zgrat | 747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Size

1.6MB
MD5

0d6496f71fd24be93348c354faf7dfa6
SHA1

47f195a3996d4e3bd051d54e879d1ae68d2ed9a0
SHA256

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9
SHA512

0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c
SSDEEP

49152:TGJ95iN4KodXZCQRBHt268KDDljKrTrv:iJ9Z3dXLrHt2nYDKX

Score

10^/10

zgrat execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/380-1-0x0000000000ED0000-0x000000000107C000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0008000000023317-20.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\sppsvc.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\sppsvc.exe\", \"C:\\Users\\Public\\Documents\\fontdrvhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\sppsvc.exe\", \"C:\\Users\\Public\\Documents\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\Idle.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\sppsvc.exe\", \"C:\\Users\\Public\\Documents\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\Idle.exe\", \"C:\\Users\\Public\\Pictures\\dllhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\sppsvc.exe\", \"C:\\Users\\Public\\Documents\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\Idle.exe\", \"C:\\Users\\Public\\Pictures\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\sppsvc.exe\", \"C:\\Users\\Public\\Documents\\fontdrvhost.exe\", \"C:\\Users\\Public\\Desktop\\Idle.exe\", \"C:\\Users\\Public\\Pictures\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3916	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	3916	schtasks.exe	92

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3412	powershell.exe
1832	powershell.exe
3808	powershell.exe
3616	powershell.exe
3484	powershell.exe
2204	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Executes dropped EXE 1 IoCs

pid	Process
1148	msedge.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Google\\sppsvc.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Google\\sppsvc.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\Documents\\fontdrvhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Desktop\\Idle.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Public\\Desktop\\Idle.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Pictures\\dllhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Public\\Pictures\\dllhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Public\\Documents\\fontdrvhost.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9FAF6E7A6944E0A80B81F783C92F8.TMP	csc.exe
File created	\??\c:\Windows\System32\jpzkqk.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\sppsvc.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files (x86)\Google\0a1fd5f707cd16	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCA3041ADC39D1419AAEC8187DCAF0F61E.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
884	schtasks.exe
5072	schtasks.exe
940	schtasks.exe
2764	schtasks.exe
2172	schtasks.exe
4016	schtasks.exe
4600	schtasks.exe
4548	schtasks.exe
4628	schtasks.exe
3100	schtasks.exe
4328	schtasks.exe
2144	schtasks.exe
3772	schtasks.exe
4188	schtasks.exe
2788	schtasks.exe
3400	schtasks.exe
1164	schtasks.exe
5008	schtasks.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
940	PING.EXE
1832	PING.EXE
4208	PING.EXE
2788	PING.EXE
4884	PING.EXE
3780	PING.EXE
5092	PING.EXE
2500	PING.EXE
3628	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
3484	powershell.exe
3484	powershell.exe
3412	powershell.exe
3412	powershell.exe
2204	powershell.exe
2204	powershell.exe
3808	powershell.exe
3808	powershell.exe
3616	powershell.exe
3616	powershell.exe
1832	powershell.exe
1832	powershell.exe
3808	powershell.exe
3412	powershell.exe
3484	powershell.exe
2204	powershell.exe
3616	powershell.exe
1832	powershell.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	3080	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	1300	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	4896	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	3340	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	2176	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	864	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	4896	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	1108	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	4916	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	4980	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	4692	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	3936	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	3552	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	4504	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 2220	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	96
PID 380 wrote to memory of 2220	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	96
PID 2220 wrote to memory of 4220	2220	csc.exe	99
PID 2220 wrote to memory of 4220	2220	csc.exe	99
PID 380 wrote to memory of 2968	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	100
PID 380 wrote to memory of 2968	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	100
PID 2968 wrote to memory of 1244	2968	csc.exe	102
PID 2968 wrote to memory of 1244	2968	csc.exe	102
PID 380 wrote to memory of 1832	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	119
PID 380 wrote to memory of 1832	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	119
PID 380 wrote to memory of 3412	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	120
PID 380 wrote to memory of 3412	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	120
PID 380 wrote to memory of 3616	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	121
PID 380 wrote to memory of 3616	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	121
PID 380 wrote to memory of 3484	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	122
PID 380 wrote to memory of 3484	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	122
PID 380 wrote to memory of 2204	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	124
PID 380 wrote to memory of 2204	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	124
PID 380 wrote to memory of 3808	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	127
PID 380 wrote to memory of 3808	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	127
PID 380 wrote to memory of 4640	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	130
PID 380 wrote to memory of 4640	380	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	130
PID 4640 wrote to memory of 2052	4640	cmd.exe	133
PID 4640 wrote to memory of 2052	4640	cmd.exe	133
PID 4640 wrote to memory of 3956	4640	cmd.exe	134
PID 4640 wrote to memory of 3956	4640	cmd.exe	134
PID 4640 wrote to memory of 1040	4640	cmd.exe	137
PID 4640 wrote to memory of 1040	4640	cmd.exe	137
PID 1040 wrote to memory of 4628	1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	138
PID 1040 wrote to memory of 4628	1040	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	138
PID 4628 wrote to memory of 1840	4628	cmd.exe	140
PID 4628 wrote to memory of 1840	4628	cmd.exe	140
PID 4628 wrote to memory of 4936	4628	cmd.exe	141
PID 4628 wrote to memory of 4936	4628	cmd.exe	141
PID 4628 wrote to memory of 3080	4628	cmd.exe	142
PID 4628 wrote to memory of 3080	4628	cmd.exe	142
PID 3080 wrote to memory of 3928	3080	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	143
PID 3080 wrote to memory of 3928	3080	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	143
PID 3928 wrote to memory of 4324	3928	cmd.exe	145
PID 3928 wrote to memory of 4324	3928	cmd.exe	145
PID 3928 wrote to memory of 1832	3928	cmd.exe	146
PID 3928 wrote to memory of 1832	3928	cmd.exe	146
PID 3928 wrote to memory of 1300	3928	cmd.exe	147
PID 3928 wrote to memory of 1300	3928	cmd.exe	147
PID 1300 wrote to memory of 4480	1300	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	148
PID 1300 wrote to memory of 4480	1300	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	148
PID 4480 wrote to memory of 4884	4480	cmd.exe	150
PID 4480 wrote to memory of 4884	4480	cmd.exe	150
PID 4480 wrote to memory of 3780	4480	cmd.exe	151
PID 4480 wrote to memory of 3780	4480	cmd.exe	151
PID 4480 wrote to memory of 4896	4480	cmd.exe	153
PID 4480 wrote to memory of 4896	4480	cmd.exe	153
PID 4896 wrote to memory of 1752	4896	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	154
PID 4896 wrote to memory of 1752	4896	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	154
PID 1752 wrote to memory of 2868	1752	cmd.exe	156
PID 1752 wrote to memory of 2868	1752	cmd.exe	156
PID 1752 wrote to memory of 4208	1752	cmd.exe	157
PID 1752 wrote to memory of 4208	1752	cmd.exe	157
PID 1752 wrote to memory of 4076	1752	cmd.exe	159
PID 1752 wrote to memory of 4076	1752	cmd.exe	159
PID 4076 wrote to memory of 1040	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	160
PID 4076 wrote to memory of 1040	4076	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	160
PID 1040 wrote to memory of 228	1040	cmd.exe	162
PID 1040 wrote to memory of 228	1040	cmd.exe	162

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
"C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vsrkchzz\vsrkchzz.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF915.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCA3041ADC39D1419AAEC8187DCAF0F61E.TMP"
    3⤵
    PID:4220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcjzyudf\wcjzyudf.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp" "c:\Windows\System32\CSC9FAF6E7A6944E0A80B81F783C92F8.TMP"
    3⤵
    PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3P2x3CCSCP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2052
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3956
- - C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
    "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Iv7oqRV3w.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4628
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1840
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1aRjLYSwTB.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p1UdTmuiiU.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        9⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JKWSf9zRCT.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        11⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        13⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JKWSf9zRCT.bat"
        14⤵
        
        PID:3256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        15⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        16⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        17⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nXpNUGu1Ke.bat"
        18⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        19⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat"
        20⤵
        
        PID:4624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        22⤵
        
        PID:4208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        23⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
        24⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        25⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrsChc0jod.bat"
        26⤵
        
        PID:4016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
        28⤵
        
        PID:4944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        29⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrsChc0jod.bat"
        30⤵
        
        PID:4088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        31⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\omfVy1urWZ.bat"
        32⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
        33⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fc24Cr0sci.bat"
        34⤵
        
        PID:4276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:3752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\sppsvc.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
6158a06e08beb65d39f0bdb4d888b4f4

SHA1
736fda0aed009f89e9084f6a3e0c6af184f097bf

SHA256
030e47ba989f97aa7d08cb395efdbea78d832e7a9c8d5ad3932085fd1db8f17f

SHA512
a47d61ce69433685cdd1f16baa58607bbb8fee95cdfc4a647cb966eb3779326d47c500021a561b438dd6b617fff7c4f3cccdd02923861fe8c3804608af9f1b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe.log

Filesize
1KB

MD5
4ef3ab577fdbd5c7dd815e496ecd5601

SHA1
8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

SHA256
72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

SHA512
ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\1aRjLYSwTB.bat

Filesize
230B

MD5
5518901e3393769bbd15230fc1174635

SHA1
fc90a04fb098842e78584f4a92ba5a19662f63c7

SHA256
a80feb4b688f7cae989de8340e145363828d8cfbe282b7cf3735028fcdd36499

SHA512
2cb29b0ab629b0b0d7e0189ee69ea845bc5a7ec4dae1b3d1993c44e55cc26a5fe1d4d5c84b620f8ab52d73d304a77568148709125e84a3fc2a5e0469e9e73c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

Filesize
278B

MD5
e42e0b3647e368f6abce278a2716623c

SHA1
5ea939b7172689835818ecea952e95ec09d073ff

SHA256
58452392a8aaed176f23865a0f3d39a344e093882bb99ae5bdf77b31f70acd00

SHA512
8cc327ebd0652c1bca680361c4315ac609215674ca8806dcf07d0c80d62db20da6f9010327361410852f31596864aaa21d6a30a0372fc2694ff5ca4c017f2afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3P2x3CCSCP.bat

Filesize
278B

MD5
a7a3ae88914f31fc95cf2ba8daf0cb71

SHA1
ba0794387f49de089fafcb035406e58f665b0156

SHA256
a24257c40ac023dbc8ad5a42755946b107fdba62ce7ce447f6bcdb43e96617c6

SHA512
aea195425006be41a37aef7f9eb72f9d2066850a08b6ee9b42fc7ff19054624e4e691f329c41c3c0852a97d9fc3dcc066129ee05605dc21e9f9010da79137a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Iv7oqRV3w.bat

Filesize
278B

MD5
44bc2d0cda530f6e1fbae46bdf7bfca5

SHA1
6025ef9ba49dd9cc7b7476f7a88ca055f9890de7

SHA256
2fec41bceb957e2658054852245050a47ee0088a7baab5dc29876dca2e23e0c6

SHA512
112ebf5a55eb97488f2b862e79b56b5d573e365228f04ebf87780ec2e1d158403da37b926dc9099bbc663a2526ddc6e3afcc33dc50b9f1e77c2f59a363429ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fc24Cr0sci.bat

Filesize
278B

MD5
da9eecb2bee4aed52803b2b3217eb252

SHA1
a46d46121d5882be522ef5962a0ae5af6250682d

SHA256
bfe03b854e120cc12ba79b70b7a477fee4a44dba836a3e7b54f06d0e255aa5d7

SHA512
1acb31056e1439e9aeacbc232865cb19cb226bd0927d3ef50a2f22facce48c86293a174c6dddb4addd744d87278980a60e602c119983b2690c3d9cf76e1f0c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrsChc0jod.bat

Filesize
230B

MD5
b5a2e16acb32dbcba4d7b3223b184fe6

SHA1
8e7f3f4fe6531b8e3d29ac614a52f4a86b8a5a8f

SHA256
5cf10a1ee66195a902d3ffd8d4c0d5321e73d84d7da623eaad54ae3c89193010

SHA512
5205ff3df0d5b84acde759fcb86822620f05d5e8be63f464e46602258e6069b140d623aa47b908329fc52ae9f22fcb6ad8eb6926ba9f35fb93712394c203d2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKWSf9zRCT.bat

Filesize
230B

MD5
372188be08b8838abb9a3872fddc8498

SHA1
4581dce87c12152677be4022693929f3b291012c

SHA256
1808813be193e9a954ea231d809a7684d9cbd13855f4b6cf10a9135e955df72b

SHA512
f2db8b2ded3c2aca310b4c59e3d60efc7e8090eaa662cd9942c019c202c0afe3a5f3bcb0fa8bed742ffe0580de7ea770de1d71bef413ad03f37568477141b776

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF915.tmp

Filesize
1KB

MD5
9bfd5015773e4dd2ea8e0dbaa281cc16

SHA1
c590c013d4519f5afc2f0e624becbf6f0c40ce8e

SHA256
1e2fe76b76a81e15ae992b970af5528a9e6ec3791d5dbdf44f676a111a96355b

SHA512
7b43c659f5f42d44d533ecb734b3bb6df45643031a14bac69db459c6cda7aaa83a823ee445d866960171e5b1a1c2613232e425492cbb519628e071e6eb0a93a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp

Filesize
1KB

MD5
732e4d5f33c155b0ec88bc544eb27f61

SHA1
f889c3df860ac8364ec11d3557bdfa1d65bcf444

SHA256
846e6f6fdb9e9bd3585d539259ea59a2738cf2649bd03aefd1875e647827969c

SHA512
4d89e6e67f805b42f64cc65de1fa8c4ff092733ad12e2b5d4a13e97c53e7ad2d78cfeb8ac8f78e8251451978ddcaf7b677891e4f59e1bd5d149210cd3ae44e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43scissm.njk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\czppXKEUSU.bat

Filesize
278B

MD5
01f935b1e18b0292ebc1cbb16d5aa790

SHA1
479bca19a7feae82a5a4ed41fdabbc913bccfdbf

SHA256
735dba1df090fdb38f1da65afe639ff3c82be2998777551612556bfad14d5d27

SHA512
ffe8a2ccaecd58b8477c2cf4eb7dcf63cbcce4e5c175faaf63cf56ca2a21ec8ff88f4175027c2c8a45c430623fb67dce2a862c5061b484cf106cff869e3bb671

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYHSyFVcIa.bat

Filesize
278B

MD5
246eca2a330c1365a53f674de85694ae

SHA1
7e5393f89ab40cf7951d51675beb52c33dda14d9

SHA256
afa5dfed076bad23c94e54e062a361b5bd02b91d3e38e7457e2bdf4b47c78279

SHA512
401fbacb4306c6083ac51d88c72acb93ad1864e15b62fc6e00bfab49032bc6347bd82c84c950c803c340b204eebe0e606fbc4e9eb6edc92bdf28f65dbe20cc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat

Filesize
230B

MD5
c50dd40861cd346f15808265d90640d3

SHA1
73bf3317b878763841603f1d2e2d965bad9e036c

SHA256
ea628366cca0dd86e9c1c9d8737a112f0fb70755dbd075259808deff621bb4bc

SHA512
29024c93a19e33a2055ef0b7d45117713f57a8d3251823ed646ef9120d0f41d5b685446e5d20c1f1bbecb3b46b505e42fba84ac125580b242460c1a437f45881

Download Submit
C:\Users\Admin\AppData\Local\Temp\nXpNUGu1Ke.bat

Filesize
278B

MD5
3633a5f6501ef77271a81da39befe529

SHA1
1e3aef62357749ec383551db1643a8b076632054

SHA256
8c76df391561152d979bb0b1d32d163ae35e3ebbe9c83213c026bc9686238cb7

SHA512
84e15953dc5351e9ba1834f0cb3bf46d423327605c27562ad5fe216859377409b4835a701cb5b432895cfe68573c26fad93519288207bc27278942716e62d486

Download Submit
C:\Users\Admin\AppData\Local\Temp\omfVy1urWZ.bat

Filesize
230B

MD5
69749daeda06f17ab9b4760933582ec6

SHA1
f80aefc3d04ada40bf67da9aead2a3af934798e5

SHA256
2afc0f941c782d87896dca54f7aa5e852db1039a2460af3c2cf55b3e2007deff

SHA512
6112ba251b5ee603956cb5bb3c30c09642efd1a02658c4ac7e1603e7bbda4a24bae9a705d69d0f206c9947c17151d01cc9123b15f8c001b947d22d1ff145dca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\p1UdTmuiiU.bat

Filesize
230B

MD5
22ba3845dbc3604d6c848e79b4615084

SHA1
10e3e7d6188397aabd9ee43985361e3cdd0138d3

SHA256
8066cd62f5142f3be00045d8633e736264f9b760ca8ef9df1b6798d0ff03839a

SHA512
6a858423c8977ca02607d174af3dc322199fea1376a4ddd933733c9d6d4ef7032459f91b10b9e61255cd4f5041c93776a851fe1796bf5eecd2b08b10f2fdac02

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCA3041ADC39D1419AAEC8187DCAF0F61E.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vsrkchzz\vsrkchzz.0.cs

Filesize
402B

MD5
c63f61ae3c365e05f9402dcb13f032ff

SHA1
4c290126c04a0abc059ac5741850950c0bbb99cc

SHA256
0a36f49c678afd8d3980c8e47e1f7cb1be4440c9a8ede2e8e3d22f3db9ce9365

SHA512
934d8d24a11718e12755d50963ea4b62328896ffd50b01860a7ca711794c69d8a82590213ba840c0c4ce821c281bc32c212c4c71056fb474de16755232b3ec22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vsrkchzz\vsrkchzz.cmdline

Filesize
265B

MD5
d2912b4802987f20ad1522b85217b26e

SHA1
0a7f786951722d125dae42f91982015c0133ae30

SHA256
a845316237ec83a108ff7e9c1d1aae91b35178059b5e55bb2644afb9f0e2deb0

SHA512
652ac8720901ae20f561ebeab0a4524c817c3ff839bf158af466fd83549590ef4899cec042109b134bc72ba0edc13ba847f06816d49e9286f4c101a90634a16e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcjzyudf\wcjzyudf.0.cs

Filesize
372B

MD5
e08b953ab21fbfc2aa39eae282cf9c28

SHA1
fea182e2882ba054fca49ddddde73670fbb651b1

SHA256
0e50fbe0c17d1627458c12135ed08af434e4646f44f8fb3a571cd58c196757ca

SHA512
c46f1c0ef3f6475b946a153333a90f7c14333db1bd29c47264882bc11f5adbf2fad8029d47984b1ebf2898c3b9af4b6681b4b534b2b40e45f5594d3456809f0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcjzyudf\wcjzyudf.cmdline

Filesize
235B

MD5
98aa02a6da4eb334675e3300904637ef

SHA1
2fcdaac1e6fa2e27b8b2b20fbe49c38d180d2575

SHA256
d9bc040c8b9a1975f7eb0ef018baed499bde1b924187f211591d2f21875f7f08

SHA512
ad33cfe29f945d06ad32f48432367add4f9bfe02b31086a32ab31a3ae4fad77777b576ac84ae5447222d465606ca0d350b1e7e8929debf5ec6fceb38f7cbc1e6

Download Submit
\??\c:\Windows\System32\CSC9FAF6E7A6944E0A80B81F783C92F8.TMP

Filesize
1KB

MD5
01dc60b32f9121b11b30ff8d8e3ed9bd

SHA1
d4c7beabbb4b96239ff85348a9cd1957a10c27ab

SHA256
bbedf7b9680a97b0ebd09540310951791296334e7d8a3056b73ad564c55556ea

SHA512
0bc2dfe0549f8f0fc70c68df1fc61abf21f0c05954220ab1df7375d15f9a4d332cdccb5aefdef705a88f801c9e5e792815287f27674263db7dcb6a2f086429be

Download Submit
memory/380-10-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-9-0x00000000031A0000-0x00000000031AC000-memory.dmp

Filesize
48KB

Download
memory/380-0-0x00007FFCBBCD3000-0x00007FFCBBCD5000-memory.dmp

Filesize
8KB

Download
memory/380-1-0x0000000000ED0000-0x000000000107C000-memory.dmp

Filesize
1.7MB

Download
memory/380-2-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-3-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-24-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-4-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-23-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-6-0x0000000001850000-0x000000000185E000-memory.dmp

Filesize
56KB

Download
memory/380-22-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-7-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-56-0x00007FFCBBCD0000-0x00007FFCBC791000-memory.dmp

Filesize
10.8MB

Download
memory/380-55-0x000000001C2F0000-0x000000001C399000-memory.dmp

Filesize
676KB

Download
memory/864-189-0x000000001ADE0000-0x000000001AE89000-memory.dmp

Filesize
676KB

Download
memory/1040-133-0x000000001B9F0000-0x000000001BA99000-memory.dmp

Filesize
676KB

Download
memory/1108-205-0x000000001C4A0000-0x000000001C549000-memory.dmp

Filesize
676KB

Download
memory/1300-149-0x000000001BF20000-0x000000001BFC9000-memory.dmp

Filesize
676KB

Download
memory/2176-181-0x000000001B990000-0x000000001BA39000-memory.dmp

Filesize
676KB

Download
memory/3080-141-0x000000001C620000-0x000000001C6C9000-memory.dmp

Filesize
676KB

Download
memory/3340-173-0x000000001BBE0000-0x000000001BC89000-memory.dmp

Filesize
676KB

Download
memory/3412-71-0x00000186B4E30000-0x00000186B4E52000-memory.dmp

Filesize
136KB

Download
memory/3552-245-0x000000001D7A0000-0x000000001D849000-memory.dmp

Filesize
676KB

Download
memory/3936-237-0x000000001D1C0000-0x000000001D269000-memory.dmp

Filesize
676KB

Download
memory/4076-165-0x000000001BAB0000-0x000000001BB59000-memory.dmp

Filesize
676KB

Download
memory/4504-253-0x000000001D530000-0x000000001D5D9000-memory.dmp

Filesize
676KB

Download
memory/4692-229-0x000000001C650000-0x000000001C6F9000-memory.dmp

Filesize
676KB

Download
memory/4896-157-0x000000001BBC0000-0x000000001BC69000-memory.dmp

Filesize
676KB

Download
memory/4896-197-0x000000001BD90000-0x000000001BE39000-memory.dmp

Filesize
676KB

Download
memory/4916-213-0x000000001B770000-0x000000001B819000-memory.dmp

Filesize
676KB

Download
memory/4980-221-0x000000001C3A0000-0x000000001C449000-memory.dmp

Filesize
676KB

Download