cd0f7fb1020a931c98c7c258241f06292cb9b7cab8e9acdb4010f4d56f076ef6

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 13:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MinecraftFpsMod.exe
Size

6.6MB
MD5

73d7e637cd16f1f807930fa6442436df
SHA1

26c13b2c29065485ce1858d85d9dc792c06ed052
SHA256

cd0f7fb1020a931c98c7c258241f06292cb9b7cab8e9acdb4010f4d56f076ef6
SHA512

f3561a2090e70b6a2a7c4070daebce1b9ff269fef1a8ca6297c20eb28170675eec7c689d05a05a00b8ddb2d1c2c82639c5d53f63782c0460acd4d3aa95328922
SSDEEP

49152:AnsHyjtk2MYC5GDuBJIopGdJ3Rjl4eZK4qgTouABRCXO8DSTYa:Ansmtk2aTeo4dJhjieLq37z8mka

Score

10^/10

discovery execution persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Users\\Admin\\Start Menu\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\System.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Users\\Admin\\Start Menu\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\System.exe\", \"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Users\\Admin\\Start Menu\\wininit.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\", \"C:\\Users\\Admin\\Start Menu\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\""	Bridgesurrogate.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1432	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1432	schtasks.exe	43

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2852	powershell.exe
2856	powershell.exe
856	powershell.exe
2504	powershell.exe
2016	powershell.exe
2472	powershell.exe

Executes dropped EXE 16 IoCs

pid	Process
560	._cache_MinecraftFpsMod.exe
1860	Synaptics.exe
2828	._cache_Synaptics.exe
1856	Bridgesurrogate.exe
2028	Bridgesurrogate.exe
316	lsass.exe
996	lsass.exe
2692	lsass.exe
2860	lsass.exe
2776	lsass.exe
1544	lsass.exe
1964	lsass.exe
1080	lsass.exe
2076	lsass.exe
1332	lsass.exe
2504	lsass.exe

Loads dropped DLL 8 IoCs

pid	Process
576	MinecraftFpsMod.exe
576	MinecraftFpsMod.exe
576	MinecraftFpsMod.exe
1860	Synaptics.exe
1860	Synaptics.exe
1300	cmd.exe
1300	cmd.exe
1156	cmd.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\System.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Start Menu\\wininit.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	MinecraftFpsMod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\wininit.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Start Menu\\wininit.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\System.exe\""	Bridgesurrogate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgesurrogate = "\"C:\\MsAgentBrowserdhcp\\Bridgesurrogate.exe\""	Bridgesurrogate.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe
File created	\??\c:\Windows\System32\CSCD0E800AFFDF34A4881E0568DEE4E1A8.TMP	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\System.exe	Bridgesurrogate.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\System.exe	Bridgesurrogate.exe
File created	C:\Program Files\VideoLAN\VLC\lua\27d1bcfc3c54e0	Bridgesurrogate.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe	Bridgesurrogate.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\6203df4a6bafc7	Bridgesurrogate.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	Bridgesurrogate.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	Bridgesurrogate.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-t..libraries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ab1b22ba2dcdbb62\cmd.exe	Bridgesurrogate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinecraftFpsMod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_MinecraftFpsMod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1848	PING.EXE
2520	PING.EXE
2444	PING.EXE
536	PING.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1848	PING.EXE
2520	PING.EXE
2444	PING.EXE
536	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1532	schtasks.exe
1748	schtasks.exe
2692	schtasks.exe
2328	schtasks.exe
2384	schtasks.exe
280	schtasks.exe
2268	schtasks.exe
1936	schtasks.exe
3016	schtasks.exe
1712	schtasks.exe
1660	schtasks.exe
2396	schtasks.exe
572	schtasks.exe
2824	schtasks.exe
1444	schtasks.exe
1564	schtasks.exe
2320	schtasks.exe
2212	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2588	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe
1856	Bridgesurrogate.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	Bridgesurrogate.exe
Token: SeDebugPrivilege	2028	Bridgesurrogate.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	316	lsass.exe
Token: SeDebugPrivilege	996	lsass.exe
Token: SeDebugPrivilege	2692	lsass.exe
Token: SeDebugPrivilege	2860	lsass.exe
Token: SeDebugPrivilege	2776	lsass.exe
Token: SeDebugPrivilege	1544	lsass.exe
Token: SeDebugPrivilege	1964	lsass.exe
Token: SeDebugPrivilege	1080	lsass.exe
Token: SeDebugPrivilege	2076	lsass.exe
Token: SeDebugPrivilege	1332	lsass.exe
Token: SeDebugPrivilege	2504	lsass.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 560	576	MinecraftFpsMod.exe	31
PID 576 wrote to memory of 560	576	MinecraftFpsMod.exe	31
PID 576 wrote to memory of 560	576	MinecraftFpsMod.exe	31
PID 576 wrote to memory of 560	576	MinecraftFpsMod.exe	31
PID 560 wrote to memory of 2968	560	._cache_MinecraftFpsMod.exe	32
PID 560 wrote to memory of 2968	560	._cache_MinecraftFpsMod.exe	32
PID 560 wrote to memory of 2968	560	._cache_MinecraftFpsMod.exe	32
PID 560 wrote to memory of 2968	560	._cache_MinecraftFpsMod.exe	32
PID 576 wrote to memory of 1860	576	MinecraftFpsMod.exe	33
PID 576 wrote to memory of 1860	576	MinecraftFpsMod.exe	33
PID 576 wrote to memory of 1860	576	MinecraftFpsMod.exe	33
PID 576 wrote to memory of 1860	576	MinecraftFpsMod.exe	33
PID 1860 wrote to memory of 2828	1860	Synaptics.exe	34
PID 1860 wrote to memory of 2828	1860	Synaptics.exe	34
PID 1860 wrote to memory of 2828	1860	Synaptics.exe	34
PID 1860 wrote to memory of 2828	1860	Synaptics.exe	34
PID 2828 wrote to memory of 2624	2828	._cache_Synaptics.exe	36
PID 2828 wrote to memory of 2624	2828	._cache_Synaptics.exe	36
PID 2828 wrote to memory of 2624	2828	._cache_Synaptics.exe	36
PID 2828 wrote to memory of 2624	2828	._cache_Synaptics.exe	36
PID 2968 wrote to memory of 1300	2968	WScript.exe	37
PID 2968 wrote to memory of 1300	2968	WScript.exe	37
PID 2968 wrote to memory of 1300	2968	WScript.exe	37
PID 2968 wrote to memory of 1300	2968	WScript.exe	37
PID 1300 wrote to memory of 1856	1300	cmd.exe	39
PID 1300 wrote to memory of 1856	1300	cmd.exe	39
PID 1300 wrote to memory of 1856	1300	cmd.exe	39
PID 1300 wrote to memory of 1856	1300	cmd.exe	39
PID 2624 wrote to memory of 1156	2624	WScript.exe	40
PID 2624 wrote to memory of 1156	2624	WScript.exe	40
PID 2624 wrote to memory of 1156	2624	WScript.exe	40
PID 2624 wrote to memory of 1156	2624	WScript.exe	40
PID 1156 wrote to memory of 2028	1156	cmd.exe	42
PID 1156 wrote to memory of 2028	1156	cmd.exe	42
PID 1156 wrote to memory of 2028	1156	cmd.exe	42
PID 1156 wrote to memory of 2028	1156	cmd.exe	42
PID 1856 wrote to memory of 1640	1856	Bridgesurrogate.exe	47
PID 1856 wrote to memory of 1640	1856	Bridgesurrogate.exe	47
PID 1856 wrote to memory of 1640	1856	Bridgesurrogate.exe	47
PID 1640 wrote to memory of 900	1640	csc.exe	49
PID 1640 wrote to memory of 900	1640	csc.exe	49
PID 1640 wrote to memory of 900	1640	csc.exe	49
PID 1856 wrote to memory of 856	1856	Bridgesurrogate.exe	65
PID 1856 wrote to memory of 856	1856	Bridgesurrogate.exe	65
PID 1856 wrote to memory of 856	1856	Bridgesurrogate.exe	65
PID 1856 wrote to memory of 2856	1856	Bridgesurrogate.exe	66
PID 1856 wrote to memory of 2856	1856	Bridgesurrogate.exe	66
PID 1856 wrote to memory of 2856	1856	Bridgesurrogate.exe	66
PID 1856 wrote to memory of 2504	1856	Bridgesurrogate.exe	67
PID 1856 wrote to memory of 2504	1856	Bridgesurrogate.exe	67
PID 1856 wrote to memory of 2504	1856	Bridgesurrogate.exe	67
PID 1856 wrote to memory of 2852	1856	Bridgesurrogate.exe	68
PID 1856 wrote to memory of 2852	1856	Bridgesurrogate.exe	68
PID 1856 wrote to memory of 2852	1856	Bridgesurrogate.exe	68
PID 1856 wrote to memory of 2472	1856	Bridgesurrogate.exe	69
PID 1856 wrote to memory of 2472	1856	Bridgesurrogate.exe	69
PID 1856 wrote to memory of 2472	1856	Bridgesurrogate.exe	69
PID 1856 wrote to memory of 2016	1856	Bridgesurrogate.exe	70
PID 1856 wrote to memory of 2016	1856	Bridgesurrogate.exe	70
PID 1856 wrote to memory of 2016	1856	Bridgesurrogate.exe	70
PID 1856 wrote to memory of 2612	1856	Bridgesurrogate.exe	77
PID 1856 wrote to memory of 2612	1856	Bridgesurrogate.exe	77
PID 1856 wrote to memory of 2612	1856	Bridgesurrogate.exe	77
PID 2612 wrote to memory of 2584	2612	cmd.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MinecraftFpsMod.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftFpsMod.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\._cache_MinecraftFpsMod.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_MinecraftFpsMod.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
        
        "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2ufhk3a\s2ufhk3a.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6C.tmp" "c:\Windows\System32\CSCD0E800AFFDF34A4881E0568DEE4E1A8.TMP"
        7⤵
        
        PID:900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f9hG5v9VzW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1624
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rAx8WBe6mr.bat"
        8⤵
        
        PID:2396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1984
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IMqqsTTOd.bat"
        10⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ItcmNmazXC.bat"
        12⤵
        
        PID:2744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1952
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xj8aQTjKDO.bat"
        14⤵
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:588
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat"
        16⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2100
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJeeA8Mqtp.bat"
        18⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2520
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat"
        20⤵
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"
        22⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2820
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        24⤵
        
        PID:444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:536
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qZ8E8OSIiX.bat"
        26⤵
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2080
        
        C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe
        
        "C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
        
        "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\lua\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 13 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bridgesurrogate" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 10 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat

Filesize
86B

MD5
f0817915454c14a131a03bb1e970a3d9

SHA1
40bba77a1b68a36053d1cfce4a8820eeef1108df

SHA256
9983f72ca78bee90d64610d7bd9bce46c075674f22307494ad40982ff760978d

SHA512
00a97f09edc0824207fe5bf10e6d7ab903740bfb507db085b912e58a62f8ec814f05940bcb263163bec71e71def1ff9868fedd7b0348b4146a70198a00606c66

Download Submit
C:\MsAgentBrowserdhcp\Bridgesurrogate.exe

Filesize
5.6MB

MD5
d5eb73597ed0a278e1a993ee15c5cdb1

SHA1
c0a88c5eb727b7e4eb38dd90e95cbb1c37de0341

SHA256
b6b9517b7429afea6d33ae62a1cff9ce8290b160f9f5544b1d9dd3ab0f620404

SHA512
538de4b61b35c7acead9e8c26bdf1a47e024e7dd78402b4dbeb5fe6afe6ec7c323f2700f12c6ed441c51b61b4b3884967df67db6ba4ac682fc32c616dca2c932

Download Submit
C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe

Filesize
224B

MD5
e6aa5a9a61e5a14929496cc623751fcb

SHA1
e5e193008aaf6155d8959d1f237297e134c8c69f

SHA256
4518eab1e079194970bee0b64f0dc5151e2208a48a94672e9a98fbe046e6a7d9

SHA512
45a4385a57d928587194313bd04ea42714619e2a3f35f8c7af0d930507f1e717dfd9c4d00c36514a826fb2e5090ed7e9b8a76f099798d2c468910c40e1d7cd0e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.6MB

MD5
73d7e637cd16f1f807930fa6442436df

SHA1
26c13b2c29065485ce1858d85d9dc792c06ed052

SHA256
cd0f7fb1020a931c98c7c258241f06292cb9b7cab8e9acdb4010f4d56f076ef6

SHA512
f3561a2090e70b6a2a7c4070daebce1b9ff269fef1a8ca6297c20eb28170675eec7c689d05a05a00b8ddb2d1c2c82639c5d53f63782c0460acd4d3aa95328922

Download Submit
C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat

Filesize
235B

MD5
6b38a992844fa483f124cc7742e00952

SHA1
3707dee2e65dd8060828c8f71ab0a9acb7e8fdb3

SHA256
25b7c2331c03cb9ccf5c63df50e47fe452d0889a560a310825d71dadaf2c2c30

SHA512
aa0e7e851b28c96d8bf5b7d8820dc385d959ee8611b07e6f8f6f58f35e21cd67fb12baabfa27933a6c4897e7c2e7569659a823c3a5e982772e539a1672c57aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IMqqsTTOd.bat

Filesize
187B

MD5
97edb1587b1317fe7a6a2bf42b3a4232

SHA1
2183bd1c6b5e5e71190c7110c7923963133a6d3c

SHA256
f6a3bdb3a9fdf777091d0af3c9141fc79c32abe7d558f78b4106b2da048da770

SHA512
301faf72c794d5fca372a9aaa757ff330cd56f826b981a90100102f48ce23ed316aab605973adba7eb4a263680acda71ef6a9d53f71fa8a5a88c7af5b40e680c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ItcmNmazXC.bat

Filesize
235B

MD5
ff33c4d9231d3679d7f290f8844a0421

SHA1
36ac3520da227acbb105b50d2a102aea17fc8485

SHA256
bbdda96653ce42efadfc5669f813843b4361d06d8b8207cd57de40cadfe1cef6

SHA512
c0f0d6df6208e848cbcf8e6b6f6c267738ab644715a64abde852a6766e993a75e0a9c6de44f8a4692a8d307feaa88e1090f75845bd944ba1c62d97d3996bf808

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA6C.tmp

Filesize
1KB

MD5
3408df6c40be0064ad52275cf53f1f0b

SHA1
0a471cedc02a46d80cbbce1fbd8ebddb2ad08aeb

SHA256
e9966276e10f4d44b84a5156dc42cc50aed1110aa6e1895b07be725f8473584d

SHA512
96bd106294b674ed200109542336fd60d3b80858dc91ae0a9e5934b1d1fd60061ad6dba8674d1066a480eb00503f07f54fca56caf2d10ddc6005431b93f3fb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJeeA8Mqtp.bat

Filesize
187B

MD5
15c30ccad3138e873ffd41f1361ee209

SHA1
0dc2302c1a3a216d88905882deaa9bdd418d8e72

SHA256
c26b428421e88ef4b1d70f14d5467feabdf7818118508d7b6ff2e7d335eb0e05

SHA512
6d009c52c2e5d878248975b642502d8b76a9158f09203f611f560e5cf3bbe5576800147ac120f3af2c88bbcdb3e40c0a5aa21850baae08e55583c6b01e793a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xj8aQTjKDO.bat

Filesize
235B

MD5
75a251e7d35490bdaa124414893ab6c7

SHA1
9b60b75b9751d27edf61766bcd6d8b79966eb118

SHA256
775ab68f441eab1c01a89398654d055f5ebc998bc150e11990e2ed2587591936

SHA512
391d995b8c3f00f57f5417b0211ec0a93992592ce31f062d6a7fa0ca318404cb715de66d3569ef3403f8bdd4eff115e8f615e8495f72758e2bc3763633880146

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9hG5v9VzW.bat

Filesize
235B

MD5
20fbb9f97b931bec5e8079050e72c537

SHA1
eb2a9f800f5d09bcc79d7c56732643fedcf92716

SHA256
237fe78e2f8f71ebbaeb5b76255f9f54e15d610a962a1c0ee9d25d7b0e9c9e08

SHA512
8d9cf4529a0788fc738de89d50d999694e7a44d4aecec7037c2bec87c9751a13d87f67f3ff093fada7bd74c207ac7c93d6dab1e5b75f3f666158a0aac84d4dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqn5y7QE.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqn5y7QE.xlsm

Filesize
23KB

MD5
668016aa2c78b6bce050a64e6cba21f7

SHA1
33b4cb45b06e4a8e6d0d92d86cb5a9f4a2caa19d

SHA256
1e3249c6cd62aa9e52c219af028b5674a1d92d37d7aeb91548d7dcbcd08c1fc5

SHA512
6bd21dddde4a89d4eeec7e55df26d296f50edd2765b8aaeb96f032de93de699aa2f7b4cf28dc4a0c0c714ab63166379c6ef62f230dd23a18be104fd9b48937b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqn5y7QE.xlsm

Filesize
32KB

MD5
8a66b5695296189a7cd7d8ccfadf988d

SHA1
42832a014d2667988ca8205620c010eb1c39f912

SHA256
3570a3c25075fb5b0f3c0c19a64caf1373918e6c308a5ae16345153b02da7a1e

SHA512
b4613fe5211307adbbbeafb03def2a425a3ec85320b0cf8d65e0748ff17ffcd0b43a28546386ab13abf55c73b41db569b297b52eedafa90886d065ec38938fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
187B

MD5
ba338865774bba59ec45c55adad4c7bf

SHA1
410be6354ba541a999687b4ff39f41ff72ecbf5c

SHA256
b83484c26177a9d4df2a2160430a13e4af6a4e3110b1978af81f7824b1d1b0ce

SHA512
f74cb1f88bf4d5f582d1b58376d30c2ad46b3458b77ea93bd86e7e919d9ec445012aa90831877d9246fe631e9f7055048fe4e5ce54fd403ff98bed1114946e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat

Filesize
187B

MD5
9a5ae6bb5574b04d7673bc70f0168673

SHA1
f47c06bc5b9d6fc42ebd3c6fbd83fb5f2efe19cf

SHA256
f4229acddd91c62504a63631cd2439044e284188d3741f49dc50f7eb6780878c

SHA512
23e4421865c32654f6c5d298698e43fd6faea0023961d88fd70fa0bfd9e2731e28d646b3be05b03d1d47ca51f892f77e4c80812e1bc8d6b1b2954eb4cfaf949b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZ8E8OSIiX.bat

Filesize
235B

MD5
852d28e32ac1bf7b3166528f92d736b4

SHA1
665080718db3420afbce7d5a349098b70161257d

SHA256
a0335ddc263de97352f691a5ac265653dce5b302fadcb5e7b062ebad6e67124f

SHA512
031cc45575f145094c6d0cdecef51a6963c6b160373f6dfc51cda1279d2c0e6002416e85d10370aaddbfbd5a383c8acb510162ca8fbb2aa6e14f7f4c2cc77540

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAx8WBe6mr.bat

Filesize
235B

MD5
d98d202c184fb2f306adf701f7272d8e

SHA1
231a5ea76a04f43f95fff5a54cd8979877d96925

SHA256
8f2d96c3d5aab2ed12badbfd81fe77a6570119234a33e300bba20b0e8e94245b

SHA512
10e960dd0443630da3d8cf044adca124cb73cddf60e41bf19e22793b52e5bc8345847013ce422965e022dbe3bcdbef3530b404732d5be84ae85a5949f1902c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\wykhLflpMg.bat

Filesize
235B

MD5
626c244351c4fa38e99df2ce741a536e

SHA1
324834181eb6ad0deab6a5a5177f2964e3d62438

SHA256
03a0391d8a314e4076fa037bdfd06bf1fa72bb1a5843e3bf0bfb3a35d22d49d1

SHA512
45af826d252b8e121a897f5fc19aa3a059bdaca17850815bdda14176562f727cb507bdb2fa2180aa1b8ee7008bdb0535ddf5cee90797767774bb9352b26dc2f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9df6434a5e17a872906ef0fe28ff178e

SHA1
a6e6a3814353b8726c3df5ef7141d520281ed569

SHA256
49d9f1a4a93f3bf737fef63f91694d80c907496f43d4f5d53fe8d428dfbcc017

SHA512
6d6c28bb15993cc7e31f72acc7838845add8859cd6850ec1afd76633d19dd63566a04ea9d33a27210524dc847e3e74427e793eb8562b024ed5ecbecbce132148

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2ufhk3a\s2ufhk3a.0.cs

Filesize
386B

MD5
702aafde2622cb5b89538354bd28c430

SHA1
5e7eae07a3b9356c16a71e48d30090ba2983c3a2

SHA256
5a14f933663fc3e94f2370e18743ed3d3f46827b9b0a25c670e3bfc887526e97

SHA512
27b0d01a564506c2534c459d601ba800583d0564619785aa2f48842cd760a916834d8e434b2c1bc2f7a5f739379261a1abae0e816ea9c50dc4e55fac9ec80945

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2ufhk3a\s2ufhk3a.cmdline

Filesize
235B

MD5
7e033c34297016f52c4f30eea670f961

SHA1
9115115021454db14fd6f55d8d6b8ae86d33b3c9

SHA256
2cfb51794e0d883b875167a56788830a3c8265fdb6539455a469c9bc5c1ba265

SHA512
e41c44d623de7a61eb8405489315bac293b2914858df9d93081b105fd362b05ce853fb5c130778e6e52dbc1915416ca8aaa74362a85426ee28ad050851a28b53

Download Submit
\??\c:\Windows\System32\CSCD0E800AFFDF34A4881E0568DEE4E1A8.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_MinecraftFpsMod.exe

Filesize
5.9MB

MD5
885383199b4458661a083d690adec52f

SHA1
7f3a0cdbf4f14e71fe0061f35c121ce087918a99

SHA256
7e1fbcc206aed09ff42684b9dcdac876e2a1f7c068463430b1bfb21564af1252

SHA512
dbe796e5c8caf1de33ddfc499c86f3a2d289ab6f1e1f89ecabef7403c70e2ea18da72897184988f12024e01e159276dc6f70b09266102bb542517d08bf41d31b

Download Submit
memory/316-177-0x0000000000080000-0x000000000025A000-memory.dmp

Filesize
1.9MB

Download
memory/576-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/576-33-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/996-189-0x0000000000F90000-0x000000000116A000-memory.dmp

Filesize
1.9MB

Download
memory/1080-282-0x0000000001270000-0x000000000144A000-memory.dmp

Filesize
1.9MB

Download
memory/1544-258-0x0000000001250000-0x000000000142A000-memory.dmp

Filesize
1.9MB

Download
memory/1856-104-0x00000000002E0000-0x00000000004BA000-memory.dmp

Filesize
1.9MB

Download
memory/1856-114-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/1856-106-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1856-110-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/1856-112-0x00000000004C0000-0x00000000004D8000-memory.dmp

Filesize
96KB

Download
memory/1860-290-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/1860-263-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/1860-287-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/1860-174-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/1860-187-0x0000000000400000-0x0000000000AAC000-memory.dmp

Filesize
6.7MB

Download
memory/2472-156-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2472-163-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2504-320-0x0000000001310000-0x00000000014EA000-memory.dmp

Filesize
1.9MB

Download
memory/2588-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2692-201-0x0000000001060000-0x000000000123A000-memory.dmp

Filesize
1.9MB

Download