dcrat | 1fd77f0721116863f5799d464f0f125e3ea188eac0352952538fa294011e6faf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader.exe
Size

22.4MB
MD5

960a95f44c437750c49fa69a4383e05d
SHA1

2b4200ebc741deb52214fea69ad2c8e262354b15
SHA256

1fd77f0721116863f5799d464f0f125e3ea188eac0352952538fa294011e6faf
SHA512

2e395157a0833a9b8444b48692a249facb8e435b071002fa3ac731e133e2864b715aee50a8ef7f6b32d76402565e86c226950e9d72a31ed445543c76ae9ba938
SSDEEP

393216:6ZXLruFNpetm1NbM59wDVJnlv3n8K6iyUJ+Ey4GaLJ1XQGBtOs:SXLrWNpPU59I50K4OV2a/BY

Score

10^/10

dcrat umbral infostealer rat stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000002338c-14.dat	family_umbral
behavioral1/memory/2548-21-0x00000135DBCA0000-0x00000135DBCE0000-memory.dmp	family_umbral

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4628	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	4628	schtasks.exe	93

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000c000000023386-7.dat	dcrat
behavioral1/files/0x0007000000023429-519.dat	dcrat
behavioral1/memory/3844-520-0x00000000008C0000-0x00000000009F2000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WebSessionhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	ExLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	softcheck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 30 IoCs

pid	Process
2448	softcheck.exe
2548	afdg.exe
4088	ExLoader_Installer.exe
4728	ExLoader_Installer.exe
3844	WebSessionhost.exe
1076	fontdrvhost.exe
4524	fontdrvhost.exe
3404	fontdrvhost.exe
2096	fontdrvhost.exe
3996	fontdrvhost.exe
5048	fontdrvhost.exe
4660	fontdrvhost.exe
1192	fontdrvhost.exe
4532	fontdrvhost.exe
4416	fontdrvhost.exe
1636	fontdrvhost.exe
4052	fontdrvhost.exe
748	fontdrvhost.exe
2932	fontdrvhost.exe
4352	fontdrvhost.exe
448	fontdrvhost.exe
4844	fontdrvhost.exe
2540	fontdrvhost.exe
4644	fontdrvhost.exe
4040	fontdrvhost.exe
668	fontdrvhost.exe
64	fontdrvhost.exe
5100	fontdrvhost.exe
4000	fontdrvhost.exe
4412	fontdrvhost.exe

Loads dropped DLL 6 IoCs

pid	Process
4728	ExLoader_Installer.exe
4728	ExLoader_Installer.exe
4728	ExLoader_Installer.exe
4728	ExLoader_Installer.exe
4728	ExLoader_Installer.exe
4728	ExLoader_Installer.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\ebf1f9fa8afd6d	WebSessionhost.exe
File created	C:\Program Files\Windows Portable Devices\dwm.exe	WebSessionhost.exe
File created	C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3	WebSessionhost.exe
File created	C:\Program Files (x86)\WindowsPowerShell\dllhost.exe	WebSessionhost.exe
File created	C:\Program Files (x86)\WindowsPowerShell\5940a34987c991	WebSessionhost.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe	WebSessionhost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\OfficeClickToRun.exe	WebSessionhost.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\e6c9b481da804f	WebSessionhost.exe
File created	C:\Windows\Resources\SearchApp.exe	WebSessionhost.exe
File created	C:\Windows\Resources\38384e6a620884	WebSessionhost.exe
File created	C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe	WebSessionhost.exe
File created	C:\Windows\Performance\WinSAT\DataStore\9e8d7a4ca61bd9	WebSessionhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2964	schtasks.exe
3568	schtasks.exe
4160	schtasks.exe
464	schtasks.exe
4876	schtasks.exe
4504	schtasks.exe
3960	schtasks.exe
4464	schtasks.exe
3044	schtasks.exe
4268	schtasks.exe
3564	schtasks.exe
2084	schtasks.exe
2016	schtasks.exe
2616	schtasks.exe
4432	schtasks.exe
2444	schtasks.exe
3404	schtasks.exe
1580	schtasks.exe
4396	schtasks.exe
4520	schtasks.exe
3128	schtasks.exe
3516	schtasks.exe
2560	schtasks.exe
3884	schtasks.exe
3596	schtasks.exe
2992	schtasks.exe
1664	schtasks.exe
3488	schtasks.exe
4872	schtasks.exe
3920	schtasks.exe
2732	schtasks.exe
5056	schtasks.exe
1612	schtasks.exe
3064	schtasks.exe
812	schtasks.exe
4552	schtasks.exe
4824	schtasks.exe
2600	schtasks.exe
3448	schtasks.exe
5024	schtasks.exe
5088	schtasks.exe
1636	schtasks.exe
2372	schtasks.exe
1540	schtasks.exe
4112	schtasks.exe
4428	schtasks.exe
116	schtasks.exe
4148	schtasks.exe
3800	schtasks.exe
1504	schtasks.exe
2276	schtasks.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	WebSessionhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	softcheck.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
3844	WebSessionhost.exe
1076	fontdrvhost.exe
4524	fontdrvhost.exe
3404	fontdrvhost.exe
2096	fontdrvhost.exe
3996	fontdrvhost.exe
5048	fontdrvhost.exe
4660	fontdrvhost.exe
1192	fontdrvhost.exe
4532	fontdrvhost.exe
4416	fontdrvhost.exe
1636	fontdrvhost.exe
4052	fontdrvhost.exe
748	fontdrvhost.exe
2932	fontdrvhost.exe
4352	fontdrvhost.exe
448	fontdrvhost.exe
4844	fontdrvhost.exe
4644	fontdrvhost.exe
4040	fontdrvhost.exe
668	fontdrvhost.exe
64	fontdrvhost.exe
5100	fontdrvhost.exe
4000	fontdrvhost.exe
4412	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	afdg.exe
Token: SeDebugPrivilege	3844	WebSessionhost.exe
Token: SeDebugPrivilege	1076	fontdrvhost.exe
Token: SeDebugPrivilege	4524	fontdrvhost.exe
Token: SeDebugPrivilege	3404	fontdrvhost.exe
Token: SeDebugPrivilege	2096	fontdrvhost.exe
Token: SeDebugPrivilege	3996	fontdrvhost.exe
Token: SeDebugPrivilege	5048	fontdrvhost.exe
Token: SeDebugPrivilege	4660	fontdrvhost.exe
Token: SeDebugPrivilege	1192	fontdrvhost.exe
Token: SeDebugPrivilege	4532	fontdrvhost.exe
Token: SeDebugPrivilege	4416	fontdrvhost.exe
Token: SeDebugPrivilege	1636	fontdrvhost.exe
Token: SeDebugPrivilege	4052	fontdrvhost.exe
Token: SeDebugPrivilege	748	fontdrvhost.exe
Token: SeDebugPrivilege	2932	fontdrvhost.exe
Token: SeDebugPrivilege	4352	fontdrvhost.exe
Token: SeDebugPrivilege	448	fontdrvhost.exe
Token: SeDebugPrivilege	4844	fontdrvhost.exe
Token: SeDebugPrivilege	4644	fontdrvhost.exe
Token: SeDebugPrivilege	4040	fontdrvhost.exe
Token: SeDebugPrivilege	668	fontdrvhost.exe
Token: SeDebugPrivilege	64	fontdrvhost.exe
Token: SeDebugPrivilege	5100	fontdrvhost.exe
Token: SeDebugPrivilege	4000	fontdrvhost.exe
Token: SeDebugPrivilege	4412	fontdrvhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4728	ExLoader_Installer.exe
4728	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 2448	4268	ExLoader.exe	85
PID 4268 wrote to memory of 2448	4268	ExLoader.exe	85
PID 4268 wrote to memory of 2448	4268	ExLoader.exe	85
PID 4268 wrote to memory of 2548	4268	ExLoader.exe	86
PID 4268 wrote to memory of 2548	4268	ExLoader.exe	86
PID 4268 wrote to memory of 4088	4268	ExLoader.exe	87
PID 4268 wrote to memory of 4088	4268	ExLoader.exe	87
PID 2448 wrote to memory of 2908	2448	softcheck.exe	88
PID 2448 wrote to memory of 2908	2448	softcheck.exe	88
PID 2448 wrote to memory of 2908	2448	softcheck.exe	88
PID 4088 wrote to memory of 4728	4088	ExLoader_Installer.exe	89
PID 4088 wrote to memory of 4728	4088	ExLoader_Installer.exe	89
PID 2908 wrote to memory of 2904	2908	WScript.exe	90
PID 2908 wrote to memory of 2904	2908	WScript.exe	90
PID 2908 wrote to memory of 2904	2908	WScript.exe	90
PID 2904 wrote to memory of 3844	2904	cmd.exe	92
PID 2904 wrote to memory of 3844	2904	cmd.exe	92
PID 3844 wrote to memory of 2760	3844	WebSessionhost.exe	145
PID 3844 wrote to memory of 2760	3844	WebSessionhost.exe	145
PID 2760 wrote to memory of 4772	2760	cmd.exe	147
PID 2760 wrote to memory of 4772	2760	cmd.exe	147
PID 2760 wrote to memory of 1076	2760	cmd.exe	148
PID 2760 wrote to memory of 1076	2760	cmd.exe	148
PID 1076 wrote to memory of 4888	1076	fontdrvhost.exe	149
PID 1076 wrote to memory of 4888	1076	fontdrvhost.exe	149
PID 4888 wrote to memory of 4464	4888	cmd.exe	151
PID 4888 wrote to memory of 4464	4888	cmd.exe	151
PID 4888 wrote to memory of 4524	4888	cmd.exe	152
PID 4888 wrote to memory of 4524	4888	cmd.exe	152
PID 4524 wrote to memory of 3556	4524	fontdrvhost.exe	153
PID 4524 wrote to memory of 3556	4524	fontdrvhost.exe	153
PID 3556 wrote to memory of 3800	3556	cmd.exe	155
PID 3556 wrote to memory of 3800	3556	cmd.exe	155
PID 3556 wrote to memory of 3404	3556	cmd.exe	157
PID 3556 wrote to memory of 3404	3556	cmd.exe	157
PID 3404 wrote to memory of 4060	3404	fontdrvhost.exe	158
PID 3404 wrote to memory of 4060	3404	fontdrvhost.exe	158
PID 4060 wrote to memory of 3304	4060	cmd.exe	160
PID 4060 wrote to memory of 3304	4060	cmd.exe	160
PID 4060 wrote to memory of 2096	4060	cmd.exe	164
PID 4060 wrote to memory of 2096	4060	cmd.exe	164
PID 2096 wrote to memory of 5108	2096	fontdrvhost.exe	165
PID 2096 wrote to memory of 5108	2096	fontdrvhost.exe	165
PID 5108 wrote to memory of 4820	5108	cmd.exe	167
PID 5108 wrote to memory of 4820	5108	cmd.exe	167
PID 5108 wrote to memory of 3996	5108	cmd.exe	171
PID 5108 wrote to memory of 3996	5108	cmd.exe	171
PID 3996 wrote to memory of 4792	3996	fontdrvhost.exe	172
PID 3996 wrote to memory of 4792	3996	fontdrvhost.exe	172
PID 4792 wrote to memory of 4964	4792	cmd.exe	174
PID 4792 wrote to memory of 4964	4792	cmd.exe	174
PID 4792 wrote to memory of 5048	4792	cmd.exe	175
PID 4792 wrote to memory of 5048	4792	cmd.exe	175
PID 5048 wrote to memory of 764	5048	fontdrvhost.exe	176
PID 5048 wrote to memory of 764	5048	fontdrvhost.exe	176
PID 764 wrote to memory of 4548	764	cmd.exe	178
PID 764 wrote to memory of 4548	764	cmd.exe	178
PID 764 wrote to memory of 4660	764	cmd.exe	179
PID 764 wrote to memory of 4660	764	cmd.exe	179
PID 4660 wrote to memory of 3840	4660	fontdrvhost.exe	180
PID 4660 wrote to memory of 3840	4660	fontdrvhost.exe	180
PID 3840 wrote to memory of 3704	3840	cmd.exe	182
PID 3840 wrote to memory of 3704	3840	cmd.exe	182
PID 3840 wrote to memory of 1192	3840	cmd.exe	183

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ExLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\softcheck.exe
  "C:\Users\Admin\AppData\Local\Temp\softcheck.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Perfnet\pcwfnmokkxtJ3Iyb.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Perfnet\6BXg6z.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Perfnet\WebSessionhost.exe
        
        "C:\Perfnet\WebSessionhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ZBj3afm70.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4772
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4464
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3800
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3304
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4820
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4964
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4548
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3704
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat"
        22⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4432
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        24⤵
        
        PID:372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3304
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        26⤵
        
        PID:3664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2804
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        28⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3028
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
        30⤵
        
        PID:4512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2224
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        32⤵
        
        PID:8
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4036
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
        34⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:876
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSSqGJyhfL.bat"
        36⤵
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:3528
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        38⤵
        
        PID:4648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:1248
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
        40⤵
        
        PID:4912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:4424
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        42⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:2096
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
        44⤵
        
        PID:4820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:4828
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"
        46⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:4052
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        48⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:1452
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"
        50⤵
        
        PID:4792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:536
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"
        52⤵
        
        PID:5048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:2908
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
        54⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2372
        
        C:\Perfnet\fontdrvhost.exe
        
        "C:\Perfnet\fontdrvhost.exe"
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
        56⤵
        
        PID:1224
- C:\Users\Admin\AppData\Local\Temp\afdg.exe
  "C:\Users\Admin\AppData\Local\Temp\afdg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Resources\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\OneDrive\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afdga" /sc MINUTE /mo 14 /tr "'C:\Perfnet\afdg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afdg" /sc ONLOGON /tr "'C:\Perfnet\afdg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "afdga" /sc MINUTE /mo 10 /tr "'C:\Perfnet\afdg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\ExLoader_Installer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_Installer" /sc ONLOGON /tr "'C:\Users\Default\Templates\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebSessionhostW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Pictures\WebSessionhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebSessionhost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\WebSessionhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebSessionhostW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Documents\My Pictures\WebSessionhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Perfnet\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Perfnet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Perfnet\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Perfnet\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Perfnet\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Perfnet\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Perfnet\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Perfnet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Perfnet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\ExLoader_Installer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_Installer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\Download\SharedFileCache\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Perfnet\6BXg6z.bat

Filesize
31B

MD5
3076d7d9c9deac080fbfcd12e945f009

SHA1
133d81d6216447dadb8d059e5df0bfa2df859ba4

SHA256
9333737accaf07c57f50d70be7b06c4c60fad33035c71112dcc610fbc8913440

SHA512
4efadeee2b208cf938edffaaef5fedfd0f0011761ae138d314f6c3ced3561efff10a68db458d1c356e7ade7e06dff524c72bd7cc19f9a5858699f7c9c3479b21

Download Submit
C:\Perfnet\WebSessionhost.exe

Filesize
1.2MB

MD5
40b198e7b7da71056b8972df9c95024f

SHA1
76dd178bb42182fb76e8aa7e3fbb30457f195397

SHA256
29343e96342523dd16e657266758de5d584ce53510fce30c303e062e670a79cf

SHA512
1803afb1e091899912419f46c46ee187ed3e863294d5948c3d6a2d41107e393927f9bb512c74c36d7230d80909ffdb9ff20592527ce1dc04d31695af0d014ef6

Download Submit
C:\Perfnet\pcwfnmokkxtJ3Iyb.vbe

Filesize
190B

MD5
adf6d6e4a70236f9b1dc8091a11b4f35

SHA1
5d8806d907a881cec768e8175c40ed83dcc5f794

SHA256
c248e5c444ee9f19482070f3abee66c52862e5edaf02899d58dd8d7e7e06beeb

SHA512
411be798e4de069f2941c863738d170ff22a6377bed8ea5900abe7def8ecf55fd851e9e00c6cccd93b7c98fc07efe2306b277c69baaf2cbaa29f1110cb01bd2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
191B

MD5
454a134e2285637323c2b0acd3c65937

SHA1
7cedbb3cf258c3631c8014e0ca083d58c17e4153

SHA256
8a1f25891f5411a7303d1fa27723062bc99f9d01a29a2345e8b48ca5e83ab21a

SHA512
cc5cfcb48bec0c068dda9d436ae55728a5ccf9116c6016d9ce94ff4ce5e49b212022432fe4c6d99236fbb3f4c6607df4f5a8a7921d55924ac1a4a8478847aecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ZBj3afm70.bat

Filesize
191B

MD5
eb576c1d4fdc05c807ada4c9de3ac3f5

SHA1
7484ca55cce2bcda11760b58a42bcc266b6052bc

SHA256
34105b604f5d7c1be3dbf540730e7257c0d47825bd67149701f16a1fcdbfec20

SHA512
c89b39079cfd88910e3940a24d897c2145a768a485ce0f221e81c789ff33e021f2fd58a1a355d7e962da8c427dc24736967973b00d16039d62f1d77857191e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
191B

MD5
82d9922f7f7ee29fb019c1de8b62c45a

SHA1
da909e0d350c2743ecca7b640de501e419a95a6d

SHA256
ca52d99eab1d0fb9499fc6f0d301a24ed1bddf6ff8f618f29f2626f5c4ca59ca

SHA512
da2022173dc7cd3f8b5c519e891384cb5038f8eab196abe646a935d3c754e1ca3e8a6811ec03fcbf8b34079c3d67ddffb2dc891254ee2a0871977b7f0b76f492

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
191B

MD5
00e5e652b03a7e123bc422938244cabc

SHA1
5d0f96aa6739d5891a559d6e30e236ec69c64be8

SHA256
d9cae84ca17d255cca256e6fff98a4b9586ef68199c8d63a50c4a0a3be6c8792

SHA512
b4c2bc6013a56a0be76de344aa646367cfa6660512caa81d57802f1f3fba2662e412955a25997e3c1adac8e4c048476e278111238933223e1b36ec83cdff2eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
191B

MD5
6697c859b294e4b936390d126e42cf35

SHA1
334f86a15357d9b84fc4ca9c637024677b3fffa7

SHA256
dbda099afcd21a5cd0b70f626f437057890a60c240b48fad541ad63decc66ed1

SHA512
1a386a5c22991e660dd21d9274cf9628bc3562e16965c6c74f2ba8d1b4e662e1d614fd454c262ad09adbd025aa7c0254a9d03f71536470d2ed0ca4d045f577ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
191B

MD5
933301d6d606b16c8c85744b02de2b9f

SHA1
04ff726b277dec7e2e5051a928dacf1e9cfb6eae

SHA256
f8d4dd5468a496c2f4d906c7d41e0b19b6eab75db69eff4f190ddcfa17b4b7fe

SHA512
17e86119bc2ea8556e2c9aa548b9327ea1240b16f377692d315371f61cd248c31148736cef9a8a84ee21af6a9c9de7f9ff75e150087116fcef3637b36b1ddf04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

Filesize
21.5MB

MD5
01deeaf6a3ac4ecea37fd6f21c3ea66a

SHA1
2767ec1e576b7639c38b3d75bca5a99146ffda95

SHA256
fae28755d742035f89e0cf73e9c46c7b7c2b625b3dcfab379dc135b9fa79dbb9

SHA512
d6e959987be4f69a890fa1ba62700ae5f7612e0a4919e58491bbdc96f60ebfbf5fe34806a2413b5724459576ab96e007d8edfe393ea9d12bf003f0df9e5fc9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
191B

MD5
3254d90de1b07bce97564b28a5b8e54f

SHA1
1f508189859444364c4d59b72f6edac8844e5e77

SHA256
5fe5d93d2680207f76c85f09b732613d0415d1569ce69cca2dbfe3998090df0a

SHA512
65fce79e90eae6711ba9fbd018a22fef27fec0286fcad76dc9e25f35398b56068cab4a9d8c7d2670f5e8c860b608f8778fe24fce3d38df20a6d71f6d564f130f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

Filesize
191B

MD5
3354fc6e928dad3d75f484a8fc3d1361

SHA1
2b6be7901f299e7a58980aa18bfaf9ea248cf4f4

SHA256
17984a4f45cb4492e4ef46dede7b1329b15af6003e46cc899a5334f8eb49ae12

SHA512
a50300e940197659b2b29d8dd430349eaf894af92cb474a5d926f3136d0ea1249113caf25eb357f7821266aee83ef28d02408e674bd410caef3f8360e7def937

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
183KB

MD5
afaa67445bd6bc3377cd5c56fdb934d0

SHA1
68e4f2cefda7f58478468c5adeeedef3378abae1

SHA256
53f5c7bab6cdb50b104882f9ac8ee9e5929b58ef0b392dc5f48c1622f737f002

SHA512
db5c7d7e5881ede8a9a6e4d09771dad592a68e7367a42700919cd37ad443badb8c0729cbcc75b9ac25ff65cdc06246b9e72962ebbcbddb1c24a522f8e5c7cd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
13.3MB

MD5
935a9bb3e32863ec80f0a1708ca4bbc6

SHA1
05c7927c554ec0602be364b093088a5374fc3302

SHA256
5af71dcf454c0964d10be8a060475b7dae0435c2f97a458735ad92ffba51dd4f

SHA512
be0f63a120ee503a54d095078744208028e353f7708818146ab1aa90492b1d82c68b3ba0fa1b2946c46f9829b4db61d33c8734c11a4efce364e145ea6a406c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
14KB

MD5
4e304eaf6a0fe86df52d2b7e269b37ba

SHA1
8ac2a261522eed0c8e8b42f248b809bc657cc704

SHA256
5ed623d8a439b6b4a3f85edd7970bbc47e8040a5379e999d80161b087b3c795d

SHA512
d51b943122c135b6ea56ebc7ce54dd2efd28a05cbdc7664d195e29cf2337b8ac0f4e0c442ba0f89f527404fa3930f50607083f69cffef41910883a9c33efc162

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
413B

MD5
fb1230bb41c3c1290008b9e44059dd39

SHA1
66493d0f8a6a112d8376cd296b05c277b111dca1

SHA256
2429b610ba9010211d18626d311d3dea7274473c2dd50fae833ed739b67b1292

SHA512
d5ae9b9124a7c7f8c3d04c4750459c9bc620e3aeb84f5d56a64308eb9b343d4fb62f8b3e03210e04ad90b91bbbb35dd1a56148d06dbcc0872f99e9b1b9d37c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

Filesize
93KB

MD5
babd1b019be8944f7ef6c64c8194bc8d

SHA1
702a50d3e3a0933db4dc1f37423bca3b5c52acde

SHA256
71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76

SHA512
6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Bold.otf

Filesize
46KB

MD5
e57b6bc24b970a377574124e026a7c01

SHA1
00184aedd4ee4d2ca6b5c87cf41e78f64304c89b

SHA256
b012d85155925bbe2106b20234b96522dec7914f03b09bc6e2fff71554f31bf6

SHA512
c162cd8a7130d2c94dac5c3dad58794f368436cbf782e8063c245d4cae405af6aa25c2f381549defd520c3f7cdbc04a27f891798697e9c291317d3b3ba82efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Light.otf

Filesize
45KB

MD5
d10d77b03ba3abe6ccc1c142d9852595

SHA1
6108edf0cfb3d5f25e3c593949c301c5c2aa5f25

SHA256
3c9ef459625f995c62b993b64da299204b741e153ba8e6d988463aaa86b1aa44

SHA512
71c4fc3b6f43b4125c5ea5ae09297d72446de81ffc2928fee33aef386754e60dab11cc170c4d6689dd6eeac451f2a57b9d3372278f750dca6ed39ec82fcf9368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Medium.otf

Filesize
46KB

MD5
df63e8855d04ab0e25d2bb6a0b1fabfb

SHA1
5512dc285f36cdf7da5ba5eabaca128ca3442537

SHA256
a728e91375dcadbdf6ef6d7e3cd0bbf5c56fb992d5b1be6640b83214c9d015ed

SHA512
eba8afd3289089841e4eda4abd992c2e2020d18d44741733b5a51a2a1e0c0982ffd9da187aa56ba3b891bc259398ec156e08e45265f7218e87eb914794ca69d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Regular.otf

Filesize
45KB

MD5
d969db6adb881f1dfa91a5b7ec0154d9

SHA1
d7b44b20eb246b0ff5c41147c0d0fb96fde47c48

SHA256
c7fc6d9f2ff611073fa09a6c61a8c086da0ebe8da841a9f4ec4087a3e9b52152

SHA512
2a225a8c12b46aa14e14dd547c6a55c80aef6bfe8cc791dcf60a14ef91994eddc4dec473d856f7c2446d62a41d017d256b64b603d87ae45e75fdeb2230deb5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-SemiBold.otf

Filesize
46KB

MD5
5177edfb54762b59df676052d11b363d

SHA1
fa18815bf4914b93d587c2758b65e234ad51b38b

SHA256
50000ce2f0f8bf3018f1d04aa5c6716583b808ca05c802c46a9de4f084a91f7d

SHA512
7475fe248eafd528a05acab94f3973eeeb0d169203769ee6b42d007b5fa0605a58a290e145d74d57e17486367bacffed22e4a88e576fa9f65d000e487aa78e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\cloud-off.svg

Filesize
1KB

MD5
e99140f842b471d330fc27cd73817c4c

SHA1
9957147463f586824b65bc7bfb121d33a9523a96

SHA256
0f4cb470185e3c6c26ae033a3a88e3995340bb08a63432dd9ebb82b73dd665ae

SHA512
f579aef41980539675609c62ff4d80dde22bad59917d439dbd4d325173bed3f24534a72e9903aef58c6ee5d4b03fcb7d0a7be8c93c35da6dbb2e1e046b7da0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\window-minimize.svg

Filesize
151B

MD5
d47255b6d3e685cac4804eb58207d0b6

SHA1
7fe02211cf6b77f3971522a3b3888460491ae153

SHA256
29bc4875912360fac26586adaca21449026cc2cf6479f9d9bbb066abe2dd2640

SHA512
b39c96fd2479585b32146a3b33a5419f665391f1b1857b08896c8254b48fdb733551bd9974a3c7dcfb679cbb5b35ed9b8f538f5c44156d399b02b8d0d4fe95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
798KB

MD5
da48e432fe61f451154f0715b2a7b174

SHA1
51b6add0bbc4e0b5200b01deca5d009f1daf9f39

SHA256
65ea729083128dfce1c00726ba932b91aaaf5e48736b5644dd37478e5f2875ac

SHA512
5af9c1e43b52536272a575ca400a9eee830a8fcecb83bb1a490515851bef48957d8de669b9f77b8614eb586838af23385e1afce622edb82a90ec7549f882d381

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
cf1901e6b6a138422e4eb765ec20e098

SHA1
3cbde7f32504cbc0795e536a024e61fa2185ced2

SHA256
615038c51ea1655b6b8f057ac16f725d51b395efe76fa96cfb97924b0d908297

SHA512
82e19d116db7ae553d66511c2255728d1651919ffe83ca87f79a9e00f7d7085665ce5303c48729e7941e33aa91f65ad4d17fd30101e9865e76c8a2540d0af7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat

Filesize
191B

MD5
e2003b7eb522c4c87286f9fa4ef0bff5

SHA1
d249fa3ef9c694c0f5b70e12ac676658f977bfd4

SHA256
f87698ba693eb9be20742f3c0065c30ae6601d2ac73b273af51ee458aaf14b85

SHA512
50953445565d5bb67f8c406aea66208e62735eef0c20dcdc9d72a2c170a9b7c6b5ea323ceebdeb7f4b50bef43fac6d88ad2bba7ac35bf149e37a40407aaa5052

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
191B

MD5
56fff7bd64ce526834f827fb6c0e900d

SHA1
7e3d7f4479e691a9cf48a3b69080b7dff1589dba

SHA256
9c1c7d39899ad19314a4f8527b3fe85e34fdf0da44a35315086c3c125e17d60f

SHA512
39af587663ce8dc78290d9923f9c1badbc659ce27d6801d97c48ada2e0c91d91c2cb82013a15166420bc4e4d99cd137bd79d4f07b977e255fbdc47ffb7656894

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

Filesize
191B

MD5
bb854d64e4f99332fea45fd04ae3e894

SHA1
7df433c22200969ac0f2fc2bea73996ee94bd0f2

SHA256
ae20d3b310127e38dc83adf0c443cb62e2d4251eddd7bab7276d26ce7c621e66

SHA512
74636ea0b75cefe3f1405d5743ec54e2029a54ce149cff3d897e8426f4687acb38787ac25d011353ca60c5c4fed0d6072d20102738b64d983a57c72fe95408f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
191B

MD5
a86a349cdd0f43ad8cfd5ba93a73368c

SHA1
b93baf001df21c151c8352cdc2236006422e60d3

SHA256
e10de46082d863909ddb1a204bb03047bc840af7d14f6d897a708581785b8a08

SHA512
a72d15113b74f0851a7bc70a5b8905740709b6d0653b90d09b9fd8d8acfa132eac98424f39df0bf3ed438ea89e46e9c74ea391232fae1eeb74266aa0caf335ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\afdg.exe

Filesize
229KB

MD5
03400301f58b640d2270f7e031de2709

SHA1
1ec27e75bf4fb7c5acc3b46eb542f5769047c6a6

SHA256
4bb46d9afffc0744a176ff631b1676e23af6f6f1776adc064f5d0ae9dd3b6a66

SHA512
7f682ff2eca030edc92ca67c5e6cdcd8a70a8be3ad123cb0388cb06039b8153d54128ce85945c42792dea86b4812b8d0ba7fc627dd0b57560e6859e1c416b518

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
191B

MD5
b61b15aa38899c57f8562cad0f7443b2

SHA1
ed858fa08a2b12ad1459ba9ef691eb659c87289a

SHA256
a4ca4fad1d9df512b2dd75b67ca6b9a928b7563c60f84b03ec95ab06fb8614c5

SHA512
64601333e92e0a19bad799b4bc72f45f2b90766f07b39cc98cd822257692c93c654c90f513cfede40f1b0b05aec95ce0e3176a7c103f27abbdb2ce8e73b44c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\softcheck.exe

Filesize
1.5MB

MD5
836ec0990b84d743fe6b1ede5562a296

SHA1
e20ea1e584d09c30aa18f72280aedd4caf02df56

SHA256
4dc98610abc00825a886fd1df758c458170ed2442b1e5a096b4c0b3b70031a26

SHA512
3b33d7fb3266e669b38155c770fc6909702321434fe55ba0be83e8e82a7cf8d9cc19a2eff943ee60d77b810dcd194ef9cc6fe76972c7e5865cc5d306076d29ea

Download Submit
memory/2548-581-0x00007FFDE5D70000-0x00007FFDE6831000-memory.dmp

Filesize
10.8MB

Download
memory/2548-21-0x00000135DBCA0000-0x00000135DBCE0000-memory.dmp

Filesize
256KB

Download
memory/2548-23-0x00007FFDE5D70000-0x00007FFDE6831000-memory.dmp

Filesize
10.8MB

Download
memory/3844-522-0x000000001B570000-0x000000001B5C0000-memory.dmp

Filesize
320KB

Download
memory/3844-523-0x000000001B520000-0x000000001B536000-memory.dmp

Filesize
88KB

Download
memory/3844-521-0x000000001B500000-0x000000001B51C000-memory.dmp

Filesize
112KB

Download
memory/3844-524-0x000000001B540000-0x000000001B54C000-memory.dmp

Filesize
48KB

Download
memory/3844-520-0x00000000008C0000-0x00000000009F2000-memory.dmp

Filesize
1.2MB

Download
memory/4268-3-0x00007FFDE5D70000-0x00007FFDE6831000-memory.dmp

Filesize
10.8MB

Download
memory/4268-0-0x00007FFDE5D73000-0x00007FFDE5D75000-memory.dmp

Filesize
8KB

Download
memory/4268-40-0x00007FFDE5D70000-0x00007FFDE6831000-memory.dmp

Filesize
10.8MB

Download
memory/4268-1-0x0000000000B40000-0x00000000021B4000-memory.dmp

Filesize
22.5MB

Download
memory/4728-480-0x000001F874350000-0x000001F874351000-memory.dmp

Filesize
4KB

Download
memory/4728-481-0x000001F876500000-0x000001F877251000-memory.dmp

Filesize
13.3MB

Download
memory/4728-484-0x000001F876370000-0x000001F876371000-memory.dmp

Filesize
4KB

Download
memory/4728-482-0x000001F876500000-0x000001F877251000-memory.dmp

Filesize
13.3MB

Download
memory/4728-483-0x000001F876500000-0x000001F877251000-memory.dmp

Filesize
13.3MB

Download