zgrat | 8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f11bde1f33ddb5b4c398d4cc8b1c7c.exe
Size

1.4MB
MD5

61f11bde1f33ddb5b4c398d4cc8b1c7c
SHA1

614eaeab2931cc5b18f4d09afdf18fa95948ed90
SHA256

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159
SHA512

a2c33d12d345987be7cb2f53d321e738dd7b2b85672f674c317405313be4b3f13bfa99e9a0cda37b59563734871f299db33964a4576ee2a6e23e0dbdc7fab708
SSDEEP

24576:mj/Vhz2r7o+CE7cBOlZqevIhEvQQdFZUQpCqoIpO8TI76ze7lyJD5xKeVwGvn:q/Pz2rkzEYBOGGIsdFZUQpbVTIiEqD5Z

Score

10^/10

zgrat evasion execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x000a00000001ea83-6.dat	family_zgrat_v1
behavioral2/files/0x000900000002326a-23.dat	family_zgrat_v1
behavioral2/memory/432-25-0x00000000006A0000-0x000000000084C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\appcompat\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\MSBuild\\msedge.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\appcompat\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\MSBuild\\msedge.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dwm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\appcompat\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\MSBuild\\msedge.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dwm.exe\", \"C:\\Users\\Admin\\SendTo\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\appcompat\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\MSBuild\\msedge.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dwm.exe\", \"C:\\Users\\Admin\\SendTo\\System.exe\", \"C:\\Windows\\Globalization\\Time Zone\\Idle.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\appcompat\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\MSBuild\\msedge.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dwm.exe\", \"C:\\Users\\Admin\\SendTo\\System.exe\", \"C:\\Windows\\Globalization\\Time Zone\\Idle.exe\", \"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\appcompat\\OfficeClickToRun.exe\""	blockPortComdriverbroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6024	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	5568	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	5568	schtasks.exe	96

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1640	powershell.exe
6136	powershell.exe
4652	powershell.exe
6056	powershell.exe
5056	powershell.exe
5212	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	blockPortComdriverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 10 IoCs

pid	Process
1956	1.exe
432	blockPortComdriverbroker.exe
5600	dwm.exe
2908	dwm.exe
3976	dwm.exe
3180	dwm.exe
6036	dwm.exe
5292	dwm.exe
4832	dwm.exe
5056	dwm.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\SendTo\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Admin\\SendTo\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Globalization\\Time Zone\\Idle.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Globalization\\Time Zone\\Idle.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\appcompat\\OfficeClickToRun.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\MSBuild\\msedge.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dwm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\dwm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\appcompat\\OfficeClickToRun.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\MSBuild\\msedge.exe\""	blockPortComdriverbroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCFC162025537643CB874DDFF8A413C17.TMP	csc.exe
File created	\??\c:\Windows\System32\_iyiwy.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\61a52ddc9dd915	blockPortComdriverbroker.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCD404104D6A3841989365D82541457CF2.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe	blockPortComdriverbroker.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\6cb0b6c459d5d3	blockPortComdriverbroker.exe
File created	C:\Program Files (x86)\MSBuild\msedge.exe	blockPortComdriverbroker.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\appcompat\OfficeClickToRun.exe	blockPortComdriverbroker.exe
File created	C:\Windows\appcompat\e6c9b481da804f	blockPortComdriverbroker.exe
File created	C:\Windows\Globalization\Time Zone\Idle.exe	blockPortComdriverbroker.exe
File opened for modification	C:\Windows\Globalization\Time Zone\Idle.exe	blockPortComdriverbroker.exe
File created	C:\Windows\Globalization\Time Zone\6ccacd8608530f	blockPortComdriverbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4892	schtasks.exe
1480	schtasks.exe
2692	schtasks.exe
3396	schtasks.exe
3084	schtasks.exe
648	schtasks.exe
2472	schtasks.exe
3108	schtasks.exe
4388	schtasks.exe
1492	schtasks.exe
784	schtasks.exe
6140	schtasks.exe
6024	schtasks.exe
4492	schtasks.exe
3416	schtasks.exe
3532	schtasks.exe
2884	schtasks.exe
1864	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	1.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	blockPortComdriverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	dwm.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5808	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1924	PING.EXE
5344	PING.EXE
5356	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
432	blockPortComdriverbroker.exe
4652	powershell.exe
4652	powershell.exe
6136	powershell.exe
6136	powershell.exe
1640	powershell.exe
1640	powershell.exe
5212	powershell.exe
5212	powershell.exe
5056	powershell.exe
5056	powershell.exe
6056	powershell.exe
6056	powershell.exe
1640	powershell.exe
5212	powershell.exe
6056	powershell.exe
5056	powershell.exe
6136	powershell.exe
4652	powershell.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe
5600	dwm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	6136	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	6056	powershell.exe
Token: SeDebugPrivilege	5600	dwm.exe
Token: SeDebugPrivilege	2908	dwm.exe
Token: SeDebugPrivilege	3976	dwm.exe
Token: SeDebugPrivilege	3180	dwm.exe
Token: SeDebugPrivilege	6036	dwm.exe
Token: SeDebugPrivilege	5292	dwm.exe
Token: SeDebugPrivilege	4832	dwm.exe
Token: SeDebugPrivilege	5056	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 1956	4620	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe	91
PID 4620 wrote to memory of 1956	4620	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe	91
PID 4620 wrote to memory of 1956	4620	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe	91
PID 1956 wrote to memory of 5980	1956	1.exe	98
PID 1956 wrote to memory of 5980	1956	1.exe	98
PID 1956 wrote to memory of 5980	1956	1.exe	98
PID 5980 wrote to memory of 5384	5980	WScript.exe	102
PID 5980 wrote to memory of 5384	5980	WScript.exe	102
PID 5980 wrote to memory of 5384	5980	WScript.exe	102
PID 5384 wrote to memory of 5808	5384	cmd.exe	104
PID 5384 wrote to memory of 5808	5384	cmd.exe	104
PID 5384 wrote to memory of 5808	5384	cmd.exe	104
PID 5384 wrote to memory of 432	5384	cmd.exe	105
PID 5384 wrote to memory of 432	5384	cmd.exe	105
PID 432 wrote to memory of 4816	432	blockPortComdriverbroker.exe	109
PID 432 wrote to memory of 4816	432	blockPortComdriverbroker.exe	109
PID 4816 wrote to memory of 3564	4816	csc.exe	111
PID 4816 wrote to memory of 3564	4816	csc.exe	111
PID 432 wrote to memory of 3768	432	blockPortComdriverbroker.exe	112
PID 432 wrote to memory of 3768	432	blockPortComdriverbroker.exe	112
PID 3768 wrote to memory of 4496	3768	csc.exe	114
PID 3768 wrote to memory of 4496	3768	csc.exe	114
PID 432 wrote to memory of 6056	432	blockPortComdriverbroker.exe	130
PID 432 wrote to memory of 6056	432	blockPortComdriverbroker.exe	130
PID 432 wrote to memory of 6136	432	blockPortComdriverbroker.exe	131
PID 432 wrote to memory of 6136	432	blockPortComdriverbroker.exe	131
PID 432 wrote to memory of 1640	432	blockPortComdriverbroker.exe	132
PID 432 wrote to memory of 1640	432	blockPortComdriverbroker.exe	132
PID 432 wrote to memory of 5212	432	blockPortComdriverbroker.exe	133
PID 432 wrote to memory of 5212	432	blockPortComdriverbroker.exe	133
PID 432 wrote to memory of 4652	432	blockPortComdriverbroker.exe	134
PID 432 wrote to memory of 4652	432	blockPortComdriverbroker.exe	134
PID 432 wrote to memory of 5056	432	blockPortComdriverbroker.exe	135
PID 432 wrote to memory of 5056	432	blockPortComdriverbroker.exe	135
PID 432 wrote to memory of 5572	432	blockPortComdriverbroker.exe	142
PID 432 wrote to memory of 5572	432	blockPortComdriverbroker.exe	142
PID 5572 wrote to memory of 3700	5572	cmd.exe	144
PID 5572 wrote to memory of 3700	5572	cmd.exe	144
PID 5572 wrote to memory of 4488	5572	cmd.exe	145
PID 5572 wrote to memory of 4488	5572	cmd.exe	145
PID 5572 wrote to memory of 5600	5572	cmd.exe	146
PID 5572 wrote to memory of 5600	5572	cmd.exe	146
PID 5600 wrote to memory of 5812	5600	dwm.exe	147
PID 5600 wrote to memory of 5812	5600	dwm.exe	147
PID 5812 wrote to memory of 1508	5812	cmd.exe	149
PID 5812 wrote to memory of 1508	5812	cmd.exe	149
PID 5812 wrote to memory of 5540	5812	cmd.exe	150
PID 5812 wrote to memory of 5540	5812	cmd.exe	150
PID 5812 wrote to memory of 2908	5812	cmd.exe	151
PID 5812 wrote to memory of 2908	5812	cmd.exe	151
PID 2908 wrote to memory of 4160	2908	dwm.exe	152
PID 2908 wrote to memory of 4160	2908	dwm.exe	152
PID 4160 wrote to memory of 5184	4160	cmd.exe	154
PID 4160 wrote to memory of 5184	4160	cmd.exe	154
PID 4160 wrote to memory of 2036	4160	cmd.exe	155
PID 4160 wrote to memory of 2036	4160	cmd.exe	155
PID 4160 wrote to memory of 3976	4160	cmd.exe	156
PID 4160 wrote to memory of 3976	4160	cmd.exe	156
PID 3976 wrote to memory of 5128	3976	dwm.exe	157
PID 3976 wrote to memory of 5128	3976	dwm.exe	157
PID 5128 wrote to memory of 820	5128	cmd.exe	159
PID 5128 wrote to memory of 820	5128	cmd.exe	159
PID 5128 wrote to memory of 5124	5128	cmd.exe	160
PID 5128 wrote to memory of 5124	5128	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\61f11bde1f33ddb5b4c398d4cc8b1c7c.exe
"C:\Users\Admin\AppData\Local\Temp\61f11bde1f33ddb5b4c398d4cc8b1c7c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\fontInto\soby05K3uOljM.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5384
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:5808
    - - C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto/blockPortComdriverbroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j2b02bc5\j2b02bc5.cmdline"
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49A.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCD404104D6A3841989365D82541457CF2.TMP"
        7⤵
        
        PID:3564
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jaeivhtc\jaeivhtc.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES601.tmp" "c:\Windows\System32\CSCFC162025537643CB874DDFF8A413C17.TMP"
        7⤵
        
        PID:4496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\OfficeClickToRun.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Time Zone\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\blockPortComdriverbroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\klrkJh2DBx.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4488
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ndC0udATSD.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5540
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sMcwJl1juU.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2036
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5124
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ETZZ9TGUYL.bat"
        14⤵
        
        PID:5136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:5356
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ndC0udATSD.bat"
        16⤵
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:432
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k9Xkw6Am4N.bat"
        18⤵
        
        PID:6008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1924
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RVEN4vvioM.bat"
        20⤵
        
        PID:5608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:5344
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\appcompat\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\appcompat\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\Time Zone\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\Time Zone\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 12 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbroker" /sc ONLOGON /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 7 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
11aa02596ceccef38b448c52a899f470

SHA1
6da94dc9579e969d39d5e65c066af3a5251e39b4

SHA256
e778ec777a79a1a9c9a3b605ab9681558395d2f3ef46f6c34dca1e00dcd771fd

SHA512
5de4fd51ae76cce8de25c5257ee873a71668acdf407bc3351410f9f840a9b074099d4c018657d2cc8f33273e6fd03e4365165e4834ba12c052d735212bf5d0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
2.0MB

MD5
e7197369aa79213cb20f49e31a6d0ff9

SHA1
c841bbcd0ce335b4cc10cff1c354be238b3c9338

SHA256
9e4af984c4b935ed29a62c1bf93672f5937f75324781bd266fed6d7d0d238620

SHA512
5ecaf7034e16249b7239c720588f40f673f49c247f2cb329bfe83fefae7d00b2c658e721e5ddc8d3d9d3ab5a039c36ac47d6279de3b36398b297435c918b402c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ETZZ9TGUYL.bat

Filesize
193B

MD5
012285fb4ebb5c7c0320dc72f9c978db

SHA1
ac9e5ceebfa2399740d51a2dc4719e6233c8dff1

SHA256
3e244d00b6df96d119873b6cd8e6a720ea8ac5974826119d0fb06789d415d075

SHA512
d2ee318e9c0b589bcebed4a8cf69c1240142e4ab96ac2eeb03979123e5761ff85c2d3d7ffc34e9af970d2149bdb1aff19769617dc9f37f7202c024049aeb8737

Download Submit
C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat

Filesize
241B

MD5
d5baf572a2004501ee41016cbda59a2f

SHA1
c74a06296278de30fa01b1b2c3975aa82b82fc45

SHA256
6da4601ec9c1d69d74c1d49a5fecf675042628b45e19be064867084ee330fcd3

SHA512
7bb40f3808fe6b29346faad34bb7763dfa354c05151bb8b6e81448fec3ace671b8eec0202954ab1e12a8dc7593c0baecfa605db4876098e5bea7cfe52d80bcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49A.tmp

Filesize
1KB

MD5
ad8b6f3b5267a3856e92b0063f5bf457

SHA1
0157138327927d039de36d46e4939f1cd07adf68

SHA256
7cfc06a9b2e3b5484ba3915c7d7caa6b493f560448a27d9cfb3670372c30f37d

SHA512
ec98a0defe8155b4bd5781d00f08a95c616e1c59ace4a6ef00c2bb02a3a32040796e450e5443c63456c1b634f86ac3d0a505a0f9df8d73087d9a9e45eaa2146b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES601.tmp

Filesize
1KB

MD5
4269d12d2b8f46346a0140380232a1bb

SHA1
e6d1db1f381e32d969e93a0a592eab1e09476017

SHA256
b531aaa9f2e75453b25d3be170b8b67d0d778fcae5b4f47579c477c31c2467c2

SHA512
2e3e9f3feb3a27f464caba3332dd0b2ca85d938efdbad3fdae6affb885cae6731e23d66d61097dd3f614d9599d8392022a133e7a9a373f0229bad04e9242bb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVEN4vvioM.bat

Filesize
193B

MD5
59ddf641eb5ea60857539c3046e93590

SHA1
6cc7c011d9fa8d35e9fe0d01558f602f0e4385d4

SHA256
32e85dfc21be867c1e1abee0b671b0a1cadabe7aba16a77e6109f872e81bc76f

SHA512
01ebe48516b172dc69dc86b06f792a413e872c8c88e9b6286bcb2430f9f4038abfe6679e10e1654bcfd35cf6e3cb92ec8694c5752e45969d6a54eac0b67339b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvuhhssp.ut1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k9Xkw6Am4N.bat

Filesize
193B

MD5
ad990abda3ed11c0e6836a9b92fbe4a0

SHA1
e432f71d79b1a03c13d5beb2f4dd9cf61b8640d4

SHA256
c843d67b4056426114c4fff44e7e1521991c9461e817d9418490bb12b01c108a

SHA512
0436ea2aa684e110c02b2728dda24ebfd2ac606ede86e5fc314b0578ad927c563ed573727235481cb3caa15203c3ec677a8c1f646e9bf0b56a9c305c82ae7a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\klrkJh2DBx.bat

Filesize
241B

MD5
b13b8497beb073bcf3e4cae5b6edf6a7

SHA1
70046a90560c9fb5f0e6b9168f8f7e9ba8331191

SHA256
a92dc2ceeba528f810d8b9b3572580ae728c8530ba5a265372af4d241b5028f6

SHA512
ff48d003ae31e16f61674de8c1661c6a82f3fcda67fc592f03048649610061112ff3db889a035cfe4339f866d740f9747a9d61b8cdf715f23f50ae1b31e54c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndC0udATSD.bat

Filesize
241B

MD5
416b9e79dbbe6be84537cce4ad5a6caf

SHA1
6db38f467856b365822cdfe020ed45eae2eb5bf7

SHA256
b9b23c3aff463c7da3d9f133e16b9484a21716c46a92639b0640fadb03111ad4

SHA512
4a7f85908a054f15fd164c90e12bd7c601e850fb343bf427d803271bce2daea19a719b96d6e18dc0e5fbc861fcc80addc8c655971a6f4446f12d40d37a10d634

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMcwJl1juU.bat

Filesize
241B

MD5
8d75e1b6d1b05f166de5cf804f5e2078

SHA1
3f01ecf9d3260c5b60a6eedf4d68de1f29699555

SHA256
7d8dc47476360ed3b61408745a555ec8329d039ec02b54171731c3fd09684624

SHA512
40a1ffb062d38b22a5040ed8db750c16483282cc01ed279e8190e9680b82c3b46599d426c7ece44fb632b381eeba82fdc6cc9be32b3b8ad341c4c75ec11106ea

Download Submit
C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe

Filesize
200B

MD5
acd11feb4451a8f14fd6e2dc71164cf1

SHA1
9b645b0798b101fb04a565d3a1a5cef1155e0800

SHA256
cb0d496499709d17bacc28d5fb00b22e64af093062530c195ff03a69033fd9f0

SHA512
5db057a8957169c9e001c47577fcc8ec4cca145aa595946f31a5eaef71f2438d6f7a4d4758808db0c473b8542fc85801fa91ec2e02c7cfdc84f31c79e02fe72c

Download Submit
C:\fontInto\blockPortComdriverbroker.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
C:\fontInto\soby05K3uOljM.bat

Filesize
201B

MD5
ef94f890944f55d5b0719b9fe4578c48

SHA1
3de264c05e7b45bf65c676391d1e112184258f3b

SHA256
6bdf05e8f2ae2dc331d1f47fa7ff2d8da950f44d0e78a5e727c3c2058f7c8350

SHA512
29c9b9532c4b0e7eb7995916da0703637a43fd6afc5bf4eacce7eaf2d6d0ffa47b4e215b1ba305738719cab383edc48fad25f535c7210ff6698309a57c295302

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCD404104D6A3841989365D82541457CF2.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j2b02bc5\j2b02bc5.0.cs

Filesize
403B

MD5
2c043e5b0ce66b68c1f53f853b0996ee

SHA1
1a848e07ac38e93a51a7a2e7442e4a26a6f3f36b

SHA256
f1e57fd43fa0b9d14dcab603efc6f3a81a0f0190e92dc0bb69eb4fb847f94619

SHA512
3ede5e10a32b4499e685bc02a988aeb54d4ec3d7739c8d1770327d2922f2153ce60ea5257c484a1cd99151b755d12867ae187a547d1dbc8aa0fa339197ec1099

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j2b02bc5\j2b02bc5.cmdline

Filesize
265B

MD5
7aba50e6827fedc0b0d7c270179a4eb9

SHA1
59a9353d97665391c582cd8f776f88545abb5787

SHA256
f435e91e668594f9d6065ca89b9c24764702b06bf7585c532e85dbdc4afb87e4

SHA512
954148b63a64f0e97e06d05761c76e9ff513809917bb4c6ed23be576f8be717cab7d5395b5761c880697a08a9803dffc0265c6bbc5b910f39dedf5c2d5aaa3cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jaeivhtc\jaeivhtc.0.cs

Filesize
373B

MD5
3a26dfe80e77a79929e61ddb2b935365

SHA1
9d333df55cc899871a0404dfc37bb233b20df87f

SHA256
6baa08b8352c8d30a0aec002b7ba09e1f99acb215dcf5a31d647369a0cb02b64

SHA512
0ecc60614a807bfa14a8122d7ed86083dc8e62d799c99dd6730ecdcc4e4b132a84a20449d19fe2d0fdba9744bd45c50a6faa54a920ecd1daa6f0dd6baa1ed421

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jaeivhtc\jaeivhtc.cmdline

Filesize
235B

MD5
526bb970c4096f50e7372afaf6f07ba6

SHA1
b36963ac93007747916b3c6512542e2195ecdfc0

SHA256
2aedc1bfdad933945e32d8b5f196559876b693875c44de7c66177525ce8a4126

SHA512
139a9772c3731556a0f28aebeb8729b82ab6e4844c8c233050be242e2a4c5f0a081de6639f65c2d3f61f1a5248ef9606503533605d14b3681ef608f639c8e5c3

Download Submit
\??\c:\Windows\System32\CSCFC162025537643CB874DDFF8A413C17.TMP

Filesize
1KB

MD5
188249e3f31caa0264351fc374794895

SHA1
323a707d1a37ac8cbae6d6e502cc850f69ae2e15

SHA256
1bf68148c555d0e84720c497dcf3ad708da300ee7472df12c9307a3acd4abde1

SHA512
28a0d97e83b6b6d10c0114166e8f23845663a34c8f262aa5a31ffb885abe232badb6f95bba99b8688559cac81f8ff93c3609ac363d8903d35f535d7c5e1e02d5

Download Submit
memory/432-29-0x0000000002980000-0x000000000298C000-memory.dmp

Filesize
48KB

Download
memory/432-27-0x0000000002930000-0x000000000293E000-memory.dmp

Filesize
56KB

Download
memory/432-25-0x00000000006A0000-0x000000000084C000-memory.dmp

Filesize
1.7MB

Download
memory/432-116-0x000000001B8F0000-0x000000001B999000-memory.dmp

Filesize
676KB

Download
memory/432-126-0x000000001BDA0000-0x000000001BF49000-memory.dmp

Filesize
1.7MB

Download
memory/2908-162-0x0000000003220000-0x0000000003228000-memory.dmp

Filesize
32KB

Download
memory/2908-163-0x000000001BCF0000-0x000000001BD99000-memory.dmp

Filesize
676KB

Download
memory/3180-182-0x0000000001600000-0x0000000001608000-memory.dmp

Filesize
32KB

Download
memory/3180-183-0x000000001BA50000-0x000000001BAF9000-memory.dmp

Filesize
676KB

Download
memory/3976-172-0x0000000002C90000-0x0000000002C98000-memory.dmp

Filesize
32KB

Download
memory/3976-173-0x000000001C1B0000-0x000000001C259000-memory.dmp

Filesize
676KB

Download
memory/4620-1-0x0000000000060000-0x00000000001D4000-memory.dmp

Filesize
1.5MB

Download
memory/4620-0-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

Filesize
8KB

Download
memory/4620-11-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/4620-7-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/4832-212-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/4832-213-0x000000001B200000-0x000000001B2A9000-memory.dmp

Filesize
676KB

Download
memory/5292-202-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/5292-203-0x000000001B210000-0x000000001B2B9000-memory.dmp

Filesize
676KB

Download
memory/5600-151-0x0000000001A10000-0x0000000001A18000-memory.dmp

Filesize
32KB

Download
memory/5600-152-0x000000001C9A0000-0x000000001CA49000-memory.dmp

Filesize
676KB

Download
memory/6036-193-0x000000001BD60000-0x000000001BE09000-memory.dmp

Filesize
676KB

Download
memory/6036-192-0x0000000003270000-0x0000000003278000-memory.dmp

Filesize
32KB

Download
memory/6136-68-0x00000184E5DC0000-0x00000184E5DE2000-memory.dmp

Filesize
136KB

Download