zgrat | 8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f11bde1f33ddb5b4c398d4cc8b1c7c.exe
Size

1.4MB
MD5

61f11bde1f33ddb5b4c398d4cc8b1c7c
SHA1

614eaeab2931cc5b18f4d09afdf18fa95948ed90
SHA256

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159
SHA512

a2c33d12d345987be7cb2f53d321e738dd7b2b85672f674c317405313be4b3f13bfa99e9a0cda37b59563734871f299db33964a4576ee2a6e23e0dbdc7fab708
SSDEEP

24576:mj/Vhz2r7o+CE7cBOlZqevIhEvQQdFZUQpCqoIpO8TI76ze7lyJD5xKeVwGvn:q/Pz2rkzEYBOGGIsdFZUQpbVTIiEqD5Z

Score

10^/10

zgrat evasion execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 13 IoCs

resource	yara_rule
behavioral1/files/0x00220000000167ef-6.dat	family_zgrat_v1
behavioral1/files/0x0016000000016c26-19.dat	family_zgrat_v1
behavioral1/memory/2640-23-0x00000000000A0000-0x000000000024C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1036-89-0x0000000000D20000-0x0000000000ECC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2616-98-0x0000000000220000-0x00000000003CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1440-107-0x00000000003B0000-0x000000000055C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2036-116-0x0000000000ED0000-0x000000000107C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1288-125-0x0000000001290000-0x000000000143C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1604-150-0x0000000000370000-0x000000000051C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1944-159-0x0000000000320000-0x00000000004CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1832-168-0x0000000000860000-0x0000000000A0C000-memory.dmp	family_zgrat_v1
behavioral1/memory/792-177-0x0000000000CF0000-0x0000000000E9C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1484-186-0x0000000001110000-0x00000000012BC000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\", \"C:\\Program Files\\Microsoft Games\\Solitaire\\blockPortComdriverbroker.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\ShellNew\\audiodg.exe\", \"C:\\fontInto\\smss.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\", \"C:\\Program Files\\Microsoft Games\\Solitaire\\blockPortComdriverbroker.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\ShellNew\\audiodg.exe\", \"C:\\fontInto\\smss.exe\", \"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\", \"C:\\Program Files\\Microsoft Games\\Solitaire\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\", \"C:\\Program Files\\Microsoft Games\\Solitaire\\blockPortComdriverbroker.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\", \"C:\\Program Files\\Microsoft Games\\Solitaire\\blockPortComdriverbroker.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\ShellNew\\audiodg.exe\""	blockPortComdriverbroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1500	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1500	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
980	powershell.exe
2224	powershell.exe
2340	powershell.exe
1124	powershell.exe
608	powershell.exe
2988	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 14 IoCs

pid	Process
2568	1.exe
2640	blockPortComdriverbroker.exe
1036	audiodg.exe
2616	audiodg.exe
1440	audiodg.exe
2036	audiodg.exe
1288	audiodg.exe
2056	audiodg.exe
1452	audiodg.exe
1604	audiodg.exe
1944	audiodg.exe
1832	audiodg.exe
792	audiodg.exe
1484	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	cmd.exe
2548	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\dwm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ShellNew\\audiodg.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\fontInto\\smss.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\Program Files\\Windows Portable Devices\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\Program Files\\Microsoft Games\\Solitaire\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\Program Files\\Microsoft Games\\Solitaire\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Windows\\ShellNew\\audiodg.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\fontInto\\smss.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC8A9BFDE166A5477C9CA53654971304F.TMP	csc.exe
File created	\??\c:\Windows\System32\tcszo9.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Solitaire\blockPortComdriverbroker.exe	blockPortComdriverbroker.exe
File created	C:\Program Files\Microsoft Games\Solitaire\4e9e2aa52a435b	blockPortComdriverbroker.exe
File created	C:\Program Files\Windows Portable Devices\blockPortComdriverbroker.exe	blockPortComdriverbroker.exe
File created	C:\Program Files\Windows Portable Devices\4e9e2aa52a435b	blockPortComdriverbroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\audiodg.exe	blockPortComdriverbroker.exe
File created	C:\Windows\ShellNew\42af1c969fbb7b	blockPortComdriverbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2692	schtasks.exe
2816	schtasks.exe
2356	schtasks.exe
1576	schtasks.exe
2292	schtasks.exe
2132	schtasks.exe
3052	schtasks.exe
2452	schtasks.exe
1708	schtasks.exe
1680	schtasks.exe
1112	schtasks.exe
1040	schtasks.exe
2216	schtasks.exe
324	schtasks.exe
876	schtasks.exe
1732	schtasks.exe
1660	schtasks.exe
2052	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2436	reg.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2744	PING.EXE
628	PING.EXE
3060	PING.EXE
1724	PING.EXE
1656	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
2640	blockPortComdriverbroker.exe
608	powershell.exe
2340	powershell.exe
2988	powershell.exe
2224	powershell.exe
1124	powershell.exe
980	powershell.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe
1036	audiodg.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1036	audiodg.exe
Token: SeDebugPrivilege	2616	audiodg.exe
Token: SeDebugPrivilege	1440	audiodg.exe
Token: SeDebugPrivilege	2036	audiodg.exe
Token: SeDebugPrivilege	1288	audiodg.exe
Token: SeDebugPrivilege	2056	audiodg.exe
Token: SeDebugPrivilege	1452	audiodg.exe
Token: SeDebugPrivilege	1604	audiodg.exe
Token: SeDebugPrivilege	1944	audiodg.exe
Token: SeDebugPrivilege	1832	audiodg.exe
Token: SeDebugPrivilege	792	audiodg.exe
Token: SeDebugPrivilege	1484	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2568	2924	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe	28
PID 2924 wrote to memory of 2568	2924	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe	28
PID 2924 wrote to memory of 2568	2924	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe	28
PID 2924 wrote to memory of 2568	2924	61f11bde1f33ddb5b4c398d4cc8b1c7c.exe	28
PID 2568 wrote to memory of 2648	2568	1.exe	29
PID 2568 wrote to memory of 2648	2568	1.exe	29
PID 2568 wrote to memory of 2648	2568	1.exe	29
PID 2568 wrote to memory of 2648	2568	1.exe	29
PID 2648 wrote to memory of 2548	2648	WScript.exe	30
PID 2648 wrote to memory of 2548	2648	WScript.exe	30
PID 2648 wrote to memory of 2548	2648	WScript.exe	30
PID 2648 wrote to memory of 2548	2648	WScript.exe	30
PID 2548 wrote to memory of 2436	2548	cmd.exe	32
PID 2548 wrote to memory of 2436	2548	cmd.exe	32
PID 2548 wrote to memory of 2436	2548	cmd.exe	32
PID 2548 wrote to memory of 2436	2548	cmd.exe	32
PID 2548 wrote to memory of 2640	2548	cmd.exe	33
PID 2548 wrote to memory of 2640	2548	cmd.exe	33
PID 2548 wrote to memory of 2640	2548	cmd.exe	33
PID 2548 wrote to memory of 2640	2548	cmd.exe	33
PID 2640 wrote to memory of 1548	2640	blockPortComdriverbroker.exe	38
PID 2640 wrote to memory of 1548	2640	blockPortComdriverbroker.exe	38
PID 2640 wrote to memory of 1548	2640	blockPortComdriverbroker.exe	38
PID 1548 wrote to memory of 344	1548	csc.exe	40
PID 1548 wrote to memory of 344	1548	csc.exe	40
PID 1548 wrote to memory of 344	1548	csc.exe	40
PID 2640 wrote to memory of 2340	2640	blockPortComdriverbroker.exe	56
PID 2640 wrote to memory of 2340	2640	blockPortComdriverbroker.exe	56
PID 2640 wrote to memory of 2340	2640	blockPortComdriverbroker.exe	56
PID 2640 wrote to memory of 1124	2640	blockPortComdriverbroker.exe	57
PID 2640 wrote to memory of 1124	2640	blockPortComdriverbroker.exe	57
PID 2640 wrote to memory of 1124	2640	blockPortComdriverbroker.exe	57
PID 2640 wrote to memory of 608	2640	blockPortComdriverbroker.exe	59
PID 2640 wrote to memory of 608	2640	blockPortComdriverbroker.exe	59
PID 2640 wrote to memory of 608	2640	blockPortComdriverbroker.exe	59
PID 2640 wrote to memory of 2988	2640	blockPortComdriverbroker.exe	60
PID 2640 wrote to memory of 2988	2640	blockPortComdriverbroker.exe	60
PID 2640 wrote to memory of 2988	2640	blockPortComdriverbroker.exe	60
PID 2640 wrote to memory of 2224	2640	blockPortComdriverbroker.exe	62
PID 2640 wrote to memory of 2224	2640	blockPortComdriverbroker.exe	62
PID 2640 wrote to memory of 2224	2640	blockPortComdriverbroker.exe	62
PID 2640 wrote to memory of 980	2640	blockPortComdriverbroker.exe	64
PID 2640 wrote to memory of 980	2640	blockPortComdriverbroker.exe	64
PID 2640 wrote to memory of 980	2640	blockPortComdriverbroker.exe	64
PID 2640 wrote to memory of 1864	2640	blockPortComdriverbroker.exe	68
PID 2640 wrote to memory of 1864	2640	blockPortComdriverbroker.exe	68
PID 2640 wrote to memory of 1864	2640	blockPortComdriverbroker.exe	68
PID 1864 wrote to memory of 2860	1864	cmd.exe	70
PID 1864 wrote to memory of 2860	1864	cmd.exe	70
PID 1864 wrote to memory of 2860	1864	cmd.exe	70
PID 1864 wrote to memory of 2804	1864	cmd.exe	71
PID 1864 wrote to memory of 2804	1864	cmd.exe	71
PID 1864 wrote to memory of 2804	1864	cmd.exe	71
PID 1864 wrote to memory of 1036	1864	cmd.exe	72
PID 1864 wrote to memory of 1036	1864	cmd.exe	72
PID 1864 wrote to memory of 1036	1864	cmd.exe	72
PID 1036 wrote to memory of 2516	1036	audiodg.exe	73
PID 1036 wrote to memory of 2516	1036	audiodg.exe	73
PID 1036 wrote to memory of 2516	1036	audiodg.exe	73
PID 2516 wrote to memory of 2296	2516	cmd.exe	75
PID 2516 wrote to memory of 2296	2516	cmd.exe	75
PID 2516 wrote to memory of 2296	2516	cmd.exe	75
PID 2516 wrote to memory of 2744	2516	cmd.exe	76
PID 2516 wrote to memory of 2744	2516	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\61f11bde1f33ddb5b4c398d4cc8b1c7c.exe
"C:\Users\Admin\AppData\Local\Temp\61f11bde1f33ddb5b4c398d4cc8b1c7c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\fontInto\soby05K3uOljM.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2436
    - - C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto/blockPortComdriverbroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qaxxyi2b\qaxxyi2b.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EA2.tmp" "c:\Windows\System32\CSC8A9BFDE166A5477C9CA53654971304F.TMP"
        7⤵
        
        PID:344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\blockPortComdriverbroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\blockPortComdriverbroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\blockPortComdriverbroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qVjgaCwLo7.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2804
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2744
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9fn0Ky9lyW.bat"
        10⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:628
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat"
        12⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2728
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat"
        14⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:3060
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
        16⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2824
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j04FsiQN01.bat"
        18⤵
        
        PID:1316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1872
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1XGPdNpiQu.bat"
        20⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:1724
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U9jP4iZUUm.bat"
        22⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1528
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MWkXPhK5zP.bat"
        24⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2296
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rln2uypvqA.bat"
        26⤵
        
        PID:1264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2836
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\va0LlUybli.bat"
        28⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:1656
        
        C:\Windows\ShellNew\audiodg.exe
        
        "C:\Windows\ShellNew\audiodg.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\blockPortComdriverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Solitaire\blockPortComdriverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Solitaire\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\fontInto\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\fontInto\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\fontInto\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 9 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbroker" /sc ONLOGON /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 12 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
2.0MB

MD5
e7197369aa79213cb20f49e31a6d0ff9

SHA1
c841bbcd0ce335b4cc10cff1c354be238b3c9338

SHA256
9e4af984c4b935ed29a62c1bf93672f5937f75324781bd266fed6d7d0d238620

SHA512
5ecaf7034e16249b7239c720588f40f673f49c247f2cb329bfe83fefae7d00b2c658e721e5ddc8d3d9d3ab5a039c36ac47d6279de3b36398b297435c918b402c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1XGPdNpiQu.bat

Filesize
159B

MD5
34c114409a7e1b21e525f4a27f4d1d0a

SHA1
1d96370cdc8a015496e3529502cc7138f1329683

SHA256
ed68af3e735376b51e32b087864b5ece9cca0e33ad874c647843bccfd510cb39

SHA512
daf7d7d9d37fe38ed1fcdd13049a529d17183bf0e7172a5f81ebe613ef97e3b2d1c905ef0f1e73350ca29b213874b40a4d8514feca1254c2931eb0df2ea96e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat

Filesize
159B

MD5
8f56072c5a209fb844d7a48d1f7d1c10

SHA1
ea169e357d75ebe9caa996cb356f1ab4d8e257f7

SHA256
a053267bdccf61566027357b264ab367265600c39f14817d1c756c31637b7cdf

SHA512
9e134213bf0d07a8850ef0996f40a9061a38a37d0124fd82e1400bd19d7c612e643a19fc4eda6ae17260582468b24b363a757888989368ac6001d2478d01e3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fn0Ky9lyW.bat

Filesize
159B

MD5
f30d93625a3cdab5a68211185eb81919

SHA1
49f77722d465fc5568c6e762911f2fcf48163b87

SHA256
647ab5c0ca228971f3e1fa8116fec3da258edfc0c01f245d7665adb4c86a9eb8

SHA512
e24a9f40499974497a7bbaa095b980df6cb6e12d34031ce52f7aea270df4ccfcd026aef043c2b825efc89e85821e4811aa0d14097ea5f28cab511f0d2988b266

Download Submit
C:\Users\Admin\AppData\Local\Temp\MWkXPhK5zP.bat

Filesize
207B

MD5
8a53780a415b43132b4f5f47caa5a658

SHA1
72ccfd3620990774f34433787759d9014bb3ded6

SHA256
2cef3d6cecef4c86b1d1b472f968bf43d978c4323fc0b783e8584e4d22ab1ee7

SHA512
eaa8564a4b76b13df321d2c450f807358014f673befc57bf8be819463a6040543b88252116cbdfdc5ec19d518a54cc71254d8042dd8235acd3e4185b3341854c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EA2.tmp

Filesize
1KB

MD5
0ae1470b3db4bcd38d84183ef98d80f0

SHA1
c67c254907ae5f746247dd6f71f76ccd9aa6de4b

SHA256
4ee1aed58909c1ac976a520441448080a690ea5067d0a2c3681f585b407edada

SHA512
8976cfcbc8eb74984d6d318b39ed9132181a3833ee03322905512c906449757d691ffa165ef6fb12a0d2783c48b9a49b66db1cf8471fb0dda5e0438535c83a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\U9jP4iZUUm.bat

Filesize
207B

MD5
05cc48ad773d28546e6efe4b0d5177b2

SHA1
df97ff1e5f31c5851e8c01b36c083728b0d1c9bb

SHA256
a63992b0be56b9dbbcfc1352e8108e5163d89a9bf890bf98713a3406d51ccc74

SHA512
fabc2c6e0a83bef263f7bf83709c3615856bd4d35e40c0cab92af2deae08392e9b23d1e1729cef1ebdfb15089636de0a41435eab4fe15d4d5572aeb337c373ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat

Filesize
207B

MD5
ba449e10ee024b2e69de3023f1a440f1

SHA1
f772e8d6067115555fd80d66fe82cc0ffc78d972

SHA256
8c337dd67db5b8a644444be4770aa23be7b05474d598187b107336fbae4713ce

SHA512
2a118744c593091e6d8047279f4dcd7719e79a3cd66c1e520dda77fe083342eea2f12065ae4f3c1c419977cad2195572dc6b4857a34f24eef0d81f3f3dbdfabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aRcytkisn9.bat

Filesize
159B

MD5
f024a29868f94188976f4e9d0310574e

SHA1
49a0cce25cbeb0c6060dcd826c6962bf38c50d45

SHA256
9384f4bcdc7f355ece3235893dbaef6f6d1aaa74282864db9592b9b990c61701

SHA512
9e1b78d2a52d5390320b2f6614e7965d86d3f79e3472a49a36e3783a23af1592e2732f52b5fb709e9eb8b310b601dd84e0ad17e2a6959b2a9aa5f7ccf75bda9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat

Filesize
207B

MD5
56117e43ca77a77626663bbdd4ed9018

SHA1
3961fc70ac3fbbd2190ee31eea437182827a5fbc

SHA256
916c873f3f2ca61973d1f13ab02a50bdca5d22582959fead0b4ebf056454c4be

SHA512
b9b18cd818c8012527b08cf547d313392410b523801229e86093ee1379ad363df6cf1b91f0d4260c29005369961fef7b2c436bdaddc7b7c843f05a41a972ad00

Download Submit
C:\Users\Admin\AppData\Local\Temp\j04FsiQN01.bat

Filesize
207B

MD5
fc39995df0d45c08a4412001dc91965f

SHA1
7051a5d4093a4449d228ba98cf5ce746acda2730

SHA256
cfbaf5f52d31bb0fac8992f639f8accf7fddb8aaa86d55b714c261fb85114bac

SHA512
5ec911414b21206f4ebeb9a02db0703572d93c08e82fcf789fcf1af3d1d3ab2623b9168811e69f432264382ef811b70630bc0db48b7c20992b7a3aaeddc2cdda

Download Submit
C:\Users\Admin\AppData\Local\Temp\qVjgaCwLo7.bat

Filesize
207B

MD5
705c6af592f272e4e1b639c01a7fc6f8

SHA1
9b93a185e6697a3f19b4e2ecd5a6c05b738c3475

SHA256
315502366ed31202eb5f1e98053b452a9629504c1e4f47964f87ca29764fbed9

SHA512
6e188f633a87aff09d117397891e96a192969b145dec78d6ee751488065f5707fc103b1d0571cc37baea049ec90b47d3efa3eef2632d4a75bb95009852ee4124

Download Submit
C:\Users\Admin\AppData\Local\Temp\rln2uypvqA.bat

Filesize
207B

MD5
c5dd8a51ce922ee0f9d48b74ce129b7c

SHA1
1ebe92bc98f4c2bfcacccf466f7404563db4f188

SHA256
931a2a31cb69812fa081e74829a8f6c6a1551ca683bb042f749f5f1f8eef4bf7

SHA512
ce0cca20ce021a41756b2333a3fbe15aecaf2b586ac42d327dc29d02f86ec3601b8d433ef2cf4800ad463035e76b25845c19a5d387368c9f9091f6c8493f2ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\va0LlUybli.bat

Filesize
159B

MD5
a4fabd4a5154d1d3a739b62d17912988

SHA1
f07c97e23db5864a068353caa2e754b7a9515f31

SHA256
33d7ee05ff12b0c9c166fe31aab7abb4e6a72123417e2e9c6bdb65b3159356f1

SHA512
17a674dbebfd2b33a9d3153b023b095f728de3536e2a16f88a87961049a6b96dca9f07a14468a6f5716c68afa5fe4e0f85587a371c523f19c47da9eb31c12764

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2BN52KOHT8PMSQW573O3.temp

Filesize
7KB

MD5
d891e3b58442684b3d17eed6fd14d969

SHA1
b615cf7a32ee64852640c9aee976884cbc087943

SHA256
9d148835391f93beb1158a26795b15c353d5f197530ed7ade36928df79a41802

SHA512
65bf42dd60da5b45d67a6c700060fead9dbee0013acbcc8bfc9e740a73aedb8d36cb90c3cd4983549212db8857c93cc68d90cca79c3ce7765edfb04c0cf025de

Download Submit
C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe

Filesize
200B

MD5
acd11feb4451a8f14fd6e2dc71164cf1

SHA1
9b645b0798b101fb04a565d3a1a5cef1155e0800

SHA256
cb0d496499709d17bacc28d5fb00b22e64af093062530c195ff03a69033fd9f0

SHA512
5db057a8957169c9e001c47577fcc8ec4cca145aa595946f31a5eaef71f2438d6f7a4d4758808db0c473b8542fc85801fa91ec2e02c7cfdc84f31c79e02fe72c

Download Submit
C:\fontInto\soby05K3uOljM.bat

Filesize
201B

MD5
ef94f890944f55d5b0719b9fe4578c48

SHA1
3de264c05e7b45bf65c676391d1e112184258f3b

SHA256
6bdf05e8f2ae2dc331d1f47fa7ff2d8da950f44d0e78a5e727c3c2058f7c8350

SHA512
29c9b9532c4b0e7eb7995916da0703637a43fd6afc5bf4eacce7eaf2d6d0ffa47b4e215b1ba305738719cab383edc48fad25f535c7210ff6698309a57c295302

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qaxxyi2b\qaxxyi2b.0.cs

Filesize
402B

MD5
47f6210785a93c0823cfe08612a857ae

SHA1
a7af75e3d581d1e60f091bdc3e122f8fd094a69b

SHA256
b195778c84d6a7d0501cdd858a05f0d93f81c3b77160d1fb84306bfe0c686d7e

SHA512
12160a5f1415de219197a3e11383170ae8759bf3fa92f7fceb8353607a95b58481ef21338a4a175c5fa77ea754ae9585827731fa8a98af52d1a739e07563ca69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qaxxyi2b\qaxxyi2b.cmdline

Filesize
235B

MD5
13e8d134b7455837fcd651ae78aac425

SHA1
8daa936c0bc80d71a11d728177b335c3011469b4

SHA256
f9e976840cd5ea4697993e8d431300ee20ec6578d80020673883761b3fd21ac1

SHA512
d0c915e430d8dfac6bb5c3ef62ddb487f4245585d01d7b0f41e576917fc507ed0d0890bc00d123972f7fa9b4c5f815111f0313d31ec99e2f3f1b762db7bbd449

Download Submit
\??\c:\Windows\System32\CSC8A9BFDE166A5477C9CA53654971304F.TMP

Filesize
1KB

MD5
d8db284f657dc7249f8d2e9798f16b87

SHA1
2c9e00cba50091d4239c90f375509c8d58408ec1

SHA256
67e68135a985b6d3a0d63df5c6795567cbc1d5b8f124d65662e463af4da65823

SHA512
4330f819da94bcb38b930d39f016c5989e68a20780b74de751f59b759e46de031244be9186261bb245507e9ca816c1655049575a03e85339b5fc596f5b7cfd39

Download Submit
\fontInto\blockPortComdriverbroker.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
memory/608-65-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/608-70-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/792-177-0x0000000000CF0000-0x0000000000E9C000-memory.dmp

Filesize
1.7MB

Download
memory/1036-89-0x0000000000D20000-0x0000000000ECC000-memory.dmp

Filesize
1.7MB

Download
memory/1288-125-0x0000000001290000-0x000000000143C000-memory.dmp

Filesize
1.7MB

Download
memory/1440-107-0x00000000003B0000-0x000000000055C000-memory.dmp

Filesize
1.7MB

Download
memory/1484-186-0x0000000001110000-0x00000000012BC000-memory.dmp

Filesize
1.7MB

Download
memory/1604-150-0x0000000000370000-0x000000000051C000-memory.dmp

Filesize
1.7MB

Download
memory/1832-168-0x0000000000860000-0x0000000000A0C000-memory.dmp

Filesize
1.7MB

Download
memory/1944-159-0x0000000000320000-0x00000000004CC000-memory.dmp

Filesize
1.7MB

Download
memory/2036-116-0x0000000000ED0000-0x000000000107C000-memory.dmp

Filesize
1.7MB

Download
memory/2616-98-0x0000000000220000-0x00000000003CC000-memory.dmp

Filesize
1.7MB

Download
memory/2640-23-0x00000000000A0000-0x000000000024C000-memory.dmp

Filesize
1.7MB

Download
memory/2640-25-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2640-27-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2924-8-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2924-1-0x0000000001210000-0x0000000001384000-memory.dmp

Filesize
1.5MB

Download
memory/2924-4-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download