dcrat | e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
Size

2.2MB
MD5

50ee114bba99ce3a7ba3e64c0080a644
SHA1

3c9f1189b07b612888a1124714d1586408c78ba0
SHA256

e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6
SHA512

58b94a8596d4a94b28da6f0051d90bf098d9def8a112d9541eca814c7b46f5bae619a331831c060eff04f39b62cac1a2ad2a5fe380c75f59aa79322e09a4b64d
SSDEEP

49152:IBJaWLMtwyMxRizAwgueOJNN3lRHiKLWDWUs:yALwyMb9ue0NTH2Ps

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\ComSvcConfig\\2bd538d545e15452202ef3b41080e2ce\\csrss.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\ComSvcConfig\\2bd538d545e15452202ef3b41080e2ce\\csrss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\ComSvcConfig\\2bd538d545e15452202ef3b41080e2ce\\csrss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\it-IT\\dwm.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\", \"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\ComSvcConfig\\2bd538d545e15452202ef3b41080e2ce\\csrss.exe\", \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Windows\\Branding\\Basebrd\\it-IT\\dwm.exe\", \"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2692	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2692	schtasks.exe	35

Executes dropped EXE 12 IoCs

pid	Process
2748	hyperProviderbrokermonitorNet.exe
840	hyperProviderbrokermonitorNet.exe
2564	hyperProviderbrokermonitorNet.exe
2772	hyperProviderbrokermonitorNet.exe
792	hyperProviderbrokermonitorNet.exe
2836	hyperProviderbrokermonitorNet.exe
1588	hyperProviderbrokermonitorNet.exe
2388	hyperProviderbrokermonitorNet.exe
2792	hyperProviderbrokermonitorNet.exe
1932	hyperProviderbrokermonitorNet.exe
1664	hyperProviderbrokermonitorNet.exe
952	hyperProviderbrokermonitorNet.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	cmd.exe
2360	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\ComSvcConfig\\2bd538d545e15452202ef3b41080e2ce\\csrss.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Branding\\Basebrd\\it-IT\\dwm.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\20e7eb62-69f6-11ef-be0c-62cb582c238c\\cmd.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Branding\\Basebrd\\it-IT\\dwm.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft Help\\wininit.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\ComSvcConfig\\2bd538d545e15452202ef3b41080e2ce\\csrss.exe\""	hyperProviderbrokermonitorNet.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC528A0DE9D1CE4B9B8546C337C04BE244.TMP	csc.exe
File created	\??\c:\Windows\System32\dzuhbf.exe	csc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Basebrd\it-IT\dwm.exe	hyperProviderbrokermonitorNet.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\dwm.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\Branding\Basebrd\it-IT\6cb0b6c459d5d3	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\csrss.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\886983d96e3d3e	hyperProviderbrokermonitorNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1644	PING.EXE
1884	PING.EXE
2816	PING.EXE
2020	PING.EXE
1232	PING.EXE
2344	PING.EXE
2152	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1644	PING.EXE
1884	PING.EXE
2816	PING.EXE
2020	PING.EXE
1232	PING.EXE
2344	PING.EXE
2152	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
664	schtasks.exe
2060	schtasks.exe
2932	schtasks.exe
1712	schtasks.exe
852	schtasks.exe
444	schtasks.exe
1804	schtasks.exe
1688	schtasks.exe
1708	schtasks.exe
1872	schtasks.exe
2796	schtasks.exe
2332	schtasks.exe
264	schtasks.exe
528	schtasks.exe
2508	schtasks.exe
2864	schtasks.exe
2484	schtasks.exe
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe
2748	hyperProviderbrokermonitorNet.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	840	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2564	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2772	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	792	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2836	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	1588	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2388	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2792	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	1932	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	1664	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	952	hyperProviderbrokermonitorNet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2112	2384	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 2384 wrote to memory of 2112	2384	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 2384 wrote to memory of 2112	2384	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 2384 wrote to memory of 2112	2384	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 2112 wrote to memory of 2360	2112	WScript.exe	31
PID 2112 wrote to memory of 2360	2112	WScript.exe	31
PID 2112 wrote to memory of 2360	2112	WScript.exe	31
PID 2112 wrote to memory of 2360	2112	WScript.exe	31
PID 2360 wrote to memory of 2748	2360	cmd.exe	33
PID 2360 wrote to memory of 2748	2360	cmd.exe	33
PID 2360 wrote to memory of 2748	2360	cmd.exe	33
PID 2360 wrote to memory of 2748	2360	cmd.exe	33
PID 2748 wrote to memory of 112	2748	hyperProviderbrokermonitorNet.exe	39
PID 2748 wrote to memory of 112	2748	hyperProviderbrokermonitorNet.exe	39
PID 2748 wrote to memory of 112	2748	hyperProviderbrokermonitorNet.exe	39
PID 112 wrote to memory of 1812	112	csc.exe	41
PID 112 wrote to memory of 1812	112	csc.exe	41
PID 112 wrote to memory of 1812	112	csc.exe	41
PID 2748 wrote to memory of 2044	2748	hyperProviderbrokermonitorNet.exe	57
PID 2748 wrote to memory of 2044	2748	hyperProviderbrokermonitorNet.exe	57
PID 2748 wrote to memory of 2044	2748	hyperProviderbrokermonitorNet.exe	57
PID 2044 wrote to memory of 1884	2044	cmd.exe	59
PID 2044 wrote to memory of 1884	2044	cmd.exe	59
PID 2044 wrote to memory of 1884	2044	cmd.exe	59
PID 2044 wrote to memory of 1944	2044	cmd.exe	60
PID 2044 wrote to memory of 1944	2044	cmd.exe	60
PID 2044 wrote to memory of 1944	2044	cmd.exe	60
PID 2044 wrote to memory of 840	2044	cmd.exe	61
PID 2044 wrote to memory of 840	2044	cmd.exe	61
PID 2044 wrote to memory of 840	2044	cmd.exe	61
PID 840 wrote to memory of 2252	840	hyperProviderbrokermonitorNet.exe	62
PID 840 wrote to memory of 2252	840	hyperProviderbrokermonitorNet.exe	62
PID 840 wrote to memory of 2252	840	hyperProviderbrokermonitorNet.exe	62
PID 2252 wrote to memory of 2228	2252	cmd.exe	64
PID 2252 wrote to memory of 2228	2252	cmd.exe	64
PID 2252 wrote to memory of 2228	2252	cmd.exe	64
PID 2252 wrote to memory of 2988	2252	cmd.exe	65
PID 2252 wrote to memory of 2988	2252	cmd.exe	65
PID 2252 wrote to memory of 2988	2252	cmd.exe	65
PID 2252 wrote to memory of 2564	2252	cmd.exe	66
PID 2252 wrote to memory of 2564	2252	cmd.exe	66
PID 2252 wrote to memory of 2564	2252	cmd.exe	66
PID 2564 wrote to memory of 1580	2564	hyperProviderbrokermonitorNet.exe	67
PID 2564 wrote to memory of 1580	2564	hyperProviderbrokermonitorNet.exe	67
PID 2564 wrote to memory of 1580	2564	hyperProviderbrokermonitorNet.exe	67
PID 1580 wrote to memory of 2260	1580	cmd.exe	69
PID 1580 wrote to memory of 2260	1580	cmd.exe	69
PID 1580 wrote to memory of 2260	1580	cmd.exe	69
PID 1580 wrote to memory of 2824	1580	cmd.exe	70
PID 1580 wrote to memory of 2824	1580	cmd.exe	70
PID 1580 wrote to memory of 2824	1580	cmd.exe	70
PID 1580 wrote to memory of 2772	1580	cmd.exe	71
PID 1580 wrote to memory of 2772	1580	cmd.exe	71
PID 1580 wrote to memory of 2772	1580	cmd.exe	71
PID 2772 wrote to memory of 860	2772	hyperProviderbrokermonitorNet.exe	72
PID 2772 wrote to memory of 860	2772	hyperProviderbrokermonitorNet.exe	72
PID 2772 wrote to memory of 860	2772	hyperProviderbrokermonitorNet.exe	72
PID 860 wrote to memory of 288	860	cmd.exe	74
PID 860 wrote to memory of 288	860	cmd.exe	74
PID 860 wrote to memory of 288	860	cmd.exe	74
PID 860 wrote to memory of 1644	860	cmd.exe	75
PID 860 wrote to memory of 1644	860	cmd.exe	75
PID 860 wrote to memory of 1644	860	cmd.exe	75
PID 860 wrote to memory of 792	860	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
"C:\Users\Admin\AppData\Local\Temp\e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
      "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuucqpsa\yuucqpsa.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:112
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCB1.tmp" "c:\Windows\System32\CSC528A0DE9D1CE4B9B8546C337C04BE244.TMP"
        6⤵
        
        PID:1812
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS7FN1cZca.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1884
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1944
      - C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1DAo4o4YO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2988
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tx5bI8CrM8.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2824
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7p8ySQy6iH.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1644
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat"
        13⤵
        
        PID:1528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2604
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lip5DIjgSk.bat"
        15⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1884
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\joyh461nXg.bat"
        17⤵
        
        PID:2444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2644
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat"
        19⤵
        
        PID:2560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cZiCzHXbdI.bat"
        21⤵
        
        PID:1460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UKSgvR4Pjt.bat"
        23⤵
        
        PID:2604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1232
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\opqphCX6ar.bat"
        25⤵
        
        PID:596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2344
        
        C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
        
        "C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat"
        27⤵
        
        PID:2648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\Basebrd\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 5 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNet" /sc ONLOGON /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 6 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat

Filesize
180B

MD5
71df26dde7ac579ae2021b8fbaaf5867

SHA1
9c89e1fb926956eed30fa2cfd01c572bcd5f8d18

SHA256
2f53ade01cbd72c500ef118188132b311b455bef0f346bcbad34656162b47e47

SHA512
c4814b61f035f8f05d72232cfba3573e049a30dbff3eb00e23084e7aa30f3ded5bb4c8587c55492039be173e4f127618489d7c6e2b8b7949dd87714f641bf6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7p8ySQy6iH.bat

Filesize
180B

MD5
56f5b0cf324c48a083ffef02eb93edf0

SHA1
2c34bd95c0b0029761d020d390fd9eb87aaded7a

SHA256
54d79aa390710b5f067a7294ae4ca6785794d1ba13d6b88effbebf20c17fc9d1

SHA512
fe478a8282099cc5ce9aa6eb5a628c62674ec7e6d6a596338f9d8ba8673661e5db4b6e11758838c0ca6364509589be2f96dedbea937fd3940897e8ef1c768f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1DAo4o4YO.bat

Filesize
228B

MD5
99e80f88f87d0613dbe47e33bda6b7af

SHA1
b16c0a6935791935e053dddb746a8793e9f6bf3b

SHA256
07b1a5fe93f6a7491cdfee07465a5ddb99c0fa6aef16a9221270f61b0ea82117

SHA512
0ba59dabe9c0a9ff61b5e26c8e0c1191244529ce1c166b606571840ff0cdb384866f5b2fc83acd7b2a60e2a25fccc540c059e45d32cb86340d6b36094c90d050

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lip5DIjgSk.bat

Filesize
180B

MD5
06fba4eb818618f925a261f7c3c57843

SHA1
972df261e6c4b4792334d4a647093b902e0b77df

SHA256
a85fe291459cdb3e59da08f903d0ac85fdcd6e5708e99c6a6b9fda556e7dc853

SHA512
82ebb488c0ce8c65b0d7e62d55275a90308195979e82937edb804a8505a68398421ed1b0e15354321088625ae53604e24f7b695e3a6574903e59fc7af66671d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat

Filesize
180B

MD5
8385e7896dce24bcb85942e60dcc325b

SHA1
23760c1b9a4af6b3408be9a2b2f4b576b8378559

SHA256
b1a2f7e7df35b48db515c77a5400205743a4ab70d828991e40d62484ef493c88

SHA512
9e123f8ac3eb5c68908d0846039271df22fc06567f2fe1173cc694ca295b0c98c21b01152c2031ce641d5df376fb92e6aa7f62ca93b7f40d83522981781aa9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCB1.tmp

Filesize
1KB

MD5
313ce61c1b77036112aa997a86a5794e

SHA1
b8e89ddd19be2f6e83ec8ac4c9ce856577037841

SHA256
222e11368a5b53234f35008b788afae6f4ae45c2fc774167b6a4193665da59ba

SHA512
a7f35bc5c4137d1b9fc267ed9c897d456156570fdd5b6ac75a24dc2a86d84b9dcacaf185a1ba321967ef8a0c37e4e59a9fffd1b9f2499d26dfe163cf109f7d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKW7EBQnZE.bat

Filesize
228B

MD5
2895a2e5e2f0fddba577d3b111f9784d

SHA1
c7ab509f894c44834b41bdae7164647ab3cf89a5

SHA256
a136f25fa95b9e3d22762c006db05a930e46ca99b1aa9f9cefc7df378fb7590d

SHA512
544e4c5ee0a48f20e0f5655f9cfa539c2688044ea61e7c542a5049cc5def0c909e53fa1ba8b602f727c718cec22a1c47eb12719ac4c1df0d888ad95d752bd93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tx5bI8CrM8.bat

Filesize
228B

MD5
76067259a7cb584867b3aeb5eadb4b1c

SHA1
f15b534b9945c9437353b3826bdf6be3fbd0fa81

SHA256
d4905a51be40abc98f60a1894c511300a3c2ce71a5f9bd9238caadde9a4f05a3

SHA512
b438939a349cc4e58eefa1cf60cf7959656baa879e92406075855aed1773d117c27a05b031cbe1219e5f940c178837a9293948e716745b457043066f057e0d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKSgvR4Pjt.bat

Filesize
180B

MD5
ac4b256dc9abc1d32d1769e2336c5f94

SHA1
6c463fc4a8c34f8e60d325e6821344003cd9d451

SHA256
215e00f87bf8c32d90a60a988b51fd0da8934cf38e78744a7d8e7caa56678296

SHA512
a4f900145977e75e939425fc079869bf76c87ae88d4a48e0860a8fb08b241880f105982a3de869be504979c0690bf82fb5f231bb448fddabd13b568bf1636064

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZS7FN1cZca.bat

Filesize
228B

MD5
7b4497afb6c9de9ced05c84dc648cb72

SHA1
c8f4f4b80824352122948cbf35e58bc2e9f6b6a1

SHA256
4389d2b22360200c585f6529de77f0c32aa5774baf4371005664cb46f4f3c511

SHA512
166284650b6e8fbe75bb9ad1ad0706f0358c1c015b0d8542b7410a02124b872b788e519a4e8439a159e28a41e3b5fcd64cfe803f9910f62bea9d1506a6340812

Download Submit
C:\Users\Admin\AppData\Local\Temp\cZiCzHXbdI.bat

Filesize
180B

MD5
3b8166b238f6da5986721fa4080b2cea

SHA1
032e4216bd5b63a058a9cfcf8ce093c0aee875f6

SHA256
f3d027d7bb12b68393fe365668b613a2194ce2afa3df2807d1b713fb769c4667

SHA512
be23167f4b1958248a13e3a1d40b5cc8b9d9651bafa3717b2d26f38de645aa529058217aca1d5dc0b967c174edcad34af7f59e8b9d582f6396f962e44edc4bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\joyh461nXg.bat

Filesize
228B

MD5
484f5d720c9663949dfa259b7475846a

SHA1
304047708a74e207c9fe2e2da40ef79af92abe2e

SHA256
e9c555bbabb693c7c2c3417a09a3b3c4abd66ddaf097eca8604b1ea54128565a

SHA512
248ad0b313226454e7fbe8fe4dbd35a7a39e31a92fa553378fc9e07aadb42c5d00f895bfcc4ab6ae6a6bdf14e4d83449717be828afe94dea4f3678174a78dffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\opqphCX6ar.bat

Filesize
180B

MD5
2cda8f8e774d789fed66edbeeeceb147

SHA1
1daa66de1ac0374306d2693df70f8ee62d66fb95

SHA256
c667074429936cbbed62f4e6f83c843b5802464000ce3b93e7a745bf60b98263

SHA512
977a772264d71299063491957c4afd7c57ebc39ce315804033e06d24e557c93746e6219acb92ad9c204c50399e63dc80dba84013dfdc9634da104fd69011e59d

Download Submit
C:\hyperIntoBroker\7ZVJJhRLWkC.bat

Filesize
78B

MD5
65f873c875c73f084119594a4449ecea

SHA1
9f050c5bfc5cd3d94c37acac16105f031658904f

SHA256
825a9f47fd1242c15bd81fea64d0f739c9e74f62a1820e182cfa069e1726fd90

SHA512
c4c2886fd99303e222a379a02c981532070c932acb70d2a7460fe257e22b8b0625018fab158e7be011bd5b2f7c45517e2c2fc947b11b84bbbda37ecc1bdc8d63

Download Submit
C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe

Filesize
205B

MD5
3abc77a7e4977f35cab6e9f29e677438

SHA1
bd300a11ea5af663fe723883f8b5d980d1cbb417

SHA256
e987a0608105af1e7422322184159c1559b26e3d84c27917408c2cdbbd9f9a72

SHA512
b445fd9b854e822077d17b060edd7e253b8e8aeb8ebfb4e1084e2d604276295d715101f0ce1e1b25f0d83247385f76b1ab8885efd7ba6286cd8317d994359cb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yuucqpsa\yuucqpsa.0.cs

Filesize
377B

MD5
4c1593b3cb945256926b568d9b573330

SHA1
0c71c23ecc993f05ddb61ea410cdc47d6d6b5680

SHA256
4285e84d86f25c519c5de1e036d762911f7f9db38e73e86cbb6221656d529bf5

SHA512
7fe27a0e1c936e586f96c9a793a1aa6ac0c4f9b3dca6fb926905a04f27e69b09d7afaa1b6f0da1e1aa867b55b30ab1b72ba2c9e86f3ed66ac417ab26309aa7d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yuucqpsa\yuucqpsa.cmdline

Filesize
235B

MD5
0af1edde30858d8799c40c62848c7fe2

SHA1
a3a59e389ee04dbb513ee3a8c9ebecb8cc93f5a1

SHA256
0fe1a5178ac6c0322a9a9b55b1cdb2f52d9a301aded2d511cd35fc5aa4184837

SHA512
ad8f3a5fc1520e57b53ce712c90ddad1d7d73743e31461727907e2397224091cb91438c133fcd0ca2b392dca5e83354795113483068056cdc387efb394a88889

Download Submit
\??\c:\Windows\System32\CSC528A0DE9D1CE4B9B8546C337C04BE244.TMP

Filesize
1KB

MD5
9446a6998523ec187daa3d79bec9c8fa

SHA1
16c7f73aef03c8a15b4d9e8b1cfa5183caf7ca96

SHA256
f55f1bd2c1246cfb3b60cd8649fcc78b3837896bdf5132d6fc8ea0ecabf892d7

SHA512
fac3ad1b0c8663aaa94cd66b6ea0aa1848e570ff4a22b709cf2696abb76e28f42fb0d2a74316a7ad86bb6216177013c6b71ce2f4df139edc3054a03ee3467c9d

Download Submit
\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Filesize
1.9MB

MD5
54eff01605da5e7cbdb382c98ece2c2a

SHA1
be2ecfc24603a5e282bdfbb7780a03c1410879b8

SHA256
26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

SHA512
dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0

Download Submit
memory/840-57-0x0000000000920000-0x0000000000B14000-memory.dmp

Filesize
2.0MB

Download
memory/1932-168-0x0000000000D40000-0x0000000000F34000-memory.dmp

Filesize
2.0MB

Download
memory/2388-139-0x0000000000270000-0x0000000000464000-memory.dmp

Filesize
2.0MB

Download
memory/2564-71-0x00000000009F0000-0x0000000000BE4000-memory.dmp

Filesize
2.0MB

Download
memory/2748-25-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2748-23-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2748-21-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2748-19-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/2748-27-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2748-17-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2748-15-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2748-13-0x00000000002B0000-0x00000000004A4000-memory.dmp

Filesize
2.0MB

Download
memory/2772-86-0x0000000001170000-0x0000000001364000-memory.dmp

Filesize
2.0MB

Download
memory/2792-153-0x00000000003B0000-0x00000000005A4000-memory.dmp

Filesize
2.0MB

Download