zgrat | 8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe
Size

1.4MB
MD5

61f11bde1f33ddb5b4c398d4cc8b1c7c
SHA1

614eaeab2931cc5b18f4d09afdf18fa95948ed90
SHA256

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159
SHA512

a2c33d12d345987be7cb2f53d321e738dd7b2b85672f674c317405313be4b3f13bfa99e9a0cda37b59563734871f299db33964a4576ee2a6e23e0dbdc7fab708
SSDEEP

24576:mj/Vhz2r7o+CE7cBOlZqevIhEvQQdFZUQpCqoIpO8TI76ze7lyJD5xKeVwGvn:q/Pz2rkzEYBOGGIsdFZUQpbVTIiEqD5Z

Score

10^/10

zgrat evasion execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 12 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000153cf-7.dat	family_zgrat_v1
behavioral1/files/0x0035000000015c7c-19.dat	family_zgrat_v1
behavioral1/memory/2412-23-0x0000000000380000-0x000000000052C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2348-88-0x0000000000030000-0x00000000001DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2420-97-0x00000000011E0000-0x000000000138C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2692-106-0x0000000000170000-0x000000000031C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1100-115-0x00000000008D0000-0x0000000000A7C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1572-124-0x0000000000370000-0x000000000051C000-memory.dmp	family_zgrat_v1
behavioral1/memory/580-133-0x0000000000130000-0x00000000002DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/788-142-0x0000000000E20000-0x0000000000FCC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2572-168-0x0000000000FA0000-0x000000000114C000-memory.dmp	family_zgrat_v1
behavioral1/memory/816-177-0x0000000000200000-0x00000000003AC000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\fontInto\\lsass.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Program Files (x86)\\Google\\System.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\", \"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\fontInto\\lsass.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\fontInto\\lsass.exe\", \"C:\\Users\\Default User\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\fontInto\\lsass.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Program Files (x86)\\Google\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\fontInto\\lsass.exe\", \"C:\\Users\\Default User\\System.exe\", \"C:\\Program Files (x86)\\Google\\System.exe\", \"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\""	blockPortComdriverbroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2932	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 12 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000153cf-7.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0035000000015c7c-19.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2412-23-0x0000000000380000-0x000000000052C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2348-88-0x0000000000030000-0x00000000001DC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2420-97-0x00000000011E0000-0x000000000138C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2692-106-0x0000000000170000-0x000000000031C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1100-115-0x00000000008D0000-0x0000000000A7C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1572-124-0x0000000000370000-0x000000000051C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/580-133-0x0000000000130000-0x00000000002DC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/788-142-0x0000000000E20000-0x0000000000FCC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2572-168-0x0000000000FA0000-0x000000000114C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/816-177-0x0000000000200000-0x00000000003AC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
1456	powershell.exe
1916	powershell.exe
2268	powershell.exe
2356	powershell.exe
616	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 13 IoCs

pid	Process
3068	1.exe
2412	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2420	blockPortComdriverbroker.exe
2692	blockPortComdriverbroker.exe
1100	blockPortComdriverbroker.exe
1572	blockPortComdriverbroker.exe
580	blockPortComdriverbroker.exe
788	blockPortComdriverbroker.exe
2184	blockPortComdriverbroker.exe
2148	blockPortComdriverbroker.exe
2572	blockPortComdriverbroker.exe
816	blockPortComdriverbroker.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	cmd.exe
2444	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default User\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default User\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\audiodg.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\fontInto\\lsass.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\fontInto\\lsass.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\audiodg.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Google\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Google\\CrashReports\\services.exe\""	blockPortComdriverbroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDBBB561B5BAF4AEA8E6E8680864BE8B.TMP	csc.exe
File created	\??\c:\Windows\System32\tcszo9.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\services.exe	blockPortComdriverbroker.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\services.exe	blockPortComdriverbroker.exe
File created	C:\Program Files (x86)\Google\CrashReports\c5b4cb5e9653cc	blockPortComdriverbroker.exe
File created	C:\Program Files (x86)\Google\System.exe	blockPortComdriverbroker.exe
File created	C:\Program Files (x86)\Google\27d1bcfc3c54e0	blockPortComdriverbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1572	schtasks.exe
2936	schtasks.exe
2280	schtasks.exe
112	schtasks.exe
2724	schtasks.exe
1228	schtasks.exe
2144	schtasks.exe
680	schtasks.exe
2584	schtasks.exe
2060	schtasks.exe
1864	schtasks.exe
1840	schtasks.exe
2064	schtasks.exe
2376	schtasks.exe
1716	schtasks.exe
2036	schtasks.exe
1696	schtasks.exe
1236	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2392	reg.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2884	PING.EXE
1548	PING.EXE
2220	PING.EXE
2064	PING.EXE
884	PING.EXE
1540	PING.EXE
2352	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2412	blockPortComdriverbroker.exe
2268	powershell.exe
2356	powershell.exe
888	powershell.exe
1456	powershell.exe
616	powershell.exe
1916	powershell.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2348	blockPortComdriverbroker.exe
2420	blockPortComdriverbroker.exe
2420	blockPortComdriverbroker.exe
2420	blockPortComdriverbroker.exe
2420	blockPortComdriverbroker.exe
2420	blockPortComdriverbroker.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2348	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	2420	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	2692	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	1100	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	1572	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	580	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	788	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	2184	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	2148	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	2572	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	816	blockPortComdriverbroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3068	2148	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 2148 wrote to memory of 3068	2148	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 2148 wrote to memory of 3068	2148	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 2148 wrote to memory of 3068	2148	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 3068 wrote to memory of 2552	3068	1.exe	29
PID 3068 wrote to memory of 2552	3068	1.exe	29
PID 3068 wrote to memory of 2552	3068	1.exe	29
PID 3068 wrote to memory of 2552	3068	1.exe	29
PID 2552 wrote to memory of 2444	2552	WScript.exe	30
PID 2552 wrote to memory of 2444	2552	WScript.exe	30
PID 2552 wrote to memory of 2444	2552	WScript.exe	30
PID 2552 wrote to memory of 2444	2552	WScript.exe	30
PID 2444 wrote to memory of 2392	2444	cmd.exe	32
PID 2444 wrote to memory of 2392	2444	cmd.exe	32
PID 2444 wrote to memory of 2392	2444	cmd.exe	32
PID 2444 wrote to memory of 2392	2444	cmd.exe	32
PID 2444 wrote to memory of 2412	2444	cmd.exe	33
PID 2444 wrote to memory of 2412	2444	cmd.exe	33
PID 2444 wrote to memory of 2412	2444	cmd.exe	33
PID 2444 wrote to memory of 2412	2444	cmd.exe	33
PID 2412 wrote to memory of 852	2412	blockPortComdriverbroker.exe	38
PID 2412 wrote to memory of 852	2412	blockPortComdriverbroker.exe	38
PID 2412 wrote to memory of 852	2412	blockPortComdriverbroker.exe	38
PID 852 wrote to memory of 2648	852	csc.exe	40
PID 852 wrote to memory of 2648	852	csc.exe	40
PID 852 wrote to memory of 2648	852	csc.exe	40
PID 2412 wrote to memory of 2268	2412	blockPortComdriverbroker.exe	56
PID 2412 wrote to memory of 2268	2412	blockPortComdriverbroker.exe	56
PID 2412 wrote to memory of 2268	2412	blockPortComdriverbroker.exe	56
PID 2412 wrote to memory of 2356	2412	blockPortComdriverbroker.exe	57
PID 2412 wrote to memory of 2356	2412	blockPortComdriverbroker.exe	57
PID 2412 wrote to memory of 2356	2412	blockPortComdriverbroker.exe	57
PID 2412 wrote to memory of 616	2412	blockPortComdriverbroker.exe	59
PID 2412 wrote to memory of 616	2412	blockPortComdriverbroker.exe	59
PID 2412 wrote to memory of 616	2412	blockPortComdriverbroker.exe	59
PID 2412 wrote to memory of 888	2412	blockPortComdriverbroker.exe	60
PID 2412 wrote to memory of 888	2412	blockPortComdriverbroker.exe	60
PID 2412 wrote to memory of 888	2412	blockPortComdriverbroker.exe	60
PID 2412 wrote to memory of 1456	2412	blockPortComdriverbroker.exe	61
PID 2412 wrote to memory of 1456	2412	blockPortComdriverbroker.exe	61
PID 2412 wrote to memory of 1456	2412	blockPortComdriverbroker.exe	61
PID 2412 wrote to memory of 1916	2412	blockPortComdriverbroker.exe	63
PID 2412 wrote to memory of 1916	2412	blockPortComdriverbroker.exe	63
PID 2412 wrote to memory of 1916	2412	blockPortComdriverbroker.exe	63
PID 2412 wrote to memory of 980	2412	blockPortComdriverbroker.exe	68
PID 2412 wrote to memory of 980	2412	blockPortComdriverbroker.exe	68
PID 2412 wrote to memory of 980	2412	blockPortComdriverbroker.exe	68
PID 980 wrote to memory of 1896	980	cmd.exe	70
PID 980 wrote to memory of 1896	980	cmd.exe	70
PID 980 wrote to memory of 1896	980	cmd.exe	70
PID 980 wrote to memory of 2196	980	cmd.exe	71
PID 980 wrote to memory of 2196	980	cmd.exe	71
PID 980 wrote to memory of 2196	980	cmd.exe	71
PID 980 wrote to memory of 2348	980	cmd.exe	72
PID 980 wrote to memory of 2348	980	cmd.exe	72
PID 980 wrote to memory of 2348	980	cmd.exe	72
PID 2348 wrote to memory of 2624	2348	blockPortComdriverbroker.exe	73
PID 2348 wrote to memory of 2624	2348	blockPortComdriverbroker.exe	73
PID 2348 wrote to memory of 2624	2348	blockPortComdriverbroker.exe	73
PID 2624 wrote to memory of 2328	2624	cmd.exe	75
PID 2624 wrote to memory of 2328	2624	cmd.exe	75
PID 2624 wrote to memory of 2328	2624	cmd.exe	75
PID 2624 wrote to memory of 1548	2624	cmd.exe	76
PID 2624 wrote to memory of 1548	2624	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe
"C:\Users\Admin\AppData\Local\Temp\8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\fontInto\soby05K3uOljM.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2392
    - - C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto/blockPortComdriverbroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\knr2jdqc\knr2jdqc.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6ED9.tmp" "c:\Windows\System32\CSCDBBB561B5BAF4AEA8E6E8680864BE8B.TMP"
        7⤵
        
        PID:2648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\blockPortComdriverbroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Su2pQ3jpgP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2196
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mESeKRNGrE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2328
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1548
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5xIcrgADPl.bat"
        10⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2748
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DqZM2URRQk.bat"
        12⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:2220
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9QW9oB7wRt.bat"
        14⤵
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:2064
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZj4RhEvd.bat"
        16⤵
        
        PID:752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:776
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\72DWG1NhBc.bat"
        18⤵
        
        PID:2864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:884
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wle9X4LEtL.bat"
        20⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:1540
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z3scJZvfCA.bat"
        22⤵
        
        PID:1856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1676
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NbfRo2XZmG.bat"
        24⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2352
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lbSQETZDjd.bat"
        26⤵
        
        PID:2420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1488
        
        C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto\blockPortComdriverbroker.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9Anfm3pCF.bat"
        28⤵
        
        PID:1196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\fontInto\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\fontInto\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\fontInto\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 7 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbroker" /sc ONLOGON /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 10 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
2.0MB

MD5
e7197369aa79213cb20f49e31a6d0ff9

SHA1
c841bbcd0ce335b4cc10cff1c354be238b3c9338

SHA256
9e4af984c4b935ed29a62c1bf93672f5937f75324781bd266fed6d7d0d238620

SHA512
5ecaf7034e16249b7239c720588f40f673f49c247f2cb329bfe83fefae7d00b2c658e721e5ddc8d3d9d3ab5a039c36ac47d6279de3b36398b297435c918b402c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xIcrgADPl.bat

Filesize
216B

MD5
e3cbb64c08d0a9cbbb6e8560c8102e7c

SHA1
d84d7cdecf7226c26d6d7b8ddf662dacfb1e2a71

SHA256
c5e8554ac2c03a2125619ec0997af2e652bd5d6ba28e8673bbec2358a0137a59

SHA512
528d3bc11ee2221dfe45a1969b7bb52d343e46aa5dc70308fec6d8103cc790aa507f1443d1a48195b7f3a2a34b89fa1e43bf5801837653d797a12ee53021f4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\72DWG1NhBc.bat

Filesize
168B

MD5
2fc975544e71347d83e7172a0393acd7

SHA1
679e8a38c8766a9f5f7fa5773a2a8d55e110bc84

SHA256
a1f329ee623b30371af91fb53118f7ac8af6adf3b8e8e370c601bbeda8d422cc

SHA512
5c6493df253d86819a1b05dbd6e03793de02fe75af50cdf330e70b7d9211b526c91040f0114d0269030027e0835c8d1f853a6e2c31d3e1872ffc7b47623e5247

Download Submit
C:\Users\Admin\AppData\Local\Temp\9QW9oB7wRt.bat

Filesize
168B

MD5
bcd031c1091457faab70f8887320a7f6

SHA1
ccf508c31ea2aa473b154c05807e5cdd684219c6

SHA256
e9eceefb5f5501e1cef15c3618951265ecbf59ae623fe0b2fe2eeba36f2b933f

SHA512
084aeeade1f2e66853f451a42dd6eeb12a7078d3657b5fe83df01f34be16c6bbd0a1eced735154df090c5ad497682bf91796fdff1093292bd7b9f621e82d962b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DqZM2URRQk.bat

Filesize
168B

MD5
8e14045cd617acd7b5e720b3150efaa2

SHA1
c54a94b84d54d2776634743165b381bf8c37cf9e

SHA256
2f2be13f99af0aea947b82bb30541bfe1babe3940846d2872410cea512d75597

SHA512
f07b411f341fe89594d09313e82642614586f4eaa866d62183636117a3a22f1b17c81765a514da40f2cf3fcea1583f57d14fe3bc0587ca79196def3b9c25a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NbfRo2XZmG.bat

Filesize
168B

MD5
4b376ac0e144ebf056814699f2acf171

SHA1
4bcba42685650c6097edb7ad58b7dd03948ae964

SHA256
e2c912677493edcd7164eaa8c12f582f40071a694f5a17d8d4d18b8acff7bbd4

SHA512
b20273cc003ca0369fc2f06be11a8bc3c798bd481928786c4350a5a8e3f23a7f302dd617515392f8ede7964d4299a54d1551ae385505f374a7fbd2c0679e9214

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6ED9.tmp

Filesize
1KB

MD5
e64016a4930f83bab2069a41e9c8f37e

SHA1
9d64a3224280c2bda837310618ce3bda9bf115f8

SHA256
6f2984da07443ff0f1985d9aef10a6a22b5852baecf4ccd6a328957993edba66

SHA512
0ecf56418acaaad6f0660eebd96b56c2e40647a077256f7cd5b4eab693fe693954825b52fd7462787c9bd8a134a1896cfc8fc3fc82bd64188f4657a7a898cfd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Su2pQ3jpgP.bat

Filesize
216B

MD5
026e9dcdac454875f1c80e0a964cf4c8

SHA1
1d19c892c86d1d6fdc8e0aa4a101dc9402a35a16

SHA256
265c72db185f2aee36b4a9ebfe03af63c4e6297153e2b58a050a03816b99557e

SHA512
efe5b4ad53e2516ff9c5cdbae85ddbfa661bc3c5a17ac6121914a4de8c5b4539f976e45aec7b760d675c3f552e740eb914ea00da58c3086432feef594d2c2eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z3scJZvfCA.bat

Filesize
216B

MD5
da9b40ad74edafd60594f353d0172a3c

SHA1
dc42446bacf431b79898a1b9159e1172d05d7f5c

SHA256
075b5ef2008ce8497cd42db28ae869f3bc69b2ae6e4528bcde5289da850f194c

SHA512
f4ed8305e70d90063a4792f64a53282624a54b132f419121beeb02ae1e4fa5dcd3185a619e134e9292a9e3b1201e8dbcf9f972fc7d4ff54a5eb9d83ba09aacb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9Anfm3pCF.bat

Filesize
168B

MD5
2f2901af196a44236b222fffa928b746

SHA1
c71c3b0f36ac06af2f7797af7442cc58ba957cfe

SHA256
b9d3118dc9b427a19c69dda27248b5338f3ab35237f8a78ad3e1cb65443dbe2a

SHA512
c8d2af42278dd9224e630651ec8412c84ed2d74e5c0856053f15770e8de80568d806a573972b7c8cec7e1524ff0220a796020e56f027235c6ff2e187f586ab09

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbSQETZDjd.bat

Filesize
216B

MD5
bb5895cbc4eb1da58a593c4e0fd3296c

SHA1
ec8d4b76d5e30487d4a51b95b787be5f2c08c173

SHA256
c08f54a4e3405f3a975f85639b9291dc266c33c9e0fd90dba3e7ef026266fb49

SHA512
c6e7522bfe1018edc27b8fafebec281dfc9099a2bf25cb0efaea75ddbfcecad97dc1508bbea09cce1f3fa6467f0c2bfabdb673703cf8c285b2987b0cdb08f186

Download Submit
C:\Users\Admin\AppData\Local\Temp\mESeKRNGrE.bat

Filesize
168B

MD5
7fac9e205e1fb1c59d6f0889007535c9

SHA1
fda9aa52a5a1d16f108986567caf48ab38323773

SHA256
a8898bb3a192a05df695a8574b16cb848d2c5af9ed59b5148bdf1f58fb25f694

SHA512
b40c79a7c155074d7a3cdcf2d79471b0a3ee4d47dcd29ee852fc8065fbd41f888de97a30883569f28c5b57c074cbf94d4b7cb66c9be47d87651b285008114719

Download Submit
C:\Users\Admin\AppData\Local\Temp\owZj4RhEvd.bat

Filesize
216B

MD5
99817b6dbcbe29369c9e945cb6621fc0

SHA1
00d706cf6e4e1e5d7addca4a60cf9cb0f74efb28

SHA256
125d40c85af19900b81a56d71edd721c9131faf746852cf24342771c616b5d21

SHA512
f6f2939142885eb0f608a2b17900d6fc677db62ff5aed9c0b9647ec6e9e638f8e11d264699e4ac2bd10631d526d56ce37a99e6681166994452f9b7d19beebf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wle9X4LEtL.bat

Filesize
168B

MD5
e79f2ae547c8828d9e8130a433584378

SHA1
4681011abfa3052846aef371fa13190e7f08fdcc

SHA256
61f30ce679c7831197232533d289490a1a542d95102ea1c6717c4d30556a08d9

SHA512
ddf960b95605c35b3fff94e6c398cdeb6eebb1ef639e68c4daa10d72bcce6b688af6303c6fbde97c2fc3cd6af70694b067a819557c705ec96ea3469d8356fdf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
73d714ef6dd4d00b7ae9eb305fe7f0bf

SHA1
9c7fdbdb05f4b8caa1c270bf789166d80bdfe6d6

SHA256
ce7c58568b3a41b5f62a5da6445a38051c7c43087f16f98c4b88e74034254d11

SHA512
3611335079da12835a7b067ecaba4d8dbc6e541c25942297f6e0fe37d7461f640b78d5861b34281b9351d5207eec56681c4b2a8a999b25a8f093e5d577149ba3

Download Submit
C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe

Filesize
200B

MD5
acd11feb4451a8f14fd6e2dc71164cf1

SHA1
9b645b0798b101fb04a565d3a1a5cef1155e0800

SHA256
cb0d496499709d17bacc28d5fb00b22e64af093062530c195ff03a69033fd9f0

SHA512
5db057a8957169c9e001c47577fcc8ec4cca145aa595946f31a5eaef71f2438d6f7a4d4758808db0c473b8542fc85801fa91ec2e02c7cfdc84f31c79e02fe72c

Download Submit
C:\fontInto\soby05K3uOljM.bat

Filesize
201B

MD5
ef94f890944f55d5b0719b9fe4578c48

SHA1
3de264c05e7b45bf65c676391d1e112184258f3b

SHA256
6bdf05e8f2ae2dc331d1f47fa7ff2d8da950f44d0e78a5e727c3c2058f7c8350

SHA512
29c9b9532c4b0e7eb7995916da0703637a43fd6afc5bf4eacce7eaf2d6d0ffa47b4e215b1ba305738719cab383edc48fad25f535c7210ff6698309a57c295302

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knr2jdqc\knr2jdqc.0.cs

Filesize
365B

MD5
94c8a7609450648748029af8bbc41fde

SHA1
e827f3adf0f60fb67ea1efd361128dbc7c348705

SHA256
3219f43b86ca82921280c05addd7561e3ca86162cc7c926f0feb6d93435f8139

SHA512
5eead66475a2bd69cba31e2bec79d69a093a1195b2eb8e894d2f8d13971b38bf2bb691b4946599269d6aef3f66b4076a12516d2de90f44a2e065a60a475b0b8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\knr2jdqc\knr2jdqc.cmdline

Filesize
235B

MD5
51b0c330b69a2292a7c7dc54b6aaec52

SHA1
f47db4bf9eb084cac9bc12a019651beaea973bfb

SHA256
ee8fdd4ade21122648e1a7513cd0086ddcf1a5cd853a8da5a7afb1f54639327d

SHA512
06dd55ca772c08e84f7d7ce22de707e2125a68c665ca97e28b2fa799744b6144fea5a98987130843ab2455703ccb24767b4f2b671c23d19309442e4c980059a8

Download Submit
\??\c:\Windows\System32\CSCDBBB561B5BAF4AEA8E6E8680864BE8B.TMP

Filesize
1KB

MD5
d8db284f657dc7249f8d2e9798f16b87

SHA1
2c9e00cba50091d4239c90f375509c8d58408ec1

SHA256
67e68135a985b6d3a0d63df5c6795567cbc1d5b8f124d65662e463af4da65823

SHA512
4330f819da94bcb38b930d39f016c5989e68a20780b74de751f59b759e46de031244be9186261bb245507e9ca816c1655049575a03e85339b5fc596f5b7cfd39

Download Submit
\fontInto\blockPortComdriverbroker.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
memory/580-133-0x0000000000130000-0x00000000002DC000-memory.dmp

Filesize
1.7MB

Download
memory/788-142-0x0000000000E20000-0x0000000000FCC000-memory.dmp

Filesize
1.7MB

Download
memory/816-177-0x0000000000200000-0x00000000003AC000-memory.dmp

Filesize
1.7MB

Download
memory/1100-115-0x00000000008D0000-0x0000000000A7C000-memory.dmp

Filesize
1.7MB

Download
memory/1572-124-0x0000000000370000-0x000000000051C000-memory.dmp

Filesize
1.7MB

Download
memory/2148-1-0x0000000000BE0000-0x0000000000D54000-memory.dmp

Filesize
1.5MB

Download
memory/2148-4-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2148-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2148-8-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2268-64-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-65-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2348-88-0x0000000000030000-0x00000000001DC000-memory.dmp

Filesize
1.7MB

Download
memory/2412-27-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/2412-25-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/2412-23-0x0000000000380000-0x000000000052C000-memory.dmp

Filesize
1.7MB

Download
memory/2420-97-0x00000000011E0000-0x000000000138C000-memory.dmp

Filesize
1.7MB

Download
memory/2572-168-0x0000000000FA0000-0x000000000114C000-memory.dmp

Filesize
1.7MB

Download
memory/2692-106-0x0000000000170000-0x000000000031C000-memory.dmp

Filesize
1.7MB

Download