zgrat | 8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe
Size

1.4MB
MD5

61f11bde1f33ddb5b4c398d4cc8b1c7c
SHA1

614eaeab2931cc5b18f4d09afdf18fa95948ed90
SHA256

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159
SHA512

a2c33d12d345987be7cb2f53d321e738dd7b2b85672f674c317405313be4b3f13bfa99e9a0cda37b59563734871f299db33964a4576ee2a6e23e0dbdc7fab708
SSDEEP

24576:mj/Vhz2r7o+CE7cBOlZqevIhEvQQdFZUQpCqoIpO8TI76ze7lyJD5xKeVwGvn:q/Pz2rkzEYBOGGIsdFZUQpbVTIiEqD5Z

Score

10^/10

zgrat evasion execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023256-7.dat	family_zgrat_v1
behavioral2/files/0x000900000002325e-23.dat	family_zgrat_v1
behavioral2/memory/4536-25-0x0000000000060000-0x000000000020C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\fontInto\\sppsvc.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\fontInto\\sppsvc.exe\", \"C:\\odt\\dllhost.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\fontInto\\sppsvc.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\fontInto\\msedge.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\fontInto\\sppsvc.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\fontInto\\msedge.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\", \"C:\\fontInto\\sppsvc.exe\", \"C:\\odt\\dllhost.exe\", \"C:\\fontInto\\msedge.exe\", \"C:\\Users\\Default User\\StartMenuExperienceHost.exe\", \"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1524	schtasks.exe	98
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1524	schtasks.exe	98

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023256-7.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000900000002325e-23.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/4536-25-0x0000000000060000-0x000000000020C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4712	powershell.exe
4140	powershell.exe
1008	powershell.exe
2308	powershell.exe
3952	powershell.exe
1332	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	blockPortComdriverbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 12 IoCs

pid	Process
3592	1.exe
4536	blockPortComdriverbroker.exe
2436	msedge.exe
3380	sppsvc.exe
1632	sppsvc.exe
3848	sppsvc.exe
976	sppsvc.exe
5072	sppsvc.exe
2252	sppsvc.exe
3100	sppsvc.exe
756	sppsvc.exe
4748	sppsvc.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\fontInto\\msedge.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\WindowsRE\\WmiPrvSE.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\fontInto\\sppsvc.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\fontInto\\sppsvc.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\odt\\dllhost.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\fontInto\\msedge.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default User\\StartMenuExperienceHost.exe\""	blockPortComdriverbroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE4C9F7F22F8A4E468BD51CBD3109053.TMP	csc.exe
File created	\??\c:\Windows\System32\_iyiwy.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC3EFDA0EAA00745FEAF82172AF560164.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5072	schtasks.exe
2216	schtasks.exe
4408	schtasks.exe
4700	schtasks.exe
3424	schtasks.exe
3648	schtasks.exe
616	schtasks.exe
752	schtasks.exe
3828	schtasks.exe
1468	schtasks.exe
1664	schtasks.exe
960	schtasks.exe
2548	schtasks.exe
60	schtasks.exe
4748	schtasks.exe
3724	schtasks.exe
3236	schtasks.exe
2196	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	1.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	blockPortComdriverbroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	sppsvc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3228	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2156	PING.EXE
2236	PING.EXE
3392	PING.EXE
3232	PING.EXE
1332	PING.EXE
1844	PING.EXE
3048	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4536	blockPortComdriverbroker.exe
4140	powershell.exe
4140	powershell.exe
4712	powershell.exe
4712	powershell.exe
2308	powershell.exe
2308	powershell.exe
1008	powershell.exe
1008	powershell.exe
3952	powershell.exe
3952	powershell.exe
1332	powershell.exe
1332	powershell.exe
2308	powershell.exe
1008	powershell.exe
4140	powershell.exe
4712	powershell.exe
3952	powershell.exe
1332	powershell.exe
3380	sppsvc.exe
3380	sppsvc.exe
3380	sppsvc.exe
3380	sppsvc.exe
3380	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	3380	sppsvc.exe
Token: SeDebugPrivilege	1632	sppsvc.exe
Token: SeDebugPrivilege	3848	sppsvc.exe
Token: SeDebugPrivilege	976	sppsvc.exe
Token: SeDebugPrivilege	5072	sppsvc.exe
Token: SeDebugPrivilege	2252	sppsvc.exe
Token: SeDebugPrivilege	3100	sppsvc.exe
Token: SeDebugPrivilege	756	sppsvc.exe
Token: SeDebugPrivilege	4748	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3592	868	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	93
PID 868 wrote to memory of 3592	868	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	93
PID 868 wrote to memory of 3592	868	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	93
PID 3592 wrote to memory of 1824	3592	1.exe	94
PID 3592 wrote to memory of 1824	3592	1.exe	94
PID 3592 wrote to memory of 1824	3592	1.exe	94
PID 1824 wrote to memory of 1620	1824	WScript.exe	103
PID 1824 wrote to memory of 1620	1824	WScript.exe	103
PID 1824 wrote to memory of 1620	1824	WScript.exe	103
PID 1620 wrote to memory of 3228	1620	cmd.exe	105
PID 1620 wrote to memory of 3228	1620	cmd.exe	105
PID 1620 wrote to memory of 3228	1620	cmd.exe	105
PID 1620 wrote to memory of 4536	1620	cmd.exe	106
PID 1620 wrote to memory of 4536	1620	cmd.exe	106
PID 4536 wrote to memory of 4420	4536	blockPortComdriverbroker.exe	110
PID 4536 wrote to memory of 4420	4536	blockPortComdriverbroker.exe	110
PID 4420 wrote to memory of 4188	4420	csc.exe	112
PID 4420 wrote to memory of 4188	4420	csc.exe	112
PID 4536 wrote to memory of 3252	4536	blockPortComdriverbroker.exe	113
PID 4536 wrote to memory of 3252	4536	blockPortComdriverbroker.exe	113
PID 3252 wrote to memory of 2756	3252	csc.exe	115
PID 3252 wrote to memory of 2756	3252	csc.exe	115
PID 4536 wrote to memory of 4712	4536	blockPortComdriverbroker.exe	131
PID 4536 wrote to memory of 4712	4536	blockPortComdriverbroker.exe	131
PID 4536 wrote to memory of 1332	4536	blockPortComdriverbroker.exe	132
PID 4536 wrote to memory of 1332	4536	blockPortComdriverbroker.exe	132
PID 4536 wrote to memory of 1008	4536	blockPortComdriverbroker.exe	133
PID 4536 wrote to memory of 1008	4536	blockPortComdriverbroker.exe	133
PID 4536 wrote to memory of 4140	4536	blockPortComdriverbroker.exe	134
PID 4536 wrote to memory of 4140	4536	blockPortComdriverbroker.exe	134
PID 4536 wrote to memory of 3952	4536	blockPortComdriverbroker.exe	135
PID 4536 wrote to memory of 3952	4536	blockPortComdriverbroker.exe	135
PID 4536 wrote to memory of 2308	4536	blockPortComdriverbroker.exe	136
PID 4536 wrote to memory of 2308	4536	blockPortComdriverbroker.exe	136
PID 4536 wrote to memory of 2680	4536	blockPortComdriverbroker.exe	143
PID 4536 wrote to memory of 2680	4536	blockPortComdriverbroker.exe	143
PID 2680 wrote to memory of 720	2680	cmd.exe	145
PID 2680 wrote to memory of 720	2680	cmd.exe	145
PID 2680 wrote to memory of 1160	2680	cmd.exe	146
PID 2680 wrote to memory of 1160	2680	cmd.exe	146
PID 2680 wrote to memory of 3380	2680	cmd.exe	148
PID 2680 wrote to memory of 3380	2680	cmd.exe	148
PID 3380 wrote to memory of 4640	3380	sppsvc.exe	149
PID 3380 wrote to memory of 4640	3380	sppsvc.exe	149
PID 4640 wrote to memory of 1620	4640	cmd.exe	151
PID 4640 wrote to memory of 1620	4640	cmd.exe	151
PID 4640 wrote to memory of 3392	4640	cmd.exe	152
PID 4640 wrote to memory of 3392	4640	cmd.exe	152
PID 4640 wrote to memory of 1632	4640	cmd.exe	153
PID 4640 wrote to memory of 1632	4640	cmd.exe	153
PID 1632 wrote to memory of 4924	1632	sppsvc.exe	154
PID 1632 wrote to memory of 4924	1632	sppsvc.exe	154
PID 4924 wrote to memory of 3824	4924	cmd.exe	156
PID 4924 wrote to memory of 3824	4924	cmd.exe	156
PID 4924 wrote to memory of 3232	4924	cmd.exe	157
PID 4924 wrote to memory of 3232	4924	cmd.exe	157
PID 4924 wrote to memory of 3848	4924	cmd.exe	158
PID 4924 wrote to memory of 3848	4924	cmd.exe	158
PID 3848 wrote to memory of 2412	3848	sppsvc.exe	159
PID 3848 wrote to memory of 2412	3848	sppsvc.exe	159
PID 2412 wrote to memory of 4772	2412	cmd.exe	161
PID 2412 wrote to memory of 4772	2412	cmd.exe	161
PID 2412 wrote to memory of 1332	2412	cmd.exe	162
PID 2412 wrote to memory of 1332	2412	cmd.exe	162

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe
"C:\Users\Admin\AppData\Local\Temp\8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\fontInto\soby05K3uOljM.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3228
    - - C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto/blockPortComdriverbroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htkxk35j\htkxk35j.cmdline"
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80E3.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC3EFDA0EAA00745FEAF82172AF560164.TMP"
        7⤵
        
        PID:4188
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e5c0t0wq\e5c0t0wq.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES821C.tmp" "c:\Windows\System32\CSCE4C9F7F22F8A4E468BD51CBD3109053.TMP"
        7⤵
        
        PID:2756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\msedge.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\blockPortComdriverbroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yL3sy8cSXr.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1160
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3392
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aUnIbwK7qQ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:3232
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aUnIbwK7qQ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1332
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kTLD8xjVtV.bat"
        14⤵
        
        PID:1008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1844
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HVsQnaolwE.bat"
        16⤵
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:3048
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat"
        18⤵
        
        PID:3476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2156
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat"
        20⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4568
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WmJu8eLYHf.bat"
        22⤵
        
        PID:3688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1544
        
        C:\fontInto\sppsvc.exe
        
        "C:\fontInto\sppsvc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat"
        24⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\fontInto\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\fontInto\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\fontInto\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\fontInto\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\fontInto\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\fontInto\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 14 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbroker" /sc ONLOGON /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 14 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
- Executes dropped EXE
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
e5c74585ed211e4a56f3be56047dba3a

SHA1
269bcff4b30fea0ea9fc05fe6c8a8753582f1e17

SHA256
b4cab04c87a9484d98ae5e39a1b62123c3769d9a4338ea559357f50866b27f9c

SHA512
174c35ea8dc15624592d8fba97327d062bc72e20dbed08c7e906821460c2cc299f79df1334f8b928f1a9b861625616f495b1f610b669bc8c17616cec3c1a813a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
11aa02596ceccef38b448c52a899f470

SHA1
6da94dc9579e969d39d5e65c066af3a5251e39b4

SHA256
e778ec777a79a1a9c9a3b605ab9681558395d2f3ef46f6c34dca1e00dcd771fd

SHA512
5de4fd51ae76cce8de25c5257ee873a71668acdf407bc3351410f9f840a9b074099d4c018657d2cc8f33273e6fd03e4365165e4834ba12c052d735212bf5d0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
2.0MB

MD5
e7197369aa79213cb20f49e31a6d0ff9

SHA1
c841bbcd0ce335b4cc10cff1c354be238b3c9338

SHA256
9e4af984c4b935ed29a62c1bf93672f5937f75324781bd266fed6d7d0d238620

SHA512
5ecaf7034e16249b7239c720588f40f673f49c247f2cb329bfe83fefae7d00b2c658e721e5ddc8d3d9d3ab5a039c36ac47d6279de3b36398b297435c918b402c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat

Filesize
198B

MD5
ed981e9a765742e21fc60d754729efee

SHA1
55449c61b3ee7a168fc8f49f7cba6141e090a6fa

SHA256
c51240d50f4470e271ff431cbc495e4e1868cec02ebdde061e9b997c19346170

SHA512
54b2386e93579ffce3d64f0806ab6f6dba0906752f1daab9aaa8140dd644f47b1b3cbbb1c04961af21fe4fc259788e201b6071438e5d80efb55b4dce389abc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat

Filesize
150B

MD5
8711a524a03d816b8c8d0e90c7840f69

SHA1
43de36a55436497559eb87132de24eff8298045a

SHA256
49dd720e1a17ae8a259a0842bbb47a42b1b33c236bf850f8286a567c59ca398b

SHA512
6a01ab87bab2b41925c34208555930e4181daa44422244f734d6722df661eddda941f7142b334ec5113951eb596aa073ee86b4d37396e5ec4472a9210804e3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVsQnaolwE.bat

Filesize
150B

MD5
feed8521e6d5a1f7aadac83e21452035

SHA1
badb11d08e8706d6f414866e0ba6c9e176a8fbe4

SHA256
0802908c56e8080825cc395a82c8f08606a7e77cb975d1e13faf4e857e5c114d

SHA512
04bfaf246e6151942cbc5082af7f507281a18a83673821c6f6e3e9bfa6d0e7a3f95e5e8c7459986ecc14c959a001f9f19b047011dba674ef598d53e02532f62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ng14EOm2tp.bat

Filesize
150B

MD5
41156b506ea91d98088f5a32605ed10e

SHA1
7628c0853dd93c40b58f1ec2202cb1d6aa7d4043

SHA256
e4920205487968bd7c1cc4664303362af79680c0f23916229e4d01433fe7eec9

SHA512
52f4b87e91f2bc1c70786e5eb5f4dae5ff2dcf1733597c4483f5d46fe8712825cedc2c553e73a5fbb9a8615c4fc79a370b5b157850792e1eba7a60c80aaae4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80E3.tmp

Filesize
1KB

MD5
7c6a9402c9d9c45611232cf23e272f43

SHA1
2b93eeee384b37b189430a19effba56762227050

SHA256
5b77bebf3e1d316564d3c348a1d3614df81fa4212deeb2c85d86fc0f03e864ca

SHA512
febed536d1df389460a01ff7144ba840f60af79ad5b6128a65764f1e62d51e7e9a373ece603a030bc73b7c03f1cf2a2dcc9a14160741a0ef30bef58a1a7b0b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES821C.tmp

Filesize
1KB

MD5
dbda1e2b692e0a83bf0df826ee9b3070

SHA1
75e6e4e865c10622faf7c83d0bde9b1795f27be9

SHA256
d7b406e21c407b4f18fa422080038bb574a2c4aa314dba5953f8b16cf29748c4

SHA512
3c68e95d7d3b7cbc1323359f63cfe908ee1d83d7944793c5adc0caec2f4b74d60bd44654115d265f148d7acfe53e1ed816a2b1dd03688ec344406c6b9a7d877c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmJu8eLYHf.bat

Filesize
198B

MD5
856b82467588629dfeba08d19dbc8de5

SHA1
86039e1180985eb11f6917118ae281da0cf7ca78

SHA256
3a5cd422c0729efd98c6e5db9bd31a77a69f5f817cb588c89356b3d451db10c0

SHA512
0849cdbd655fc7de52523898a76e8f1986f3294eb36c347bbefe70052b04ced94ceb890dce41776d07d0cdf44984518c04f3ec376e5a92e04ad0b95c20087bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xafp2ouo.ihx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUnIbwK7qQ.bat

Filesize
150B

MD5
f88a0306e4956f7bcbfde3c85c7eb15d

SHA1
ec6b549a0b25b8edfd57973317e4e74bf287190c

SHA256
ac9349458cb3a55701685782fcd29d6695ce630e08d7b97f8e606f8f814832ba

SHA512
7a8e5c5ce3c9fae666939ac22334f81c1809d14069b4433835c730ed99f99057084c66f987a02343c14fe69369cdcbab6f790bd6615d5124ce8b61247acc9b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kTLD8xjVtV.bat

Filesize
150B

MD5
5c4a3189d826a8da085fb6c941f556a0

SHA1
aad5179cf04bb9b73fa4c01bc15baa118033d30f

SHA256
8d61f218032823990dfc97a14534c91469a5ce4d0f9fa2ec604a415099444afa

SHA512
c1c3e85a3efdc6a7314d6f2a449606fda73dabc111f3b54c907cd190953f5651716c20a8bc0699c77b09de0453b6eda9f9fcb54f01cbccd8cdbd77f3310a8ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yL3sy8cSXr.bat

Filesize
198B

MD5
7d60c3200a92e57924ac580011f86b88

SHA1
4678eab8000050a31add9aca335c6c2f181ddacf

SHA256
0ff9709de6f737a0ea96975db2bf85a3c3835e095468d70da408ba8cccc5579e

SHA512
c75da91b03ce3896f2905c5c12eed64e7ee15adc701cc7230b2560dafa71a3bbfe8271348e6d4cc2e142fd66e68ecaaf0e0b6560e5ead65fd4b997612dcc8cbc

Download Submit
C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe

Filesize
200B

MD5
acd11feb4451a8f14fd6e2dc71164cf1

SHA1
9b645b0798b101fb04a565d3a1a5cef1155e0800

SHA256
cb0d496499709d17bacc28d5fb00b22e64af093062530c195ff03a69033fd9f0

SHA512
5db057a8957169c9e001c47577fcc8ec4cca145aa595946f31a5eaef71f2438d6f7a4d4758808db0c473b8542fc85801fa91ec2e02c7cfdc84f31c79e02fe72c

Download Submit
C:\fontInto\blockPortComdriverbroker.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
C:\fontInto\soby05K3uOljM.bat

Filesize
201B

MD5
ef94f890944f55d5b0719b9fe4578c48

SHA1
3de264c05e7b45bf65c676391d1e112184258f3b

SHA256
6bdf05e8f2ae2dc331d1f47fa7ff2d8da950f44d0e78a5e727c3c2058f7c8350

SHA512
29c9b9532c4b0e7eb7995916da0703637a43fd6afc5bf4eacce7eaf2d6d0ffa47b4e215b1ba305738719cab383edc48fad25f535c7210ff6698309a57c295302

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC3EFDA0EAA00745FEAF82172AF560164.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5c0t0wq\e5c0t0wq.0.cs

Filesize
366B

MD5
5d6619f3f4caea9cfa809ab326a24e9d

SHA1
10ddb6103cce46d478a628dc539d9b80b3a38101

SHA256
89b7a4e953d338e1a16af906d1038ece6d090c859078edd84296f9220aa32477

SHA512
e2b8c9a36679c2e5b10bda2361d8e0e1efa567e4c82da3fc1f8fce3318ebd128b11cd10ef86aeef7e8577f5429fa1571d9d28030063993b497c14a571ed73d12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5c0t0wq\e5c0t0wq.cmdline

Filesize
235B

MD5
e77059b87a39fe4f27bf2148bea3be1d

SHA1
2496c23e0606b3592f0f0529372c4b6f3dfd471e

SHA256
6c295faf6de4140aa427e2f92835ac8268918a20a6df3a64a684795a1e2ee5fe

SHA512
5ca3ebeee2e1b3f6946e464f6a9e4a7e86ba12dffe68e43b305f018f9f8bfffdf770a8e230b9fe56c36aa6ba18540e5caae50cccaab9f92388a54512489bb99c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htkxk35j\htkxk35j.0.cs

Filesize
396B

MD5
a0a3577c2a452840364d06b9f590e05e

SHA1
5be4a2ec9dc661c736cbc4568d1d4f7f4264338e

SHA256
cfb5bd6179fac40e06f1a783752e51940b2155a68b0f86f1c94ef615564c8d0b

SHA512
c7b6809bdf0f2b58523df3189b729ea44741553ea5b8272cf1a5d851d967bdfe792b2f4f8618e29fe092d92270b0befa29f523454e3f9f56e6a6a8863970da1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htkxk35j\htkxk35j.cmdline

Filesize
265B

MD5
1cb6312409b090e6de9e988dd4fc9bcf

SHA1
9bfc49524e07f2b8d2c176435ab19713061febf6

SHA256
48be2a3f83dba17a347874aaaf499faefda173e2457d3b5671e7a6d8ed165fc1

SHA512
157152a0552356377ef8bc7149fbd2502e43d14b6030d3aa0ac1650b4e91e1957c7dded2bd2a308b358cbc33f75cc0132f891efe33231966f1f592f3ced135f5

Download Submit
\??\c:\Windows\System32\CSCE4C9F7F22F8A4E468BD51CBD3109053.TMP

Filesize
1KB

MD5
188249e3f31caa0264351fc374794895

SHA1
323a707d1a37ac8cbae6d6e502cc850f69ae2e15

SHA256
1bf68148c555d0e84720c497dcf3ad708da300ee7472df12c9307a3acd4abde1

SHA512
28a0d97e83b6b6d10c0114166e8f23845663a34c8f262aa5a31ffb885abe232badb6f95bba99b8688559cac81f8ff93c3609ac363d8903d35f535d7c5e1e02d5

Download Submit
memory/868-0-0x00007FFDB9F93000-0x00007FFDB9F95000-memory.dmp

Filesize
8KB

Download
memory/868-11-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

Filesize
10.8MB

Download
memory/868-5-0x00007FFDB9F90000-0x00007FFDBAA51000-memory.dmp

Filesize
10.8MB

Download
memory/868-1-0x0000000000580000-0x00000000006F4000-memory.dmp

Filesize
1.5MB

Download
memory/1008-78-0x0000017D3ADB0000-0x0000017D3ADD2000-memory.dmp

Filesize
136KB

Download
memory/4536-29-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/4536-27-0x0000000000B20000-0x0000000000B2E000-memory.dmp

Filesize
56KB

Download
memory/4536-25-0x0000000000060000-0x000000000020C000-memory.dmp

Filesize
1.7MB

Download