zgrat | 747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

Analysis

max time kernel
142s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d6496f71fd24be93348c354faf7dfa6.exe
Size

1.6MB
MD5

0d6496f71fd24be93348c354faf7dfa6
SHA1

47f195a3996d4e3bd051d54e879d1ae68d2ed9a0
SHA256

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9
SHA512

0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c
SSDEEP

49152:TGJ95iN4KodXZCQRBHt268KDDljKrTrv:iJ9Z3dXLrHt2nYDKX

Score

10^/10

zgrat execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 13 IoCs

resource	yara_rule
behavioral1/memory/3040-1-0x0000000001300000-0x00000000014AC000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000015c83-21.dat	family_zgrat_v1
behavioral1/memory/2084-74-0x0000000001090000-0x000000000123C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-82-0x0000000001260000-0x000000000140C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2452-91-0x0000000000170000-0x000000000031C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1212-101-0x0000000000B90000-0x0000000000D3C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2904-110-0x0000000001000000-0x00000000011AC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2196-127-0x0000000001030000-0x00000000011DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2096-136-0x0000000001320000-0x00000000014CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2900-153-0x00000000002E0000-0x000000000048C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2916-162-0x00000000002F0000-0x000000000049C000-memory.dmp	family_zgrat_v1
behavioral1/memory/804-172-0x0000000000180000-0x000000000032C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1480-181-0x0000000000970000-0x0000000000B1C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\csrss.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\csrss.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0d6496f71fd24be93348c354faf7dfa6.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2540	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2540	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2948	powershell.exe
1796	powershell.exe
1420	powershell.exe
1444	powershell.exe
2756	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2084	csrss.exe
2312	csrss.exe
2452	csrss.exe
1212	csrss.exe
2904	csrss.exe
2088	csrss.exe
2196	csrss.exe
2096	csrss.exe
1220	csrss.exe
2900	csrss.exe
2916	csrss.exe
804	csrss.exe
1480	csrss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\system\\csrss.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\dwm.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\explorer.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\spoolsv.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\smss.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d6496f71fd24be93348c354faf7dfa6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0d6496f71fd24be93348c354faf7dfa6.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d6496f71fd24be93348c354faf7dfa6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0d6496f71fd24be93348c354faf7dfa6.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\system\\csrss.exe\""	0d6496f71fd24be93348c354faf7dfa6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC4C8AD0DB8CCB42A5AF4564E8EDC1D26B.TMP	csc.exe
File created	\??\c:\Windows\System32\slsogk.exe	csc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\csrss.exe	0d6496f71fd24be93348c354faf7dfa6.exe
File created	C:\Windows\system\886983d96e3d3e	0d6496f71fd24be93348c354faf7dfa6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1604	schtasks.exe
1740	schtasks.exe
1364	schtasks.exe
2480	schtasks.exe
2464	schtasks.exe
2432	schtasks.exe
2864	schtasks.exe
1192	schtasks.exe
2620	schtasks.exe
1824	schtasks.exe
1784	schtasks.exe
1624	schtasks.exe
1504	schtasks.exe
1736	schtasks.exe
2628	schtasks.exe
2968	schtasks.exe
1572	schtasks.exe
2644	schtasks.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1444	PING.EXE
2692	PING.EXE
1760	PING.EXE
1620	PING.EXE
2316	PING.EXE
2808	PING.EXE
1988	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
3040	0d6496f71fd24be93348c354faf7dfa6.exe
2948	powershell.exe
1796	powershell.exe
1444	powershell.exe
1420	powershell.exe
2836	powershell.exe
2756	powershell.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe
2084	csrss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	0d6496f71fd24be93348c354faf7dfa6.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2084	csrss.exe
Token: SeDebugPrivilege	2312	csrss.exe
Token: SeDebugPrivilege	2452	csrss.exe
Token: SeDebugPrivilege	1212	csrss.exe
Token: SeDebugPrivilege	2904	csrss.exe
Token: SeDebugPrivilege	2088	csrss.exe
Token: SeDebugPrivilege	2196	csrss.exe
Token: SeDebugPrivilege	2096	csrss.exe
Token: SeDebugPrivilege	1220	csrss.exe
Token: SeDebugPrivilege	2900	csrss.exe
Token: SeDebugPrivilege	2916	csrss.exe
Token: SeDebugPrivilege	804	csrss.exe
Token: SeDebugPrivilege	1480	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2716	3040	0d6496f71fd24be93348c354faf7dfa6.exe	32
PID 3040 wrote to memory of 2716	3040	0d6496f71fd24be93348c354faf7dfa6.exe	32
PID 3040 wrote to memory of 2716	3040	0d6496f71fd24be93348c354faf7dfa6.exe	32
PID 2716 wrote to memory of 2460	2716	csc.exe	34
PID 2716 wrote to memory of 2460	2716	csc.exe	34
PID 2716 wrote to memory of 2460	2716	csc.exe	34
PID 3040 wrote to memory of 1444	3040	0d6496f71fd24be93348c354faf7dfa6.exe	50
PID 3040 wrote to memory of 1444	3040	0d6496f71fd24be93348c354faf7dfa6.exe	50
PID 3040 wrote to memory of 1444	3040	0d6496f71fd24be93348c354faf7dfa6.exe	50
PID 3040 wrote to memory of 1420	3040	0d6496f71fd24be93348c354faf7dfa6.exe	51
PID 3040 wrote to memory of 1420	3040	0d6496f71fd24be93348c354faf7dfa6.exe	51
PID 3040 wrote to memory of 1420	3040	0d6496f71fd24be93348c354faf7dfa6.exe	51
PID 3040 wrote to memory of 1796	3040	0d6496f71fd24be93348c354faf7dfa6.exe	53
PID 3040 wrote to memory of 1796	3040	0d6496f71fd24be93348c354faf7dfa6.exe	53
PID 3040 wrote to memory of 1796	3040	0d6496f71fd24be93348c354faf7dfa6.exe	53
PID 3040 wrote to memory of 2948	3040	0d6496f71fd24be93348c354faf7dfa6.exe	54
PID 3040 wrote to memory of 2948	3040	0d6496f71fd24be93348c354faf7dfa6.exe	54
PID 3040 wrote to memory of 2948	3040	0d6496f71fd24be93348c354faf7dfa6.exe	54
PID 3040 wrote to memory of 2836	3040	0d6496f71fd24be93348c354faf7dfa6.exe	55
PID 3040 wrote to memory of 2836	3040	0d6496f71fd24be93348c354faf7dfa6.exe	55
PID 3040 wrote to memory of 2836	3040	0d6496f71fd24be93348c354faf7dfa6.exe	55
PID 3040 wrote to memory of 2756	3040	0d6496f71fd24be93348c354faf7dfa6.exe	56
PID 3040 wrote to memory of 2756	3040	0d6496f71fd24be93348c354faf7dfa6.exe	56
PID 3040 wrote to memory of 2756	3040	0d6496f71fd24be93348c354faf7dfa6.exe	56
PID 3040 wrote to memory of 2228	3040	0d6496f71fd24be93348c354faf7dfa6.exe	62
PID 3040 wrote to memory of 2228	3040	0d6496f71fd24be93348c354faf7dfa6.exe	62
PID 3040 wrote to memory of 2228	3040	0d6496f71fd24be93348c354faf7dfa6.exe	62
PID 2228 wrote to memory of 780	2228	cmd.exe	64
PID 2228 wrote to memory of 780	2228	cmd.exe	64
PID 2228 wrote to memory of 780	2228	cmd.exe	64
PID 2228 wrote to memory of 1620	2228	cmd.exe	65
PID 2228 wrote to memory of 1620	2228	cmd.exe	65
PID 2228 wrote to memory of 1620	2228	cmd.exe	65
PID 2228 wrote to memory of 2084	2228	cmd.exe	66
PID 2228 wrote to memory of 2084	2228	cmd.exe	66
PID 2228 wrote to memory of 2084	2228	cmd.exe	66
PID 2084 wrote to memory of 1272	2084	csrss.exe	67
PID 2084 wrote to memory of 1272	2084	csrss.exe	67
PID 2084 wrote to memory of 1272	2084	csrss.exe	67
PID 2312 wrote to memory of 2584	2312	csrss.exe	72
PID 2312 wrote to memory of 2584	2312	csrss.exe	72
PID 2312 wrote to memory of 2584	2312	csrss.exe	72
PID 2584 wrote to memory of 2456	2584	cmd.exe	74
PID 2584 wrote to memory of 2456	2584	cmd.exe	74
PID 2584 wrote to memory of 2456	2584	cmd.exe	74
PID 2584 wrote to memory of 2316	2584	cmd.exe	75
PID 2584 wrote to memory of 2316	2584	cmd.exe	75
PID 2584 wrote to memory of 2316	2584	cmd.exe	75
PID 2584 wrote to memory of 2452	2584	cmd.exe	76
PID 2584 wrote to memory of 2452	2584	cmd.exe	76
PID 2584 wrote to memory of 2452	2584	cmd.exe	76
PID 2452 wrote to memory of 2192	2452	csrss.exe	77
PID 2452 wrote to memory of 2192	2452	csrss.exe	77
PID 2452 wrote to memory of 2192	2452	csrss.exe	77
PID 2192 wrote to memory of 1648	2192	cmd.exe	79
PID 2192 wrote to memory of 1648	2192	cmd.exe	79
PID 2192 wrote to memory of 1648	2192	cmd.exe	79
PID 2192 wrote to memory of 944	2192	cmd.exe	80
PID 2192 wrote to memory of 944	2192	cmd.exe	80
PID 2192 wrote to memory of 944	2192	cmd.exe	80
PID 2192 wrote to memory of 1212	2192	cmd.exe	81
PID 2192 wrote to memory of 1212	2192	cmd.exe	81
PID 2192 wrote to memory of 1212	2192	cmd.exe	81
PID 1212 wrote to memory of 688	1212	csrss.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d6496f71fd24be93348c354faf7dfa6.exe
"C:\Users\Admin\AppData\Local\Temp\0d6496f71fd24be93348c354faf7dfa6.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v2swq0bm\v2swq0bm.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20AA.tmp" "c:\Windows\System32\CSC4C8AD0DB8CCB42A5AF4564E8EDC1D26B.TMP"
    3⤵
    PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d6496f71fd24be93348c354faf7dfa6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3PLr3tS9B8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:780
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1620
- - C:\Windows\system\csrss.exe
    "C:\Windows\system\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iN31mkcLsQ.bat"
      4⤵
      PID:1272
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1560
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2148
    - - C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PpUZInWQxB.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2316
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AC4J3hngkK.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:944
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Z0zJXQy9U.bat"
        10⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2808
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A3WMu9vzZU.bat"
        12⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1988
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M9klWf8770.bat"
        14⤵
        
        PID:2656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2852
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EWktresicd.bat"
        16⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:1444
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GOaFRNgcv9.bat"
        18⤵
        
        PID:2608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:540
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oR202sdZsO.bat"
        20⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2148
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat"
        22⤵
        
        PID:2512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2692
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\52fFI3PgWJ.bat"
        24⤵
        
        PID:1736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1724
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2nU7uS06N.bat"
        26⤵
        
        PID:1944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1184
        
        C:\Windows\system\csrss.exe
        
        "C:\Windows\system\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U7M87pfoGY.bat"
        28⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\system\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\system\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\system\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d6496f71fd24be93348c354faf7dfa60" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\0d6496f71fd24be93348c354faf7dfa6.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d6496f71fd24be93348c354faf7dfa6" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\0d6496f71fd24be93348c354faf7dfa6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0d6496f71fd24be93348c354faf7dfa60" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\0d6496f71fd24be93348c354faf7dfa6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3PLr3tS9B8.bat

Filesize
155B

MD5
616e7cc3669b533d319a7c04b7e1cd38

SHA1
7615d361c44f342ac0809d69869ef31002cda060

SHA256
dafb42ec5deaf203a4aff3ff97af1145cbc433bb876b0a45051aadd9d3c4fcb9

SHA512
f722cc5b645960529a9a406a9cd1e60e9d47b1b8e1163d19a6d339bf37dc8e1744f927adce1a4a291228f568e43237ac83fb8f0147da17e09331348c8122f8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Z0zJXQy9U.bat

Filesize
155B

MD5
0d10238b6ddb75d63cc8d6e6700f436c

SHA1
f27b15e3b5e2d0ee5cdf9d5309726b39136dcea5

SHA256
7040d9861d9e1297c43ee21fcbddd2707d39b4301d98eb93a7d86556def82e38

SHA512
e6109229cbaefc205f568c65c9749c980fa34ca08df529f3fe49aab4dc13915d1df7315ce0375379941c9fc99b3b35bc42b89ad30f6ba76dddde484405205f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\52fFI3PgWJ.bat

Filesize
203B

MD5
bcba9f2ecdd898d076cf230bbdf1a712

SHA1
da3867493a4b8041c09098dae9cdb473a214c5b8

SHA256
24df900423216517fc320f4acada0e623624672cc50d12f76c7f970c7aa39260

SHA512
303aee27bf6b1150f92d65c5380129bfc878385c94396634498e27e9cf696cedc5e85e48fd01e2c7bb971df6e2f675dbb4fc02ae4cb8234e74e75b2bca0aa474

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3WMu9vzZU.bat

Filesize
155B

MD5
762dbf107e4ad7c86be34048b8da3b84

SHA1
4492f2eaf56dacf6de1ba85d71f53311fe8dea61

SHA256
9651434dd18499afca6aef82342e13bf33d53c98300a7e628781f15c74a7c7cc

SHA512
a7fb2f8b4b0a864542342d1b4e04903e8ae22ff6166c396b477fe7d0706f34392f50aa7f4bedec81f4decc62963dbb4e3fd4994d8fef82d3d2502caff1bdfa4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC4J3hngkK.bat

Filesize
203B

MD5
e4755a888a87009b20fedb5a2476f1c1

SHA1
dbd759ee78b1bcc5da1b96c47db491878e8ddbf3

SHA256
bfdbe8dfbd27c7a31e488c7d19052dc4b8be5290df90d2334862d360c7f93d81

SHA512
cd7d2c75d21c66f2eb8ae22d851dc46c7bd5c405f78735c96736808b184925c7fe1734ebcd1d0ed1165803469bad5bb50517a670a4648250259caf2ea09b6a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWktresicd.bat

Filesize
155B

MD5
3d505bcb0cad20e6f66d119d68e5dad1

SHA1
d681cfa47713d1ad9b364910dfd07fea0083a0c9

SHA256
078e45b9fae1cd84c7b7341643b5739857d74cc7834cd96625269adf2376b033

SHA512
fa8edbf43cc5b7f1d6a1a6fb3ff04c47714d67f63343935dab86386d36f2f9b44a9bd3be0e940724f8c7459d3363531ee3505a1945e7d30d2bb6916cc9f8fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOaFRNgcv9.bat

Filesize
203B

MD5
513d84dcb87aefbfb18d921c2954e786

SHA1
92b15921a8cc3dfed6b53fa5647f3761dc5e5f02

SHA256
da9fc1c132bc98436d1e180c71972f1ab3455bb43e08e66595375dffc97eb2bf

SHA512
6f54062185f3dbb8c8b97feca1062e84c60d41ffc1f4c3c8c296099bbc66b55422be5203baf65d40f181eea93b67f8eda9f49cb9f52f006694c88829e94b1611

Download Submit
C:\Users\Admin\AppData\Local\Temp\M9klWf8770.bat

Filesize
203B

MD5
14b524d7b4167432c3a6b7e122774a98

SHA1
58f7ed8ede923f203bcef0e2e19841a074410c7e

SHA256
dde668a3af715935573cfb1a04f10cf3064f884bbc6de4661d6c0191230c6f6d

SHA512
08f21c85ad62e1aabf2828825391c127fde056f2b757ae48372c78d0b5c40c4789a1c49bf07dccceb6ce3ec5e3ec6015a7f43927268ebec51bf2e6b6cdff1c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PpUZInWQxB.bat

Filesize
155B

MD5
959e04def9343da5765d625d28e0b5eb

SHA1
c67c862b96fcd8cad8254eb9d17b63c609a63031

SHA256
9866935a32acc6757c9022520d63053fab4d3073d302949d23806240bd6d1d9e

SHA512
f18d896ce8e58b2e18a113d58d26c7f5920747eec51206381edeeebfaffc29c2d6d3655d1280dd8edba285eaa451658fcb1fa0427620e36d88ab5c909e743b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20AA.tmp

Filesize
1KB

MD5
9ddb053855621a2b7e83e27505bef128

SHA1
27c39ce0010abe47e0375cc92786a7a2db9635ca

SHA256
f1bbedcaa0988131aa43b50f16279b23ce6d900e7883413e11d05ec47d33bfc9

SHA512
006d2ee69696343dee9e9f7d2469c1c74c5f61515ec7a04fcda2b9a6c9304366e07015bb690a91f8f9e6961d7c9b2dfe91347e22dddb8cebed07dcf3d51214f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat

Filesize
155B

MD5
e8539b55343b3bbeabe5f2c4660080ed

SHA1
b352ae2e24dc61e21a27903ed8606870b0cc9f4f

SHA256
cb14a52554d0e7e5dd9ba14dd13a11dbe6e983ea9b5df86fc2d3155bb325e259

SHA512
217f542327a5e1a7a3281b4297241b349992e6b1b9e92526f075cef9ae5a7cbb1bfe1b0b4004d201801c1bd8b4f164db739f09a6d338edb92d52c35fe59be717

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7M87pfoGY.bat

Filesize
155B

MD5
e3c80cc0a87a38b3719941f8b8bba14f

SHA1
b4b8d3adc68b06d99074235b1c1bf2d8955cddb6

SHA256
d3b3ff8fb1e4bee37d62abcfbb378cb07963bf9c4ef80545e728f9ca7336de91

SHA512
a442f25eed5c07bf263e8669cfac3181255ab8ec62dd10dc88ad6b8ab2fe758fef2fc85096871296feed3f0de9594053b061e8d0cfc9555266e8908e07b496ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\oR202sdZsO.bat

Filesize
203B

MD5
e06e242d9e14c6ab9678d2bfb7505a5d

SHA1
5d0b48d3efe01495f5f2313c263afb535e6412e2

SHA256
5132a5cffacae710f70faf8e8028a7ac51820fcba03e2d64af75b28690bd5da5

SHA512
b2e2902a244390aa023a0fe85a573ac75888d61b5b86a45c425beac85fb8cea7f849a2b52eb40c08a6cc22ad8d8c149f16d94673082e2156a918040b03053076

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2nU7uS06N.bat

Filesize
203B

MD5
d704cbbf5c7d7bc73b9b310ff0764c1f

SHA1
9f08edff260e7e39f5c1b5af4d356381c57db52f

SHA256
8be00e61b68c4be3086163135295d574b1afea18756a8e886a9e601a29c431d9

SHA512
1c35b22fef97495ff18ade41f15bd528bf74ef3757ccbbed4aeef232311ce87c635cc3d77ed37ad82306f69b8abc07c91698505ca66551d56d2dd2440fa9ce8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d28f01e6a4ef99e0d5b6566bcba1941b

SHA1
e811bba5ad618be61fcbe7ef1f314b449c792cef

SHA256
ba8ad84c3902b86287214ac513469745af78fe1042009135b2665651431e9106

SHA512
e70f77db6934801a02536f0370c1aaa9e0c595fa15f97d1945a35678dad6e73017fd9bb2f6ce7edff0fba7d023f3a6b3bd6729b4b4fdb197b9498619bfe86fa1

Download Submit
C:\Windows\system\csrss.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v2swq0bm\v2swq0bm.0.cs

Filesize
359B

MD5
35c087de0cc4587c86c4e6c37b0edc88

SHA1
c23e3ce1991e2d5da24221351fd0185ddfedf794

SHA256
1940d9035cdeab563bb8d6416ae2a801ff3e724d4b949044f7f76afcce5925c0

SHA512
1cbf649cbc29683faea3b5d9856d8e9f95a78d321899ada42c9b5a940d0f0c2c77f3b523b63719c594415d89f06f645d2ffd69b9ade2bde00b6bd7ea0df9d626

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v2swq0bm\v2swq0bm.cmdline

Filesize
235B

MD5
c309400d6cc95d8369d04301f3232f10

SHA1
8ff25847ae18de9fbccc663748263ebc510939a6

SHA256
bc48afa10203f02b62dece8963fefcfc913055b93c345f3bbc85dfb703d764a0

SHA512
69903b8e5ece8b8825081591bf234f4c448694741f913278fc188759b48f554d286757046956824561b77f957a517dcefedd316016dc3c6c60329a3cd12d3f21

Download Submit
\??\c:\Windows\System32\CSC4C8AD0DB8CCB42A5AF4564E8EDC1D26B.TMP

Filesize
1KB

MD5
3fcb2bd8a227751c0367dff5940613bb

SHA1
bcca174ab4499de5713d836fbc368966aa1f5b2c

SHA256
aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c

SHA512
c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672

Download Submit
memory/804-172-0x0000000000180000-0x000000000032C000-memory.dmp

Filesize
1.7MB

Download
memory/1212-101-0x0000000000B90000-0x0000000000D3C000-memory.dmp

Filesize
1.7MB

Download
memory/1480-181-0x0000000000970000-0x0000000000B1C000-memory.dmp

Filesize
1.7MB

Download
memory/2084-74-0x0000000001090000-0x000000000123C000-memory.dmp

Filesize
1.7MB

Download
memory/2096-136-0x0000000001320000-0x00000000014CC000-memory.dmp

Filesize
1.7MB

Download
memory/2196-127-0x0000000001030000-0x00000000011DC000-memory.dmp

Filesize
1.7MB

Download
memory/2312-82-0x0000000001260000-0x000000000140C000-memory.dmp

Filesize
1.7MB

Download
memory/2452-91-0x0000000000170000-0x000000000031C000-memory.dmp

Filesize
1.7MB

Download
memory/2900-153-0x00000000002E0000-0x000000000048C000-memory.dmp

Filesize
1.7MB

Download
memory/2904-110-0x0000000001000000-0x00000000011AC000-memory.dmp

Filesize
1.7MB

Download
memory/2916-162-0x00000000002F0000-0x000000000049C000-memory.dmp

Filesize
1.7MB

Download
memory/2948-55-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2948-53-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/3040-9-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/3040-7-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-6-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/3040-10-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-4-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-70-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-3-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-11-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-2-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x0000000001300000-0x00000000014AC000-memory.dmp

Filesize
1.7MB

Download