zgrat | 6f7189376b953fd0a6e37f23d7f4bf6be70ff4d5cb39214a8d766bf9f6044511

Analysis

max time kernel
71s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fluxus Cracked.exe
Size

4.9MB
MD5

7a182d7bd6c9304ea5e2fa27e007becc
SHA1

2ff3ccdad179d5ad23a59fedab2cb7b284f51af3
SHA256

6f7189376b953fd0a6e37f23d7f4bf6be70ff4d5cb39214a8d766bf9f6044511
SHA512

cdb5e2bcbbe16619ec008069ac5350743e965b6b89d335b85f36b055baa54f7006c0313093cf435ffc0c84854bfc1600992e2be8512d6436161ae4c3192bb8b6
SSDEEP

98304:BFVqfd/eLhdGYhfl0CcnVNB5G6X4RutZhjltPY5tnJTJmjPduN7umo1YU:IeL9Ncn93X8Yhl8nxJpumo1d

Score

10^/10

zgrat execution rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-4.dat	family_zgrat_v1
behavioral2/files/0x0008000000023412-62.dat	family_zgrat_v1
behavioral2/memory/5084-63-0x00000000001D0000-0x00000000003CA000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2176	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2176	schtasks.exe	93

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe
2708	powershell.exe
4400	powershell.exe
4836	powershell.exe
2272	powershell.exe
2108	powershell.exe
3728	powershell.exe
1584	powershell.exe
3688	powershell.exe
1172	powershell.exe
576	powershell.exe
3748	powershell.exe
2444	powershell.exe
2532	powershell.exe
4372	powershell.exe
4264	powershell.exe
2612	powershell.exe
3888	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Fluxus Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	providerCrtdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 10 IoCs

pid	Process
2600	DCRatBuild.exe
4740	Fluxus V7.exe
5084	providerCrtdhcp.exe
5632	RuntimeBroker.exe
4952	RuntimeBroker.exe
3232	RuntimeBroker.exe
5140	RuntimeBroker.exe
5588	RuntimeBroker.exe
2172	RuntimeBroker.exe
2440	RuntimeBroker.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ipinfo.io
18	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	providerCrtdhcp.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	providerCrtdhcp.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Media\Delta\SearchApp.exe	providerCrtdhcp.exe
File opened for modification	C:\Windows\Media\Delta\SearchApp.exe	providerCrtdhcp.exe
File created	C:\Windows\Media\Delta\38384e6a620884	providerCrtdhcp.exe
File created	C:\Windows\assembly\GAC\services.exe	providerCrtdhcp.exe
File created	C:\Windows\assembly\GAC\c5b4cb5e9653cc	providerCrtdhcp.exe
File created	C:\Windows\rescache\cmd.exe	providerCrtdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	4740	WerFault.exe	84

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2344	schtasks.exe
3392	schtasks.exe
3576	schtasks.exe
4320	schtasks.exe
4356	schtasks.exe
3996	schtasks.exe
3488	schtasks.exe
4028	schtasks.exe
3456	schtasks.exe
4412	schtasks.exe
3276	schtasks.exe
3620	schtasks.exe
540	schtasks.exe
2524	schtasks.exe
2976	schtasks.exe
3052	schtasks.exe
1512	schtasks.exe
3304	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	providerCrtdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	RuntimeBroker.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2400	PING.EXE
3584	PING.EXE
2304	PING.EXE
1104	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	Fluxus V7.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe
5084	providerCrtdhcp.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	Fluxus V7.exe
Token: SeDebugPrivilege	5084	providerCrtdhcp.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	5632	RuntimeBroker.exe
Token: SeDebugPrivilege	4952	RuntimeBroker.exe
Token: SeDebugPrivilege	3232	RuntimeBroker.exe
Token: SeDebugPrivilege	5140	RuntimeBroker.exe
Token: SeDebugPrivilege	5588	RuntimeBroker.exe
Token: SeDebugPrivilege	2172	RuntimeBroker.exe
Token: SeDebugPrivilege	2440	RuntimeBroker.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4740	Fluxus V7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 2600	4252	Fluxus Cracked.exe	83
PID 4252 wrote to memory of 2600	4252	Fluxus Cracked.exe	83
PID 4252 wrote to memory of 2600	4252	Fluxus Cracked.exe	83
PID 4252 wrote to memory of 4740	4252	Fluxus Cracked.exe	84
PID 4252 wrote to memory of 4740	4252	Fluxus Cracked.exe	84
PID 4252 wrote to memory of 4740	4252	Fluxus Cracked.exe	84
PID 2600 wrote to memory of 4552	2600	DCRatBuild.exe	86
PID 2600 wrote to memory of 4552	2600	DCRatBuild.exe	86
PID 2600 wrote to memory of 4552	2600	DCRatBuild.exe	86
PID 4552 wrote to memory of 4936	4552	WScript.exe	90
PID 4552 wrote to memory of 4936	4552	WScript.exe	90
PID 4552 wrote to memory of 4936	4552	WScript.exe	90
PID 4936 wrote to memory of 5084	4936	cmd.exe	92
PID 4936 wrote to memory of 5084	4936	cmd.exe	92
PID 5084 wrote to memory of 3728	5084	providerCrtdhcp.exe	113
PID 5084 wrote to memory of 3728	5084	providerCrtdhcp.exe	113
PID 5084 wrote to memory of 4264	5084	providerCrtdhcp.exe	114
PID 5084 wrote to memory of 4264	5084	providerCrtdhcp.exe	114
PID 5084 wrote to memory of 2108	5084	providerCrtdhcp.exe	115
PID 5084 wrote to memory of 2108	5084	providerCrtdhcp.exe	115
PID 5084 wrote to memory of 2444	5084	providerCrtdhcp.exe	116
PID 5084 wrote to memory of 2444	5084	providerCrtdhcp.exe	116
PID 5084 wrote to memory of 2272	5084	providerCrtdhcp.exe	117
PID 5084 wrote to memory of 2272	5084	providerCrtdhcp.exe	117
PID 5084 wrote to memory of 4836	5084	providerCrtdhcp.exe	118
PID 5084 wrote to memory of 4836	5084	providerCrtdhcp.exe	118
PID 5084 wrote to memory of 3748	5084	providerCrtdhcp.exe	119
PID 5084 wrote to memory of 3748	5084	providerCrtdhcp.exe	119
PID 5084 wrote to memory of 2612	5084	providerCrtdhcp.exe	120
PID 5084 wrote to memory of 2612	5084	providerCrtdhcp.exe	120
PID 5084 wrote to memory of 1584	5084	providerCrtdhcp.exe	121
PID 5084 wrote to memory of 1584	5084	providerCrtdhcp.exe	121
PID 5084 wrote to memory of 4372	5084	providerCrtdhcp.exe	125
PID 5084 wrote to memory of 4372	5084	providerCrtdhcp.exe	125
PID 5084 wrote to memory of 3888	5084	providerCrtdhcp.exe	127
PID 5084 wrote to memory of 3888	5084	providerCrtdhcp.exe	127
PID 5084 wrote to memory of 4400	5084	providerCrtdhcp.exe	129
PID 5084 wrote to memory of 4400	5084	providerCrtdhcp.exe	129
PID 5084 wrote to memory of 2708	5084	providerCrtdhcp.exe	130
PID 5084 wrote to memory of 2708	5084	providerCrtdhcp.exe	130
PID 5084 wrote to memory of 576	5084	providerCrtdhcp.exe	131
PID 5084 wrote to memory of 576	5084	providerCrtdhcp.exe	131
PID 5084 wrote to memory of 1172	5084	providerCrtdhcp.exe	133
PID 5084 wrote to memory of 1172	5084	providerCrtdhcp.exe	133
PID 5084 wrote to memory of 3636	5084	providerCrtdhcp.exe	135
PID 5084 wrote to memory of 3636	5084	providerCrtdhcp.exe	135
PID 5084 wrote to memory of 3688	5084	providerCrtdhcp.exe	136
PID 5084 wrote to memory of 3688	5084	providerCrtdhcp.exe	136
PID 5084 wrote to memory of 2532	5084	providerCrtdhcp.exe	138
PID 5084 wrote to memory of 2532	5084	providerCrtdhcp.exe	138
PID 5084 wrote to memory of 3524	5084	providerCrtdhcp.exe	149
PID 5084 wrote to memory of 3524	5084	providerCrtdhcp.exe	149
PID 3524 wrote to memory of 6060	3524	cmd.exe	151
PID 3524 wrote to memory of 6060	3524	cmd.exe	151
PID 3524 wrote to memory of 5412	3524	cmd.exe	152
PID 3524 wrote to memory of 5412	3524	cmd.exe	152
PID 3524 wrote to memory of 5632	3524	cmd.exe	153
PID 3524 wrote to memory of 5632	3524	cmd.exe	153
PID 5632 wrote to memory of 5904	5632	RuntimeBroker.exe	154
PID 5632 wrote to memory of 5904	5632	RuntimeBroker.exe	154
PID 5904 wrote to memory of 5960	5904	cmd.exe	156
PID 5904 wrote to memory of 5960	5904	cmd.exe	156
PID 5904 wrote to memory of 5952	5904	cmd.exe	157
PID 5904 wrote to memory of 5952	5904	cmd.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fluxus Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus Cracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\BlockSurrogatefontMonitor\mU33YMZQGxUfzjmO0oI8Zrz6gJvOxY9asaKa7z6q8Tx1Sco7H6GDW.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\BlockSurrogatefontMonitor\3PJdJcQr3lygZCpzSTZp2eI0PMEBYXtL0AVL8ua0cyEJAoGxj.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe
        
        "C:\BlockSurrogatefontMonitor/providerCrtdhcp.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/BlockSurrogatefontMonitor/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Delta\SearchApp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auZv5rUG6P.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5412
        
        C:\Users\Admin\SendTo\RuntimeBroker.exe
        
        "C:\Users\Admin\SendTo\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5952
        
        C:\Users\Admin\SendTo\RuntimeBroker.exe
        
        "C:\Users\Admin\SendTo\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat"
        10⤵
        
        PID:920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2400
        
        C:\Users\Admin\SendTo\RuntimeBroker.exe
        
        "C:\Users\Admin\SendTo\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5cqYlxHIW.bat"
        12⤵
        
        PID:6092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1580
        
        C:\Users\Admin\SendTo\RuntimeBroker.exe
        
        "C:\Users\Admin\SendTo\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EWktresicd.bat"
        14⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:3584
        
        C:\Users\Admin\SendTo\RuntimeBroker.exe
        
        "C:\Users\Admin\SendTo\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat"
        16⤵
        
        PID:5496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:660
        
        C:\Users\Admin\SendTo\RuntimeBroker.exe
        
        "C:\Users\Admin\SendTo\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat"
        18⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\SendTo\RuntimeBroker.exe
        
        "C:\Users\Admin\SendTo\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat"
        20⤵
        
        PID:2160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:1104
- C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe
  "C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 3772
    3⤵
    - Program crash
    PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Delta\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Media\Delta\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Delta\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcpp" /sc MINUTE /mo 14 /tr "'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcp" /sc ONLOGON /tr "'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerCrtdhcpp" /sc MINUTE /mo 8 /tr "'C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4740 -ip 4740
1⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultae938e63h77d9h4d19hb1abh6d3215d5315e
1⤵
PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8f4b746f8,0x7ff8f4b74708,0x7ff8f4b74718
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,16406818686712825120,3804737134961920510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,16406818686712825120,3804737134961920510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,16406818686712825120,3804737134961920510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BlockSurrogatefontMonitor\3PJdJcQr3lygZCpzSTZp2eI0PMEBYXtL0AVL8ua0cyEJAoGxj.bat

Filesize
98B

MD5
ad2691ba31afed2f48c0f86fd9ce40ea

SHA1
20210915d87b554f022f94abaaef65a0b6b24b04

SHA256
ffb7a40e82071cd94d8482d8a48458ee8ee1ab7e6afa147505910a4d4bca4801

SHA512
32e813271d709fd578fc46e64ffa185e0ab63725bf294186a286f23185076f9aab7984a9c71b606754b2623d5299da61f0a3f7f51d7b450c932e5963aa8074bb

Download Submit
C:\BlockSurrogatefontMonitor\mU33YMZQGxUfzjmO0oI8Zrz6gJvOxY9asaKa7z6q8Tx1Sco7H6GDW.vbe

Filesize
252B

MD5
cd2eaebf959be410709c87c7b02382ed

SHA1
4b12369510c87ab57cbe424bd1c9d22c8acedf1a

SHA256
742a7fdad0768c63df86d1ebb28412d4fa77714d49d3ef8d3ddfbec4d9b65609

SHA512
afb769abd66ee360a5dc3f82a297ce3223059a31185364a8bd1cc22e97e1f3b3f970e9598b6ed48beff056c749919e07e3d2fd4ac99230759ebcc51c4eee656c

Download Submit
C:\BlockSurrogatefontMonitor\providerCrtdhcp.exe

Filesize
2.0MB

MD5
e96f7c0bf7d61148e00dae07be005de9

SHA1
f2a689a2b5e4225995fcfd31b587c3ad71651e21

SHA256
37e1d2d17840e5323c3d3dd88171eabbd6d5c14ccd008cd2ce832c8cd51e7f8c

SHA512
3911e368f4c36f5734297b74cae871aa5b1c8ab5b1308c79d44cabf4695970d3682b6f90f7e260087cd04d364a9def389999dfe038243586a717c2dc4ff6dd37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
7a7dd1e695790550e38cb160458687c9

SHA1
ca8425e79d183db9ba405e3a799c9b7592ed4618

SHA256
ced69c14422bf143608e1efb84c2131d5526cbc7203047ddd37337b9bf526fdb

SHA512
f3b621c8423a9cfe9409d16b80ac4225123a7cb9adddacbdd4f69c95375a9dc11aecc147d858eef50a44d7c3d517a2707e3fe6f1d8b7f0c6a35dd1e83daac3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6f8a8aba20f77959125151eb7ac67fc

SHA1
8a1b94298778620b5d8f06381503de86516017e6

SHA256
5d95f3c0ed153da78f5cdf7173d3b8959145ff84901383ab0c20fe5862dadb03

SHA512
448e4f8a1df5a3ebcbfbbcc8b901799d0abb6c71ba40c65ebc0f67f6a1b81b342c0804c1a2a2fbee91a2ad06715bb78b6f05fc8085b8a0dc4a100b2d97ea4f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ac28c34e815b880d8cdfb10b8e1661fa

SHA1
2ca1e7dc18433e339053c1bcdd8c1268414a098a

SHA256
356402a8b393e2f3fa6961494565063a03223fb23d7206aaa36fb9af54ddd30e

SHA512
4b5037d271a0e8d89e4deb6b30bc2c7297ca782f54c29569086e6487b345c8e9839ec6a975d6d8004d60b699159647c374c63244903a80c09f80a5cf6495f60b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.3MB

MD5
d341f3cd7398873faf25661504f90b56

SHA1
48e2617f2e46b20460decf7096942d1823bfb143

SHA256
34cbdce2fee0ae1eb578c4a97962d71c3edfe86685c5ae4f24f4f6276f696805

SHA512
482478705ef3ae79fdf4912e33925f6623d533d73b83e3b35eb176d39ed8db3a65bc84c84aabb2a2b570ec41436d6bbcc4b3be9020d5c50530282fa0c90d105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EWktresicd.bat

Filesize
167B

MD5
356782645c6daa5571df3bd890e1e812

SHA1
f1078567eb7a93abc8866d777df7737bed79655b

SHA256
37704f1f73b9a152d05a06b7363e0d2cc92b79941b4bc9eeeeca9dbe08ef0bbc

SHA512
aa1ac17a4b21fa97fb6b65887c633c1845f74ef5d4a52c78c902c559ee032345ae4031fe624c1d7259b352867083d116f5f59e18eb06adfb8530d3ca7ede5193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fluxus V7.exe

Filesize
3.9MB

MD5
aa5d196260f56a93d7a9ddf32d202112

SHA1
4abe547da7e38e9facb98523e4795a71af6b4600

SHA256
653eaa58999ff72cd9e858a9661c87b049fc66172d20fc9ae0f1e3b1e2af694b

SHA512
7cf76918a4d04c628cc4e7b3a7f2674c03b97104e98b98ab8407d2e12521e48dc61438d982cfdc9763deaa1b915e4432a972274dd6ac381a5a58f08e1ffd55d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyrbww4q.0c0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\auZv5rUG6P.bat

Filesize
215B

MD5
9eaeda0ce209e20b3e72c1d3e046da11

SHA1
008546a7ea0615afcae2655686b96394978cfa97

SHA256
6d69698c7d78d585b6b04e684e9662d2a719defc1dbbd309d7a681d1720e76c6

SHA512
9cb9a28402214d221b33f57b50605ed0bf59b88797acc46eb5fde9f78f725d05ba749a41c6fe7cb723cf98f12d0dad17590a4ffd4e0310546f28ad0398629df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5cqYlxHIW.bat

Filesize
215B

MD5
f18e9b560266e22d40f953766b69d7a1

SHA1
4dd097a7307e91810371d02e0917c783560be20c

SHA256
a870771eb2ac42d8afcbbf9b934db007983711c24728388407e8c42ef139fba8

SHA512
5e51b22d3640d7aa7dd226e5845cb6bd74cbbeaa1e413e2fdeba2663922828ebaeacded82e0c9786da685f79b2f254de3c47b0a9bca3f095b29e744259907c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m961u58njg.bat

Filesize
167B

MD5
3f453746d1fab3670cdfd0f711696a95

SHA1
021678a235eed93587dbbc2264848df1b1e21990

SHA256
882edd9698334bedbc0f837d7017a72e8a9623706b2d526d14655e8603216953

SHA512
dd8e18646bb794376e92a283dfe12d9c851d837682875d1fa9c2e782b1285089c1b927ecbfe801ac33dfa6825c144f45e237fd32d9194cf7120f33b3d9bdf55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat

Filesize
215B

MD5
d955498e66def0523e6bbcadfa38bbc8

SHA1
46647e0a87f69436612430b21ec9d5acde57321d

SHA256
cf2300a059bc191e935371de1321d9e41ec56b67fddd642728ca5cdbda0fdac8

SHA512
e2a8226b376474a7c0038ef90fecf552b7ef82fec60a4f95474d4b1d29ad038f49f129c936cc400f1b58e45ecee9a34d43f4fd5a959452bc15f51956f1be4995

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat

Filesize
167B

MD5
d7237923e4d3c656941e5766e1bdf891

SHA1
f82ed62353a6ac88c10218d2a40397ed0ece5eac

SHA256
f66309e711038285a09ae35b29c356565002354120d88358b8cdbb19e1c084ed

SHA512
bcc358b48f796a2f84f4794fdd53ec2c268dac67293009ea5047f7146d74203c00e48f6868ecad23f8131b5a128f40839da91346b81dd20813ec59e828508915

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYh8fPsglb.bat

Filesize
215B

MD5
9713d63c7fc6c97197430399c7142911

SHA1
0e3873c49f0737c94f0e7d9b62295f4f886fc7a1

SHA256
0de6ede269767f864bdb9403db30cdee380ced6838c50388379c0a4f891c9a35

SHA512
8345b281da184780495670bb9b34d08159d5c3036a7abfe4034a3990968678e2b463d98c66d880a200420c8c7bad87bc31bfe2ebbd7ffbc9ca9c4de3f8e58ec9

Download Submit
memory/2708-129-0x00000272E29A0000-0x00000272E29C2000-memory.dmp

Filesize
136KB

Download
memory/4740-51-0x000000000C3A0000-0x000000000C3C2000-memory.dmp

Filesize
136KB

Download
memory/4740-331-0x000000000D6C0000-0x000000000D6D2000-memory.dmp

Filesize
72KB

Download
memory/4740-21-0x0000000072BFE000-0x0000000072BFF000-memory.dmp

Filesize
4KB

Download
memory/4740-73-0x000000000E820000-0x000000000E83E000-memory.dmp

Filesize
120KB

Download
memory/4740-74-0x000000000E840000-0x000000000E8E3000-memory.dmp

Filesize
652KB

Download
memory/4740-75-0x000000000E930000-0x000000000E93A000-memory.dmp

Filesize
40KB

Download
memory/4740-76-0x000000000E950000-0x000000000E961000-memory.dmp

Filesize
68KB

Download
memory/4740-29-0x0000000000C30000-0x0000000001024000-memory.dmp

Filesize
4.0MB

Download
memory/4740-31-0x0000000072BF0000-0x00000000733A0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-32-0x0000000006190000-0x0000000006734000-memory.dmp

Filesize
5.6MB

Download
memory/4740-33-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/4740-34-0x000000000A380000-0x000000000A388000-memory.dmp

Filesize
32KB

Download
memory/4740-35-0x000000000A720000-0x000000000A758000-memory.dmp

Filesize
224KB

Download
memory/4740-36-0x000000000A390000-0x000000000A39E000-memory.dmp

Filesize
56KB

Download
memory/4740-37-0x000000000BCF0000-0x000000000C318000-memory.dmp

Filesize
6.2MB

Download
memory/4740-47-0x000000000BCA0000-0x000000000BCBA000-memory.dmp

Filesize
104KB

Download
memory/4740-94-0x000000000E980000-0x000000000E98E000-memory.dmp

Filesize
56KB

Download
memory/4740-95-0x000000000EC60000-0x000000000EC74000-memory.dmp

Filesize
80KB

Download
memory/4740-96-0x000000000ECA0000-0x000000000ECBA000-memory.dmp

Filesize
104KB

Download
memory/4740-97-0x000000000ECC0000-0x000000000ECC8000-memory.dmp

Filesize
32KB

Download
memory/4740-98-0x000000000D320000-0x000000000D328000-memory.dmp

Filesize
32KB

Download
memory/4740-57-0x000000000D0D0000-0x000000000D0F2000-memory.dmp

Filesize
136KB

Download
memory/4740-56-0x000000000C9B0000-0x000000000CA16000-memory.dmp

Filesize
408KB

Download
memory/4740-55-0x0000000006750000-0x0000000006AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4740-54-0x000000000C5A0000-0x000000000C5EA000-memory.dmp

Filesize
296KB

Download
memory/4740-53-0x000000000C3F0000-0x000000000C40E000-memory.dmp

Filesize
120KB

Download
memory/4740-52-0x000000000C4E0000-0x000000000C546000-memory.dmp

Filesize
408KB

Download
memory/4740-50-0x000000000C440000-0x000000000C4D6000-memory.dmp

Filesize
600KB

Download
memory/4740-49-0x000000000CA20000-0x000000000D09A000-memory.dmp

Filesize
6.5MB

Download
memory/4740-48-0x000000000C360000-0x000000000C396000-memory.dmp

Filesize
216KB

Download
memory/4740-330-0x000000000A460000-0x000000000A46A000-memory.dmp

Filesize
40KB

Download
memory/4740-58-0x000000000D2A0000-0x000000000D2EC000-memory.dmp

Filesize
304KB

Download
memory/4740-332-0x0000000072BF0000-0x00000000733A0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-93-0x000000001AF50000-0x000000001AF5C000-memory.dmp

Filesize
48KB

Download
memory/5084-91-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/5084-89-0x0000000002410000-0x000000000241C000-memory.dmp

Filesize
48KB

Download
memory/5084-87-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/5084-85-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/5084-83-0x000000001AF30000-0x000000001AF48000-memory.dmp

Filesize
96KB

Download
memory/5084-81-0x000000001AF80000-0x000000001AFD0000-memory.dmp

Filesize
320KB

Download
memory/5084-80-0x000000001AF10000-0x000000001AF2C000-memory.dmp

Filesize
112KB

Download
memory/5084-78-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/5084-63-0x00000000001D0000-0x00000000003CA000-memory.dmp

Filesize
2.0MB

Download