cc54db6dce88f
SHA1 a2afed6d40b91cb6d48a7023fea05c0853437050
SHA256 67b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30
SHA512 7bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652

C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat

MD5 fbbcc9f113a6c0c84210f8550cffca28
SHA1 b3e94b80d166ad9c71260ce9674b7edd5d00aa25
SHA256 fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f
SHA512 f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8

\surrogatereviewRuntimebrokerMonitor\hostNet.exe

MD5 bc8b1b7e6c72022131728dd99627e1d3
SHA1 0dcd162ee7a24204fb032b5e02d3f99c185e82bf
SHA256 60e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a
SHA512 9dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340

memory/2644-27-0x00000000012F0000-0x00000000013C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uZdpTwG6ox.bat

MD5 47e49721ea8091840d99555c83649513
SHA1 84882c7331314dc1de39b4839eaca0b89c9b62c9
SHA256 ce915c24d44041174160af04fb6dd3e3b6879946626b6c9c95f300870702b4f7
SHA512 7a9b65a257b3ad33a18ccadf1a20efeda83753143c12df173c561a9d9bad93a0b9608ace77f82a4a99d0b11d4b636d51de791e6588cc03b6c2e380495d43766a

memory/2356-59-0x0000000000E20000-0x0000000000EF6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 07:11

Reported

2024-07-17 07:13

Platform

win10v2004-20240709-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Common Files\System\uk-UA\ea1d8f6d871115 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Windows Defender\es-ES\088424020bedd6 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\RuntimeBroker.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Windows\L2Schemas\9e8d7a4ca61bd9 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\csrss.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Windows\SKB\LanguageModels\explorer.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
File created C:\Windows\SKB\LanguageModels\7a0fd90576e088 C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347 C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\ = "URL:Run game 1199748644409184347 protocol" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\URL Protocol C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe" C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\DefaultIcon C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell\open\command C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\discord-1199748644409184347\shell\open C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 4924 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
PID 4924 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 4924 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 4924 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 1036 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe C:\Windows\system32\cmd.exe
PID 2796 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2796 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2796 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 228 wrote to memory of 3728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3728 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3728 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
PID 3728 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe
PID 908 wrote to memory of 2632 N/A C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe
PID 908 wrote to memory of 2632 N/A C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe

"C:\Users\Admin\AppData\Local\Temp\76552F8BD7533C66BC900C75ABDC0EA7.exe"

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat" "

C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe

"C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\surrogatereviewRuntimebrokerMonitor\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\surrogatereviewRuntimebrokerMonitor\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\surrogatereviewRuntimebrokerMonitor\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\surrogatereviewRuntimebrokerMonitor\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\System\uk-UA\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\surrogatereviewRuntimebrokerMonitor\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\surrogatereviewRuntimebrokerMonitor\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\surrogatereviewRuntimebrokerMonitor\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f

C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe

"C:\Users\All Users\regid.1991-06.com.microsoft\sihost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 cr55307.tw1.ru udp
RU 185.114.247.170:80 cr55307.tw1.ru tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 185.114.247.170:80 cr55307.tw1.ru tcp
US 8.8.8.8:53 170.247.114.185.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 185.114.247.170:80 cr55307.tw1.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe

MD5 c137c5f5287d73a94d55bc18df238303
SHA1 95b4b01775bea14feaaa462c98d969eb81696d2c
SHA256 d294856177658df0159cfe937e5ea95a8ee8a2ca85754d897aea3bb5d0d962c0
SHA512 ba595d185ae98152658ce95964fd6bcce7e970896b0b1c674a142d126cf0433094debcd25527d9b4f5a6568cc5a8a42aeaef536166748eea3973f8b694564aa5

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 d5073e19a3ad042b1f759bcd13a65a3f
SHA1 9df8b87566284b169e56ee4a8b78d72ce2e3e5aa
SHA256 28aee210bbeacee17831ab5acaa78551bb3c981ec8018ba3d0c2332178294e8b
SHA512 89c210bf7bccf524b2dc26d5ba574c06e7c5e7233932d2f98ddf37665542c170d99589c60fd3a1d9c92b322e3c1f8694988a8f446904a4155ee495bd9cb3171e

memory/4924-14-0x0000000000400000-0x000000000053F000-memory.dmp

C:\surrogatereviewRuntimebrokerMonitor\MUbLhzNCHv2Ljaa6Ortas1tSg5Ijz.vbe

MD5 67ef89a77b03bfa1932cc54db6dce88f
SHA1 a2afed6d40b91cb6d48a7023fea05c0853437050
SHA256 67b88c35860e20d6b83ca746c93088b98e0eb0ecfd913e769e1353e1809bef30
SHA512 7bf14a84e8af2ed04908666ef48233da887d856724c91e3ae3d80bda19b50d47681b5e3e8ae39de2e434c1af5d47f945af2ed0b0b2b3ae7a46987f8b3e962652

C:\surrogatereviewRuntimebrokerMonitor\QoneXY9Lni2fLPRVpDBSwrtS8.bat

MD5 fbbcc9f113a6c0c84210f8550cffca28
SHA1 b3e94b80d166ad9c71260ce9674b7edd5d00aa25
SHA256 fdb006c74fb6e8d52546f9cbf5cbc86cd39905eac5bf29536d1e1a8d3332846f
SHA512 f434c8e5ad16219c4a526690c9e8bf3a139df51439fb047a0fcd77e1e939c3fb53ef4d71c0609520fb522f7bcd34f3aab192df083dd3fa75d68724d26efd03b8

C:\surrogatereviewRuntimebrokerMonitor\hostNet.exe

MD5 bc8b1b7e6c72022131728dd99627e1d3
SHA1 0dcd162ee7a24204fb032b5e02d3f99c185e82bf
SHA256 60e5109f2ee7a7ff493ea0cb43cd182f22a6a2769561f030bc4668a46d8c6d7a
SHA512 9dae0a6cd1d6a26f6f03e00755dd0c05a41bcda787dc3fd6d245672058d7eed0c54b4aabdadb65c42341707e942603b0a01dbb442148949b8b7229197abca340

memory/908-29-0x0000000000C60000-0x0000000000D36000-memory.dmp