Malware Analysis Report

2025-08-10 14:27

Sample ID 240730-pjcjbsybjr
Target SampCheat.zip
SHA256 b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085
Tags
dcrat xred backdoor discovery execution infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4e0a7e5019643db5b46529c37c22173b1001d59030f1d711492aa3387445085

Threat Level: Known bad

The file SampCheat.zip was found to be: Known bad.

Malicious Activity Summary

dcrat xred backdoor discovery execution infostealer persistence rat

Xred

Process spawned unexpected child process

Xred family

Modifies WinLogon for persistence

Dcrat family

DcRat

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Scheduled Task/Job: Scheduled Task

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-30 12:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-30 12:21

Reported

2024-07-30 12:22

Platform

win11-20240709-en

Max time kernel

61s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SampCheat.exe"

Signatures

DcRat

rat infostealer dcrat

Dcrat family

dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Windows\\Branding\\shellbrd\\wininit.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Windows\\Branding\\shellbrd\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\fontdrvhost.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Windows\\Branding\\shellbrd\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\fontdrvhost.exe\", \"C:\\MsAgentBrowserdhcp\\spoolsv.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\", \"C:\\Users\\Admin\\RuntimeBroker.exe\", \"C:\\Windows\\Branding\\shellbrd\\wininit.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\fontdrvhost.exe\", \"C:\\MsAgentBrowserdhcp\\spoolsv.exe\", \"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 18

Xred

backdoor xred

Xred family

xred

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\Synaptics = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Admin\\RuntimeBroker.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Branding\\shellbrd\\wininit.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MsAgentBrowserdhcp\\spoolsv.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\SampCheat.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Branding\\shellbrd\\wininit.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\fontdrvhost.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\fontdrvhost.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MsAgentBrowserdhcp\\spoolsv.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synaptics = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\en-US\\Synaptics.exe\"" C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC177E7DC6B824077B499109FF66BE3D1.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\mk3jii.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\c6f8bd924b61fb C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Branding\shellbrd\wininit.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
File created C:\Windows\Branding\shellbrd\56085415360792 C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SampCheat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\SampCheat.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A 59
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 5

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 6
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2776 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe 3
PID 2776 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\SampCheat.exe C:\ProgramData\Synaptics\Synaptics.exe 3
PID 2964 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe C:\Windows\SysWOW64\WScript.exe 3
PID 2612 wrote to memory of 808 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe 3
PID 808 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\SysWOW64\WScript.exe 3
PID 1384 wrote to memory of 380 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 380 wrote to memory of 5808 N/A C:\Windows\SysWOW64\cmd.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe 2
PID 868 wrote to memory of 5108 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 5108 wrote to memory of 3736 N/A C:\Windows\SysWOW64\cmd.exe C:\MsAgentBrowserdhcp\Bridgesurrogate.exe 2
PID 5808 wrote to memory of 3252 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 2
PID 3252 wrote to memory of 1212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe 2
PID 5808 wrote to memory of 3116 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5808 wrote to memory of 4756 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5808 wrote to memory of 4636 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5808 wrote to memory of 2452 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5808 wrote to memory of 2128 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5808 wrote to memory of 2220 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5808 wrote to memory of 3564 N/A C:\MsAgentBrowserdhcp\Bridgesurrogate.exe C:\Windows\System32\cmd.exe 2
PID 3564 wrote to memory of 5736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com 2
PID 3564 wrote to memory of 2456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 3564 wrote to memory of 5512 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe 2

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SampCheat.exe

"C:\Users\Admin\AppData\Local\Temp\SampCheat.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_SampCheat.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "

C:\MsAgentBrowserdhcp\Bridgesurrogate.exe

"C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "

C:\MsAgentBrowserdhcp\Bridgesurrogate.exe

"C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SynapticsS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Synaptics" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SynapticsS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x4hizs0l\x4hizs0l.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC999.tmp" "c:\Windows\System32\CSC177E7DC6B824077B499109FF66BE3D1.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\shellbrd\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MsAgentBrowserdhcp\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MsAgentBrowserdhcp\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 11 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 9 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l6onJHxmYw.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe

"C:\Program Files (x86)\Windows Photo Viewer\en-US\Synaptics.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp

Files
