dcrat | 2c2f3eb6ca985e2116305370b66916156737ce3371e61fc4db0048ca325be5a1

Analysis

max time kernel
159s
max time network
157s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-02-2025 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nedohackers4.exe
Size

1.1MB
MD5

215c2ae4474bfc4ed0413f18306d9166
SHA1

eeef87c29c4190d2e9bce74026e8753cd5dd3a8a
SHA256

2c2f3eb6ca985e2116305370b66916156737ce3371e61fc4db0048ca325be5a1
SHA512

8e9185118c885e641221e5463188c2945819da2e54c4dc15cecc3fdb7dead163f9ea82362d9d00f1e6d88f5ae6d2f5b672134373f95e371eb2607da22ab5f6d0
SSDEEP

24576:U2G/nvxW3Ww0tgpur/hbcITVYFMMjFiJmUixpO6:UbA30k0hb3Y36U06

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3680	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3680	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000b000000027c6e-14.dat	dcrat
behavioral1/memory/2960-16-0x0000000000870000-0x0000000000946000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	nedohackers4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	blockfontsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
2960	blockfontsvc.exe
4992	RuntimeBroker.exe
4428	RuntimeBroker.exe
4012	RuntimeBroker.exe
328	RuntimeBroker.exe
2176	RuntimeBroker.exe
3672	RuntimeBroker.exe
5056	RuntimeBroker.exe
1380	RuntimeBroker.exe
4640	RuntimeBroker.exe
3764	RuntimeBroker.exe
4580	RuntimeBroker.exe
4548	RuntimeBroker.exe
2088	RuntimeBroker.exe
1768	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
40	pastebin.com
42	pastebin.com
27	pastebin.com
30	pastebin.com
43	pastebin.com
6	pastebin.com
15	pastebin.com
17	pastebin.com
28	pastebin.com
35	pastebin.com
39	pastebin.com
41	pastebin.com
1	pastebin.com
2	pastebin.com
16	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe	blockfontsvc.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\9e8d7a4ca61bd9	blockfontsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\conhost.exe	blockfontsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\088424020bedd6	blockfontsvc.exe
File created	C:\Program Files\Windows Mail\smss.exe	blockfontsvc.exe
File created	C:\Program Files\Windows Mail\69ddcba757bf72	blockfontsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\authman\66fc9ff0ee96c2	blockfontsvc.exe
File created	C:\Windows\Help\OEM\fontdrvhost.exe	blockfontsvc.exe
File created	C:\Windows\Help\OEM\5b884080fd4f94	blockfontsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe	blockfontsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5b884080fd4f94	blockfontsvc.exe
File created	C:\Windows\Microsoft.NET\authman\sihost.exe	blockfontsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nedohackers4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	nedohackers4.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4804	schtasks.exe
3928	schtasks.exe
4328	schtasks.exe
764	schtasks.exe
2392	schtasks.exe
4344	schtasks.exe
3720	schtasks.exe
3152	schtasks.exe
2792	schtasks.exe
2344	schtasks.exe
3164	schtasks.exe
2456	schtasks.exe
4532	schtasks.exe
4404	schtasks.exe
3212	schtasks.exe
5028	schtasks.exe
1320	schtasks.exe
640	schtasks.exe
1224	schtasks.exe
3600	schtasks.exe
1520	schtasks.exe
4280	schtasks.exe
4356	schtasks.exe
240	schtasks.exe
4256	schtasks.exe
4836	schtasks.exe
3024	schtasks.exe
4436	schtasks.exe
568	schtasks.exe
5116	schtasks.exe
2988	schtasks.exe
456	schtasks.exe
1844	schtasks.exe
4676	schtasks.exe
3232	schtasks.exe
4340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2960	blockfontsvc.exe
2960	blockfontsvc.exe
2960	blockfontsvc.exe
2960	blockfontsvc.exe
2960	blockfontsvc.exe
4992	RuntimeBroker.exe
4428	RuntimeBroker.exe
4012	RuntimeBroker.exe
328	RuntimeBroker.exe
2176	RuntimeBroker.exe
3672	RuntimeBroker.exe
5056	RuntimeBroker.exe
1380	RuntimeBroker.exe
4640	RuntimeBroker.exe
3764	RuntimeBroker.exe
4580	RuntimeBroker.exe
4548	RuntimeBroker.exe
2088	RuntimeBroker.exe
1768	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	blockfontsvc.exe
Token: SeDebugPrivilege	4992	RuntimeBroker.exe
Token: SeDebugPrivilege	4428	RuntimeBroker.exe
Token: SeDebugPrivilege	4012	RuntimeBroker.exe
Token: SeDebugPrivilege	328	RuntimeBroker.exe
Token: SeDebugPrivilege	2176	RuntimeBroker.exe
Token: SeDebugPrivilege	3672	RuntimeBroker.exe
Token: SeDebugPrivilege	5056	RuntimeBroker.exe
Token: SeDebugPrivilege	1380	RuntimeBroker.exe
Token: SeDebugPrivilege	4640	RuntimeBroker.exe
Token: SeDebugPrivilege	3764	RuntimeBroker.exe
Token: SeDebugPrivilege	4580	RuntimeBroker.exe
Token: SeDebugPrivilege	4548	RuntimeBroker.exe
Token: SeDebugPrivilege	2088	RuntimeBroker.exe
Token: SeDebugPrivilege	1768	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4440	4800	nedohackers4.exe	79
PID 4800 wrote to memory of 4440	4800	nedohackers4.exe	79
PID 4800 wrote to memory of 4440	4800	nedohackers4.exe	79
PID 4440 wrote to memory of 2888	4440	WScript.exe	80
PID 4440 wrote to memory of 2888	4440	WScript.exe	80
PID 4440 wrote to memory of 2888	4440	WScript.exe	80
PID 2888 wrote to memory of 2960	2888	cmd.exe	82
PID 2888 wrote to memory of 2960	2888	cmd.exe	82
PID 2960 wrote to memory of 4992	2960	blockfontsvc.exe	120
PID 2960 wrote to memory of 4992	2960	blockfontsvc.exe	120
PID 4992 wrote to memory of 2076	4992	RuntimeBroker.exe	121
PID 4992 wrote to memory of 2076	4992	RuntimeBroker.exe	121
PID 2076 wrote to memory of 1184	2076	cmd.exe	123
PID 2076 wrote to memory of 1184	2076	cmd.exe	123
PID 2076 wrote to memory of 4428	2076	cmd.exe	124
PID 2076 wrote to memory of 4428	2076	cmd.exe	124
PID 4428 wrote to memory of 1240	4428	RuntimeBroker.exe	126
PID 4428 wrote to memory of 1240	4428	RuntimeBroker.exe	126
PID 1240 wrote to memory of 3608	1240	cmd.exe	128
PID 1240 wrote to memory of 3608	1240	cmd.exe	128
PID 1240 wrote to memory of 4012	1240	cmd.exe	129
PID 1240 wrote to memory of 4012	1240	cmd.exe	129
PID 4012 wrote to memory of 388	4012	RuntimeBroker.exe	130
PID 4012 wrote to memory of 388	4012	RuntimeBroker.exe	130
PID 388 wrote to memory of 2680	388	cmd.exe	132
PID 388 wrote to memory of 2680	388	cmd.exe	132
PID 388 wrote to memory of 328	388	cmd.exe	133
PID 388 wrote to memory of 328	388	cmd.exe	133
PID 328 wrote to memory of 1428	328	RuntimeBroker.exe	134
PID 328 wrote to memory of 1428	328	RuntimeBroker.exe	134
PID 1428 wrote to memory of 476	1428	cmd.exe	136
PID 1428 wrote to memory of 476	1428	cmd.exe	136
PID 1428 wrote to memory of 2176	1428	cmd.exe	137
PID 1428 wrote to memory of 2176	1428	cmd.exe	137
PID 2176 wrote to memory of 3756	2176	RuntimeBroker.exe	138
PID 2176 wrote to memory of 3756	2176	RuntimeBroker.exe	138
PID 3756 wrote to memory of 2664	3756	cmd.exe	140
PID 3756 wrote to memory of 2664	3756	cmd.exe	140
PID 3756 wrote to memory of 3672	3756	cmd.exe	141
PID 3756 wrote to memory of 3672	3756	cmd.exe	141
PID 3672 wrote to memory of 640	3672	RuntimeBroker.exe	142
PID 3672 wrote to memory of 640	3672	RuntimeBroker.exe	142
PID 640 wrote to memory of 4252	640	cmd.exe	144
PID 640 wrote to memory of 4252	640	cmd.exe	144
PID 640 wrote to memory of 5056	640	cmd.exe	145
PID 640 wrote to memory of 5056	640	cmd.exe	145
PID 5056 wrote to memory of 2792	5056	RuntimeBroker.exe	146
PID 5056 wrote to memory of 2792	5056	RuntimeBroker.exe	146
PID 2792 wrote to memory of 4436	2792	cmd.exe	148
PID 2792 wrote to memory of 4436	2792	cmd.exe	148
PID 2792 wrote to memory of 1380	2792	cmd.exe	149
PID 2792 wrote to memory of 1380	2792	cmd.exe	149
PID 1380 wrote to memory of 2204	1380	RuntimeBroker.exe	150
PID 1380 wrote to memory of 2204	1380	RuntimeBroker.exe	150
PID 2204 wrote to memory of 2988	2204	cmd.exe	152
PID 2204 wrote to memory of 2988	2204	cmd.exe	152
PID 2204 wrote to memory of 4640	2204	cmd.exe	153
PID 2204 wrote to memory of 4640	2204	cmd.exe	153
PID 4640 wrote to memory of 464	4640	RuntimeBroker.exe	154
PID 4640 wrote to memory of 464	4640	RuntimeBroker.exe	154
PID 464 wrote to memory of 4028	464	cmd.exe	156
PID 464 wrote to memory of 4028	464	cmd.exe	156
PID 464 wrote to memory of 3764	464	cmd.exe	157
PID 464 wrote to memory of 3764	464	cmd.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\nedohackers4.exe
"C:\Users\Admin\AppData\Local\Temp\nedohackers4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\HypersurrogatewinsessionDhcp\dYZ8AJXs29nzvYWJlIwG5mAl.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\HypersurrogatewinsessionDhcp\Esvo7P.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\HypersurrogatewinsessionDhcp\blockfontsvc.exe
      "C:\HypersurrogatewinsessionDhcp\blockfontsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1184
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3608
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2680
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:476
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2664
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4252
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4436
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2988
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4028
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat"
        24⤵
        
        PID:60
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:896
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        26⤵
        
        PID:4132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4812
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
        28⤵
        
        PID:4800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2572
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        30⤵
        
        PID:1424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2588
        
        C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\HypersurrogatewinsessionDhcp\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\HypersurrogatewinsessionDhcp\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\HypersurrogatewinsessionDhcp\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\authman\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\authman\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\OEM\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Help\OEM\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\OEM\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\HypersurrogatewinsessionDhcp\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\HypersurrogatewinsessionDhcp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\HypersurrogatewinsessionDhcp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Oracle\Java\.oracle_jre_usage\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HypersurrogatewinsessionDhcp\Esvo7P.bat

Filesize
50B

MD5
e3354876d4ab17357229ad81e55fb5ec

SHA1
1e8bd41a7d28712438de364f6e6a6450fad76236

SHA256
34946c401756c6022bba3cf3102fc29b13ca870d2b3036e4af629093ebc14f0c

SHA512
fb61c9d65859a8fe9f2efe4ea01d8adde3141c7f75aa29dae8d5594a2f69b56e2f0a3ad9981711e8e388ea9c2461e52101ab50e254091d656f6ce63509ca3d78

Download Submit
C:\HypersurrogatewinsessionDhcp\blockfontsvc.exe

Filesize
826KB

MD5
6ccfcac59014598cff37d63e9fcdd1bf

SHA1
ef50d1a952dc55cddd1cb6c5a891d82f30bc9df5

SHA256
b12b0a770a1a4c95d0d799013ac07b11de12493d6f2b1a40183d67e8c2773789

SHA512
652c3458acbf7769e7b46832afdeed7825aa9e16dd594dd0dffa36680dec38d2a759fe642af67ab318b315aa041684a220e00fe9689eb2d0f0e58ac9f9733cba

Download Submit
C:\HypersurrogatewinsessionDhcp\dYZ8AJXs29nzvYWJlIwG5mAl.vbe

Filesize
211B

MD5
3d75b27cde18863301c52516a4e3a98c

SHA1
6612058cb5737e62facd9612892371224492e3e5

SHA256
b1cda2a185842984aa3123de9904c0cbcf14e1e15c0fbc53ed834b5c0b861f8f

SHA512
b7bf30446c29946be582a4615eb80b883858b0d07836f5fe131b40abba66c5c6bee714febe451b9c90fa83699103833a99e75550d59f2febb7b73cfeb84c2af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

Filesize
228B

MD5
fc0fa1b8c2d157c4cec038249c40feac

SHA1
495c140467f86e5a833af6a5f8b52b03058e14c5

SHA256
0f524a59ab12ff11ffb5416dfc5283572bd7d921b8a40ca25502457f8b3339e5

SHA512
9849c28899c7b670ba8aad6e9e154d853e13c6e34b48e54c07a411883070b530ac7aee90b43ea6150c45c64d9ae59f70eabb566fd7f53a3be9aca2aedeadc343

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
228B

MD5
b770383999b8240590b0cd3c9d3114f5

SHA1
6471bab10f16575c0427692e444bf663a8b19a6e

SHA256
55b5857105effc4c3eb9fb6278e6b8dce8e392cb39c99f3fe0e04bd7de9e46e1

SHA512
946f5bda9c5573c8a18722976f7e727e7d7a13d4cb6ae1e06e52073803b6c5aee63085289aa31637a808a27ce6b5c4f774ac848e48e7631e3e5f6459317d235c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat

Filesize
228B

MD5
7aa5d82ae166c9f4db2f07d04b128ef2

SHA1
fc566ae6c8c75defa0eb18ccdc873e46aa0b4133

SHA256
d25b11518e66bb11dec6c54f1d9088e5d2f0d1c65bae5653c7563bba3dd3b9bf

SHA512
232e9ba433a438243e3809b8d176c4337d485642b0ee05b7010a59f3f09f2b03de09a1caec71987b06b919f4af175d2183073ef3873fa8e65f501a30958260ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
228B

MD5
3b6f3a7b5de6f6321f12ea0aeb713fc3

SHA1
76da6adf9da4d5e10ca1d261d6a1082fe7983a4f

SHA256
1ef4c18eee1d70176323d060e9818f839908c82b8d0dac26208aeb5bd64627bf

SHA512
2713e515b423b9f1618838e9a2558277372e4e497083ca226c1c31ef5bf1c35e2524eb3f5834c98182528888a41995d7546376dcf44c97539dd1d9f15af43756

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

Filesize
228B

MD5
96e13d8ac21ae27b028752ca19c62520

SHA1
3aaba5fbcb570e836e04d9e6defd4e2c9a53cf31

SHA256
13891ea7b2a91671069e47267924e4fc032c400bebb8e1f389f7dbf96954310a

SHA512
5582d1f1a2ad805fc15ea674953f43d03a40a12080eb27ad4ed836d1405c3664b262210eb017087467736870f25f9ab3fe7b7a2d795a2a893f9b524926fc457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsFcJDxdf6.bat

Filesize
228B

MD5
57c781959e2acc36a29f8b2a1b02f090

SHA1
3b0d4df22bfb09340e1ed373b5a6b3bc6e3937c4

SHA256
f806d6c9dcc2411278f87694c4a2afb8e2af71ccb405ca31fbdb919fae6e8492

SHA512
ddc8e00ad03a5cd88c1dd6b64029633ffd232501a4c3a78319fa777a3531cda5c7954e64bc392c0877caac1f4a038c725b152bf635957ba8df1599c813dee7b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
228B

MD5
a5dcfe9a07f135a13c22a14c29ad14ff

SHA1
3c3d0299e0f46203ba9a143537dbe924133956d2

SHA256
d28b625bb04280ae4ca0e2e71bbf5c4ad98f239dc92e7e0ddf85a584f91cd199

SHA512
cac7b3222a22249b750afa72b6aec51794194330c11f696960107b0832caba7878d963bb7ea7638e08e78603d0f3777165f55923e9154c1398e00d66fecd40b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
228B

MD5
ccfbff43476f4538d0272f34c6773ba8

SHA1
d88bdabef40fd15bd8eaf80e15b7d49ba24ead0c

SHA256
945bfbcf5d5013580a7bc165cd06e070191aaa3f320166f8e13ae5257472eae4

SHA512
d53e452233f53764db2d8c7074c08aa60f5ecba713e885d953afa4034a0f6b436c3bbb4208cd88f4d3231172a7104949c998a7a54939fde756c6313c20c547ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
228B

MD5
7bcfa2ef74fe17472ae88af6fb080736

SHA1
47f08eb20e22d8b1d8b658a9aeb5d364ced1cd2f

SHA256
baa3483e4d144cc4a037cf01820d60990c10097c7bbb818d3e02aed7419b088c

SHA512
70cd16eadf77499987deb903be079b482a2ac98b72dc9fd48e569932ca411c9338a3fc51df88753f59b6f3084e9f8a898bd77bebf38945d8824da9b51e74e4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat

Filesize
228B

MD5
ac49bde5db2e0c1402ee0e5d981339a8

SHA1
a72b6709db093c28ff330aa23c64bb8a59210560

SHA256
8459bbcd5f6f828b2c595158d80aad89250b1dcbdaa368bf983ebb546cbab373

SHA512
7f876dd6e2907ca6b2418cf38e566686947d7cd9551e1cd43426ebc0fbccd3e9409dee23f4a0dd424b5f091ad0e6ae62b73b1d762dbb9df3281bd3fd1d34c893

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
228B

MD5
1353e26d9aebe56874b93d4f25452d7a

SHA1
d28dfb27ddfc7352b6d6a1b9ffc7b643bd01d410

SHA256
f438c11f6f0f05f0c667f93feb91aa593dc8a27f23bdd9436e6a1079806e9dea

SHA512
9ef9a0be558998024492565f0ec7ba4d6c1cd7ac033eef2c017a699fbb2b6687687580470a952f9767d41e8313d0a1c26a58c47196b6347a093f8518f2396375

Download Submit
memory/328-70-0x000000001D640000-0x000000001D7AA000-memory.dmp

Filesize
1.4MB

Download
memory/1380-110-0x000000001D480000-0x000000001D5EA000-memory.dmp

Filesize
1.4MB

Download
memory/2176-80-0x000000001CE80000-0x000000001CFEA000-memory.dmp

Filesize
1.4MB

Download
memory/2960-15-0x00007FFB4C033000-0x00007FFB4C035000-memory.dmp

Filesize
8KB

Download
memory/2960-16-0x0000000000870000-0x0000000000946000-memory.dmp

Filesize
856KB

Download
memory/3672-90-0x000000001D580000-0x000000001D6EA000-memory.dmp

Filesize
1.4MB

Download
memory/3764-130-0x000000001D580000-0x000000001D6EA000-memory.dmp

Filesize
1.4MB

Download
memory/4012-60-0x000000001D680000-0x000000001D7EA000-memory.dmp

Filesize
1.4MB

Download
memory/4428-50-0x000000001D640000-0x000000001D7AA000-memory.dmp

Filesize
1.4MB

Download
memory/4580-140-0x000000001CD40000-0x000000001CEAA000-memory.dmp

Filesize
1.4MB

Download
memory/4640-120-0x000000001CF80000-0x000000001D0EA000-memory.dmp

Filesize
1.4MB

Download
memory/4992-39-0x000000001D040000-0x000000001D1AA000-memory.dmp

Filesize
1.4MB

Download
memory/5056-100-0x000000001DD00000-0x000000001DE6A000-memory.dmp

Filesize
1.4MB

Download