dcrat | 18f98cf70e93f573af35a3f74fc6bf092d249b554336320f6c17a8925c35f8bb

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
Size

2.2MB
MD5

50ee114bba99ce3a7ba3e64c0080a644
SHA1

3c9f1189b07b612888a1124714d1586408c78ba0
SHA256

e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6
SHA512

58b94a8596d4a94b28da6f0051d90bf098d9def8a112d9541eca814c7b46f5bae619a331831c060eff04f39b62cac1a2ad2a5fe380c75f59aa79322e09a4b64d
SSDEEP

49152:IBJaWLMtwyMxRizAwgueOJNN3lRHiKLWDWUs:yALwyMb9ue0NTH2Ps

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\fr\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\OSPPSVC.exe\", \"C:\\hyperIntoBroker\\winlogon.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\", \"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\fr\\wininit.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\fr\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\OSPPSVC.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\fr\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\OSPPSVC.exe\", \"C:\\hyperIntoBroker\\winlogon.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\fr\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Mail\\es-ES\\OSPPSVC.exe\", \"C:\\hyperIntoBroker\\winlogon.exe\", \"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	hyperProviderbrokermonitorNet.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2856	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2856	schtasks.exe	34

Executes dropped EXE 10 IoCs

pid	Process
2312	hyperProviderbrokermonitorNet.exe
2400	spoolsv.exe
1588	spoolsv.exe
2920	spoolsv.exe
2468	spoolsv.exe
1016	spoolsv.exe
2588	spoolsv.exe
1624	spoolsv.exe
2292	spoolsv.exe
904	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2168	cmd.exe
2168	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\fr\\wininit.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\fr\\wininit.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Windows Mail\\es-ES\\OSPPSVC.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Uninstall Information\\csrss.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Windows Mail\\es-ES\\OSPPSVC.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\hyperIntoBroker\\winlogon.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\hyperIntoBroker\\winlogon.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC90C54D659A9943A9B4B8951E51C4B9C.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	hyperProviderbrokermonitorNet.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\csrss.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\OSPPSVC.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\1610b97d3ab4a7	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\56085415360792	hyperProviderbrokermonitorNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1632	PING.EXE
1708	PING.EXE
2004	PING.EXE
3044	PING.EXE
1320	PING.EXE
2832	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1320	PING.EXE
2832	PING.EXE
1632	PING.EXE
1708	PING.EXE
2004	PING.EXE
3044	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe
2676	schtasks.exe
1400	schtasks.exe
2240	schtasks.exe
2244	schtasks.exe
2176	schtasks.exe
2276	schtasks.exe
3008	schtasks.exe
1644	schtasks.exe
2200	schtasks.exe
1968	schtasks.exe
1316	schtasks.exe
2740	schtasks.exe
1660	schtasks.exe
1632	schtasks.exe
764	schtasks.exe
1132	schtasks.exe
560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe
2312	hyperProviderbrokermonitorNet.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2400	spoolsv.exe
Token: SeDebugPrivilege	1588	spoolsv.exe
Token: SeDebugPrivilege	2920	spoolsv.exe
Token: SeDebugPrivilege	2468	spoolsv.exe
Token: SeDebugPrivilege	1016	spoolsv.exe
Token: SeDebugPrivilege	2588	spoolsv.exe
Token: SeDebugPrivilege	1624	spoolsv.exe
Token: SeDebugPrivilege	2292	spoolsv.exe
Token: SeDebugPrivilege	904	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2900	1740	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 1740 wrote to memory of 2900	1740	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 1740 wrote to memory of 2900	1740	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 1740 wrote to memory of 2900	1740	e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe	30
PID 2900 wrote to memory of 2168	2900	WScript.exe	31
PID 2900 wrote to memory of 2168	2900	WScript.exe	31
PID 2900 wrote to memory of 2168	2900	WScript.exe	31
PID 2900 wrote to memory of 2168	2900	WScript.exe	31
PID 2168 wrote to memory of 2312	2168	cmd.exe	33
PID 2168 wrote to memory of 2312	2168	cmd.exe	33
PID 2168 wrote to memory of 2312	2168	cmd.exe	33
PID 2168 wrote to memory of 2312	2168	cmd.exe	33
PID 2312 wrote to memory of 2260	2312	hyperProviderbrokermonitorNet.exe	38
PID 2312 wrote to memory of 2260	2312	hyperProviderbrokermonitorNet.exe	38
PID 2312 wrote to memory of 2260	2312	hyperProviderbrokermonitorNet.exe	38
PID 2260 wrote to memory of 2868	2260	csc.exe	40
PID 2260 wrote to memory of 2868	2260	csc.exe	40
PID 2260 wrote to memory of 2868	2260	csc.exe	40
PID 2312 wrote to memory of 756	2312	hyperProviderbrokermonitorNet.exe	56
PID 2312 wrote to memory of 756	2312	hyperProviderbrokermonitorNet.exe	56
PID 2312 wrote to memory of 756	2312	hyperProviderbrokermonitorNet.exe	56
PID 756 wrote to memory of 1812	756	cmd.exe	58
PID 756 wrote to memory of 1812	756	cmd.exe	58
PID 756 wrote to memory of 1812	756	cmd.exe	58
PID 756 wrote to memory of 1320	756	cmd.exe	59
PID 756 wrote to memory of 1320	756	cmd.exe	59
PID 756 wrote to memory of 1320	756	cmd.exe	59
PID 756 wrote to memory of 2400	756	cmd.exe	60
PID 756 wrote to memory of 2400	756	cmd.exe	60
PID 756 wrote to memory of 2400	756	cmd.exe	60
PID 2400 wrote to memory of 1808	2400	spoolsv.exe	61
PID 2400 wrote to memory of 1808	2400	spoolsv.exe	61
PID 2400 wrote to memory of 1808	2400	spoolsv.exe	61
PID 1808 wrote to memory of 1928	1808	cmd.exe	63
PID 1808 wrote to memory of 1928	1808	cmd.exe	63
PID 1808 wrote to memory of 1928	1808	cmd.exe	63
PID 1808 wrote to memory of 2392	1808	cmd.exe	64
PID 1808 wrote to memory of 2392	1808	cmd.exe	64
PID 1808 wrote to memory of 2392	1808	cmd.exe	64
PID 1808 wrote to memory of 1588	1808	cmd.exe	65
PID 1808 wrote to memory of 1588	1808	cmd.exe	65
PID 1808 wrote to memory of 1588	1808	cmd.exe	65
PID 1588 wrote to memory of 2304	1588	spoolsv.exe	66
PID 1588 wrote to memory of 2304	1588	spoolsv.exe	66
PID 1588 wrote to memory of 2304	1588	spoolsv.exe	66
PID 2304 wrote to memory of 2836	2304	cmd.exe	68
PID 2304 wrote to memory of 2836	2304	cmd.exe	68
PID 2304 wrote to memory of 2836	2304	cmd.exe	68
PID 2304 wrote to memory of 2832	2304	cmd.exe	69
PID 2304 wrote to memory of 2832	2304	cmd.exe	69
PID 2304 wrote to memory of 2832	2304	cmd.exe	69
PID 2304 wrote to memory of 2920	2304	cmd.exe	70
PID 2304 wrote to memory of 2920	2304	cmd.exe	70
PID 2304 wrote to memory of 2920	2304	cmd.exe	70
PID 2920 wrote to memory of 1832	2920	spoolsv.exe	71
PID 2920 wrote to memory of 1832	2920	spoolsv.exe	71
PID 2920 wrote to memory of 1832	2920	spoolsv.exe	71
PID 1832 wrote to memory of 1548	1832	cmd.exe	73
PID 1832 wrote to memory of 1548	1832	cmd.exe	73
PID 1832 wrote to memory of 1548	1832	cmd.exe	73
PID 1832 wrote to memory of 1632	1832	cmd.exe	74
PID 1832 wrote to memory of 1632	1832	cmd.exe	74
PID 1832 wrote to memory of 1632	1832	cmd.exe	74
PID 1832 wrote to memory of 2468	1832	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe
"C:\Users\Admin\AppData\Local\Temp\e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
      "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0sfloxyp\0sfloxyp.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB32.tmp" "c:\Windows\System32\CSC90C54D659A9943A9B4B8951E51C4B9C.TMP"
        6⤵
        
        PID:2868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z0sbmsynLZ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1812
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1320
      - C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\imE7OxQXo6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2392
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eMBuAd62pF.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2832
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat"
        13⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2144
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnlL3aVnrp.bat"
        15⤵
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1708
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pKJ6edTRWc.bat"
        17⤵
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w6HeTDdWXW.bat"
        19⤵
        
        PID:940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2908
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XGPt9CNEzD.bat"
        21⤵
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3044
        
        C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\hyperIntoBroker\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\hyperIntoBroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\hyperIntoBroker\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 7 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNet" /sc ONLOGON /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 10 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FnlL3aVnrp.bat

Filesize
187B

MD5
23adbbd145bf9ad2e5d2fa7c970a4f0b

SHA1
64b9af1626f4884e7806d6f8310ca29fbf3edec8

SHA256
bd3ab7e8c7f3d59f213f9125106e4352898c9211ffb31d08e274b471acefa3fa

SHA512
9db8acdb4c4f4fbe514a5b230cf22522e030dd87be6a9f9331302ed6ba13cf126f700ea778e4efd8266c6620270d1a4ee8d070391acc3c313be03e6e545b784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDB32.tmp

Filesize
1KB

MD5
08e114c3cf3403c2bdeb309379ae74f7

SHA1
5cf14e36e2c35aac567249b62de669e6e109a242

SHA256
19431d8edf197afbe783678f31465f44caefbefae419ad5c3d79c0862220e64b

SHA512
8a7c2b81df002e4d0825232e7d2b17d2136f8a2f0663c6d7a8205b9940b597b57162cad07369ed4b1bd0a8a20672203c9e507444396b14973f2f2d189520dc64

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGPt9CNEzD.bat

Filesize
187B

MD5
e993a8de42dbb8ff6f38076725c05c46

SHA1
0aeda426ef31a157fc48fa250065036903681a11

SHA256
fd5a9b8eee8e87a0935c1311f41cbeb37f3f1aad32e7e2d1a1a4c46cf11b6d5a

SHA512
32e6e6213169e9b716ec23748eceef0931633e6760cac48fb2ddc67e92843188fbc1e3c704551e729ddc4c94e3de7ef7ba5bec3ff603a6c396812b7f482434bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z0sbmsynLZ.bat

Filesize
187B

MD5
5ec591021c66e725c4f772c7f54e2ea7

SHA1
297abbac787d72f447c895accfb5916127e1d278

SHA256
cf51bf0fa004d282c643fc72b66fbe0bae3eef8935cd10c954e540fbc2c9bf8b

SHA512
d2713078c9a161aac1bfd5473748754ba63654076ff3f39fb6ae4d9eb68a572d758f0459d505662a87fa0a6c778b28f1374eb9646115add495a363b534a251e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMBuAd62pF.bat

Filesize
187B

MD5
0da773e63fa1c3e0371c05d1a98920a5

SHA1
81f57c9a8714f316140657e743b313b1e62a85ea

SHA256
d921d7a9f4555957949f07e71aa7000297a934f291a4c177ad3c23ba1d65c575

SHA512
3ef3299a04c0b55a82e875c7615d9f5ac65db83b3cfdb9850b55aabc23a086d708f02cdaaaf0d59327e8690791e38298f63d58febd15ed023e60df34941558a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\imE7OxQXo6.bat

Filesize
235B

MD5
445f9104a87eeb0c6dea1f257c8193f4

SHA1
614fc5d66f923b446894490a24bd573381e8f1cb

SHA256
8cf1c2e43e5e95666a6942bd733726137e2bca4b85585d8a1f063acd6290f669

SHA512
b657df3a12c1b542f0b0031fb6bb37e62cea6c9fa2ec05861353253a4667d162aa15c562709ddd1ca109b904e2e624ca723796c37a5d2f7a6fb165790ea6c067

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat

Filesize
235B

MD5
ca453c576de87494f08d8fecc3bc891d

SHA1
471b1a202ecdfa53ef7ccbb9527fa0a7091665e6

SHA256
4c60255be86fff7e64d40d6ab0ceed1593f307550efd627772a800cb973cde8f

SHA512
bb7f9c98dfaa6927c4b55b3f4c4c868839ee02fee0ee5af498d89959f490ac54857f56afe86d616cd78e92bfd95c5f4e06b92c59ad61311c90804259b9afc690

Download Submit
C:\Users\Admin\AppData\Local\Temp\pKJ6edTRWc.bat

Filesize
187B

MD5
fd23e3ed5470d120e944870d7e6bd20e

SHA1
ca7bdd7892551b708737c2fafd293ad0fe8d1c79

SHA256
7c4900ff5a15abb0ba8b21a83cd147c1271c27ed607377997a5a394a181d7cbb

SHA512
2317a4900eb6d4f4bee4a9fed17a59c2f03ae151cc3da8ba275c1143dff3dcd8710a1c8feacc954b2850a9f315a2d665f9a331aa46eeeab0e97bf5d0b7732a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6HeTDdWXW.bat

Filesize
235B

MD5
841c48b27c06a854543f60f7659924e6

SHA1
b18871865e22f9eacf8fde0a00cfca57b6dd9cf7

SHA256
f7f7010db7ac6f794f08eba578ab870ba381bf9620edb2d556e7ffe9bba0d5e1

SHA512
f04cc3e9cdd3b3175f9e7abc64d97710586055775f64a0a88d1b1a9c42ebeae5b0bff4bba66c0cf37cd977574e8320032881d2b32aea4e4a039fc13129e0b3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xMU3vrX2xf.bat

Filesize
187B

MD5
57efc3e64884c4c3efa8466776180024

SHA1
ac27dff9e520cab2267d407f02e2f76029f62639

SHA256
e1d170175788e4481c8294b234b169f273257519169e732f5bcb05a13fb99e74

SHA512
98dcfd904d4c411a64c845be49ff59763e55f45122b4e7dcf3b64daa38ca62e16b9d65aa7d5c6de18b9734d17d72446e67055d40d47ce7566529e2a94678428b

Download Submit
C:\hyperIntoBroker\7ZVJJhRLWkC.bat

Filesize
78B

MD5
65f873c875c73f084119594a4449ecea

SHA1
9f050c5bfc5cd3d94c37acac16105f031658904f

SHA256
825a9f47fd1242c15bd81fea64d0f739c9e74f62a1820e182cfa069e1726fd90

SHA512
c4c2886fd99303e222a379a02c981532070c932acb70d2a7460fe257e22b8b0625018fab158e7be011bd5b2f7c45517e2c2fc947b11b84bbbda37ecc1bdc8d63

Download Submit
C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe

Filesize
205B

MD5
3abc77a7e4977f35cab6e9f29e677438

SHA1
bd300a11ea5af663fe723883f8b5d980d1cbb417

SHA256
e987a0608105af1e7422322184159c1559b26e3d84c27917408c2cdbbd9f9a72

SHA512
b445fd9b854e822077d17b060edd7e253b8e8aeb8ebfb4e1084e2d604276295d715101f0ce1e1b25f0d83247385f76b1ab8885efd7ba6286cd8317d994359cb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0sfloxyp\0sfloxyp.0.cs

Filesize
391B

MD5
983f01ce1ee76893af2dc94c34618ddb

SHA1
d3eb0748f3a9711f5964688a917bf44b5d3eabc0

SHA256
8516ad6163a147a6bcaa31275db50a2564a61be1cdcf39a38812431a6ebcd83e

SHA512
b72eb9d5fb1a7076ff1e96fc785cd9e9b1712d7f57dff83dd89a8db78dc60146219a2c42378ab985b50e058b8d7c69347d98286d7347f6ea0b63e360d8181508

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0sfloxyp\0sfloxyp.cmdline

Filesize
235B

MD5
f02d382a12e1dcbff762aacc6df39304

SHA1
a89a0d483a16b9f00cc7d9b354a964b2d9138e3f

SHA256
0220441a99e92703424f663d030cfb147e13006a998e984044efce635ea96349

SHA512
367872752ab017204145d59155a9bd25e4fecaba49b36715159bc70f08cc786d54315d543e03f7752352be21c936507b488bdd6e6dd3f554a39dff830a485438

Download Submit
\??\c:\Windows\System32\CSC90C54D659A9943A9B4B8951E51C4B9C.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Filesize
1.9MB

MD5
54eff01605da5e7cbdb382c98ece2c2a

SHA1
be2ecfc24603a5e282bdfbb7780a03c1410879b8

SHA256
26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

SHA512
dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0

Download Submit
memory/1588-72-0x0000000001330000-0x0000000001524000-memory.dmp

Filesize
2.0MB

Download
memory/2312-25-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/2312-21-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2312-19-0x0000000000540000-0x0000000000558000-memory.dmp

Filesize
96KB

Download
memory/2312-17-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/2312-15-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2312-13-0x00000000001C0000-0x00000000003B4000-memory.dmp

Filesize
2.0MB

Download
memory/2312-23-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2312-27-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/2400-58-0x0000000000230000-0x0000000000424000-memory.dmp

Filesize
2.0MB

Download
memory/2588-128-0x0000000001390000-0x0000000001584000-memory.dmp

Filesize
2.0MB

Download