zgrat | 8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe
Size

1.4MB
MD5

61f11bde1f33ddb5b4c398d4cc8b1c7c
SHA1

614eaeab2931cc5b18f4d09afdf18fa95948ed90
SHA256

8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159
SHA512

a2c33d12d345987be7cb2f53d321e738dd7b2b85672f674c317405313be4b3f13bfa99e9a0cda37b59563734871f299db33964a4576ee2a6e23e0dbdc7fab708
SSDEEP

24576:mj/Vhz2r7o+CE7cBOlZqevIhEvQQdFZUQpCqoIpO8TI76ze7lyJD5xKeVwGvn:q/Pz2rkzEYBOGGIsdFZUQpbVTIiEqD5Z

Score

10^/10

zgrat evasion execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 12 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015f7a-6.dat	family_zgrat_v1
behavioral1/files/0x000a000000016be2-19.dat	family_zgrat_v1
behavioral1/memory/1940-23-0x0000000001020000-0x00000000011CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2668-89-0x00000000001B0000-0x000000000035C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2172-98-0x0000000000BC0000-0x0000000000D6C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1552-107-0x0000000001320000-0x00000000014CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/240-116-0x0000000001390000-0x000000000153C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1200-125-0x00000000000C0000-0x000000000026C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1924-135-0x0000000000970000-0x0000000000B1C000-memory.dmp	family_zgrat_v1
behavioral1/memory/652-144-0x0000000000C00000-0x0000000000DAC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2788-162-0x0000000001330000-0x00000000014DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2836-179-0x0000000000190000-0x000000000033C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontInto\\cmd.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontInto\\cmd.exe\", \"C:\\fontInto\\wininit.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontInto\\cmd.exe\", \"C:\\fontInto\\wininit.exe\", \"C:\\fontInto\\lsm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontInto\\cmd.exe\", \"C:\\fontInto\\wininit.exe\", \"C:\\fontInto\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontInto\\cmd.exe\", \"C:\\fontInto\\wininit.exe\", \"C:\\fontInto\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\fontInto\\cmd.exe\", \"C:\\fontInto\\wininit.exe\", \"C:\\fontInto\\lsm.exe\", \"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\System.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\", \"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	3040	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1076	powershell.exe
1820	powershell.exe
668	powershell.exe
852	powershell.exe
1044	powershell.exe
1528	powershell.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 13 IoCs

pid	Process
2068	1.exe
1940	blockPortComdriverbroker.exe
2668	System.exe
2172	System.exe
1552	System.exe
240	System.exe
1200	System.exe
1924	System.exe
652	System.exe
1628	System.exe
2788	System.exe
1904	System.exe
2836	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	cmd.exe
2684	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Microsoft Synchronization Services\\ADO.NET\\v1.0\\System.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\wininit.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\fontInto\\cmd.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\fontInto\\cmd.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\fontInto\\wininit.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\fontInto\\wininit.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\fontInto\\lsm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\fontInto\\lsm.exe\""	blockPortComdriverbroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\blockPortComdriverbroker = "\"C:\\fontInto\\blockPortComdriverbroker.exe\""	blockPortComdriverbroker.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC32F0814EACB8467E9E324837F28646.TMP	csc.exe
File created	\??\c:\Windows\System32\slsogk.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe	blockPortComdriverbroker.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\27d1bcfc3c54e0	blockPortComdriverbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3060	schtasks.exe
716	schtasks.exe
2568	schtasks.exe
2824	schtasks.exe
2456	schtasks.exe
956	schtasks.exe
1584	schtasks.exe
1216	schtasks.exe
572	schtasks.exe
472	schtasks.exe
1916	schtasks.exe
3004	schtasks.exe
2916	schtasks.exe
968	schtasks.exe
3068	schtasks.exe
1708	schtasks.exe
1796	schtasks.exe
608	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2580	reg.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
1436	PING.EXE
2028	PING.EXE
2676	PING.EXE
2876	PING.EXE
904	PING.EXE
2772	PING.EXE
2740	PING.EXE
2384	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
1940	blockPortComdriverbroker.exe
668	powershell.exe
1044	powershell.exe
1820	powershell.exe
1076	powershell.exe
852	powershell.exe
1528	powershell.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe
2668	System.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	blockPortComdriverbroker.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2668	System.exe
Token: SeDebugPrivilege	2172	System.exe
Token: SeDebugPrivilege	1552	System.exe
Token: SeDebugPrivilege	240	System.exe
Token: SeDebugPrivilege	1200	System.exe
Token: SeDebugPrivilege	1924	System.exe
Token: SeDebugPrivilege	652	System.exe
Token: SeDebugPrivilege	1628	System.exe
Token: SeDebugPrivilege	2788	System.exe
Token: SeDebugPrivilege	1904	System.exe
Token: SeDebugPrivilege	2836	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2068	2104	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 2104 wrote to memory of 2068	2104	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 2104 wrote to memory of 2068	2104	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 2104 wrote to memory of 2068	2104	8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe	28
PID 2068 wrote to memory of 2688	2068	1.exe	29
PID 2068 wrote to memory of 2688	2068	1.exe	29
PID 2068 wrote to memory of 2688	2068	1.exe	29
PID 2068 wrote to memory of 2688	2068	1.exe	29
PID 2688 wrote to memory of 2684	2688	WScript.exe	30
PID 2688 wrote to memory of 2684	2688	WScript.exe	30
PID 2688 wrote to memory of 2684	2688	WScript.exe	30
PID 2688 wrote to memory of 2684	2688	WScript.exe	30
PID 2684 wrote to memory of 2580	2684	cmd.exe	32
PID 2684 wrote to memory of 2580	2684	cmd.exe	32
PID 2684 wrote to memory of 2580	2684	cmd.exe	32
PID 2684 wrote to memory of 2580	2684	cmd.exe	32
PID 2684 wrote to memory of 1940	2684	cmd.exe	33
PID 2684 wrote to memory of 1940	2684	cmd.exe	33
PID 2684 wrote to memory of 1940	2684	cmd.exe	33
PID 2684 wrote to memory of 1940	2684	cmd.exe	33
PID 1940 wrote to memory of 2736	1940	blockPortComdriverbroker.exe	38
PID 1940 wrote to memory of 2736	1940	blockPortComdriverbroker.exe	38
PID 1940 wrote to memory of 2736	1940	blockPortComdriverbroker.exe	38
PID 2736 wrote to memory of 2808	2736	csc.exe	40
PID 2736 wrote to memory of 2808	2736	csc.exe	40
PID 2736 wrote to memory of 2808	2736	csc.exe	40
PID 1940 wrote to memory of 668	1940	blockPortComdriverbroker.exe	56
PID 1940 wrote to memory of 668	1940	blockPortComdriverbroker.exe	56
PID 1940 wrote to memory of 668	1940	blockPortComdriverbroker.exe	56
PID 1940 wrote to memory of 1820	1940	blockPortComdriverbroker.exe	57
PID 1940 wrote to memory of 1820	1940	blockPortComdriverbroker.exe	57
PID 1940 wrote to memory of 1820	1940	blockPortComdriverbroker.exe	57
PID 1940 wrote to memory of 1076	1940	blockPortComdriverbroker.exe	58
PID 1940 wrote to memory of 1076	1940	blockPortComdriverbroker.exe	58
PID 1940 wrote to memory of 1076	1940	blockPortComdriverbroker.exe	58
PID 1940 wrote to memory of 852	1940	blockPortComdriverbroker.exe	60
PID 1940 wrote to memory of 852	1940	blockPortComdriverbroker.exe	60
PID 1940 wrote to memory of 852	1940	blockPortComdriverbroker.exe	60
PID 1940 wrote to memory of 1044	1940	blockPortComdriverbroker.exe	61
PID 1940 wrote to memory of 1044	1940	blockPortComdriverbroker.exe	61
PID 1940 wrote to memory of 1044	1940	blockPortComdriverbroker.exe	61
PID 1940 wrote to memory of 1528	1940	blockPortComdriverbroker.exe	63
PID 1940 wrote to memory of 1528	1940	blockPortComdriverbroker.exe	63
PID 1940 wrote to memory of 1528	1940	blockPortComdriverbroker.exe	63
PID 1940 wrote to memory of 1168	1940	blockPortComdriverbroker.exe	68
PID 1940 wrote to memory of 1168	1940	blockPortComdriverbroker.exe	68
PID 1940 wrote to memory of 1168	1940	blockPortComdriverbroker.exe	68
PID 1168 wrote to memory of 2096	1168	cmd.exe	70
PID 1168 wrote to memory of 2096	1168	cmd.exe	70
PID 1168 wrote to memory of 2096	1168	cmd.exe	70
PID 1168 wrote to memory of 904	1168	cmd.exe	71
PID 1168 wrote to memory of 904	1168	cmd.exe	71
PID 1168 wrote to memory of 904	1168	cmd.exe	71
PID 1168 wrote to memory of 2668	1168	cmd.exe	72
PID 1168 wrote to memory of 2668	1168	cmd.exe	72
PID 1168 wrote to memory of 2668	1168	cmd.exe	72
PID 2668 wrote to memory of 1420	2668	System.exe	73
PID 2668 wrote to memory of 1420	2668	System.exe	73
PID 2668 wrote to memory of 1420	2668	System.exe	73
PID 1420 wrote to memory of 2784	1420	cmd.exe	75
PID 1420 wrote to memory of 2784	1420	cmd.exe	75
PID 1420 wrote to memory of 2784	1420	cmd.exe	75
PID 1420 wrote to memory of 2772	1420	cmd.exe	76
PID 1420 wrote to memory of 2772	1420	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe
"C:\Users\Admin\AppData\Local\Temp\8edf194ebe43881996616dc08ce1c828a59b51d312715b43e155af0e59484159.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\fontInto\soby05K3uOljM.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2580
    - - C:\fontInto\blockPortComdriverbroker.exe
        
        "C:\fontInto/blockPortComdriverbroker.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ckscquzc\ckscquzc.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73B9.tmp" "c:\Windows\System32\CSC32F0814EACB8467E9E324837F28646.TMP"
        7⤵
        
        PID:2808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\lsm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\fontInto\blockPortComdriverbroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V0qDImcDXU.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:904
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o3IeSgqMHP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2772
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XA2Giq7lse.bat"
        10⤵
        
        PID:2644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vBpF9HAQp1.bat"
        12⤵
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat"
        14⤵
        
        PID:796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat"
        16⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1204
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat"
        18⤵
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1436
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat"
        20⤵
        
        PID:2280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2028
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3cBJ2i3CCl.bat"
        22⤵
        
        PID:2972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2676
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat"
        24⤵
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2964
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mCHKcGl2nx.bat"
        26⤵
        
        PID:2988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:2876
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\fontInto\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\fontInto\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\fontInto\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\fontInto\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\fontInto\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\fontInto\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\fontInto\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\fontInto\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\fontInto\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 12 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbroker" /sc ONLOGON /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "blockPortComdriverbrokerb" /sc MINUTE /mo 10 /tr "'C:\fontInto\blockPortComdriverbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
2.0MB

MD5
e7197369aa79213cb20f49e31a6d0ff9

SHA1
c841bbcd0ce335b4cc10cff1c354be238b3c9338

SHA256
9e4af984c4b935ed29a62c1bf93672f5937f75324781bd266fed6d7d0d238620

SHA512
5ecaf7034e16249b7239c720588f40f673f49c247f2cb329bfe83fefae7d00b2c658e721e5ddc8d3d9d3ab5a039c36ac47d6279de3b36398b297435c918b402c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1LArpmQ7xZ.bat

Filesize
209B

MD5
e266a7b871f6b83b89753bb1c2ddde59

SHA1
cd50d9c01ef0183b52b5d5f5915be84a2adf6359

SHA256
1d492c58b835ecbf944eb5f50bcc0280b71448693ce6a0c8e65cd47bd32ed6ce

SHA512
c22bb8734ffbe2aa72aa2573c67b4a4cf6fa12ccc5d9bc5bcf3767d3681d6ecf8713dd1fdb600c67297e9782d5437738f85565d27a39b8fac615b1878b51e3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cBJ2i3CCl.bat

Filesize
209B

MD5
95a7f488915918b9394e69455bb00e9d

SHA1
d79fc1d8c56faccba5b60371a46d9b01b6f4842f

SHA256
b48f857644c95a58dd11404661a3b0dc80721bd2c593b32eb1cddc3d56bb966c

SHA512
0016dbfb5297f3192cf1e6c2d6043cecd4fe5e50a517283f36b1bcf4f20bf0987c80ca97b1e1a9178d1563c6b63f70e19b7556803c0fcec03bfc0fac45d9c847

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBcEZiC4nP.bat

Filesize
257B

MD5
ac0675440ed7539c6ca132d5fc73f7ac

SHA1
dcd67f7397a00b834eca3857a328bdc1b58a2d19

SHA256
84666cd725b98acaaf3458c6ab1903bcf5e2b1e41141de5010af1686a5bf05b0

SHA512
a8048cad2c75632c29453649c93aafb85da7d5f9c85d5c9983bb87cf24e279283866225a1e6a3bb81784aae7afc61b2a45bf6a71b5d72467b5caea576afe9c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES73B9.tmp

Filesize
1KB

MD5
041a2b4a5c01ac87bda45ce894af0895

SHA1
9bc629fb5cce6e43dff5b889351ad6cfc8b986ba

SHA256
67638fd17751ba297f9d80ffc330c16f967bd8fe0589a0b6f9a2f78c6c66bce0

SHA512
395e1c34eaf075c0d4b4d9000853d36333f4b06939e8609b68ed01bc92f5675e578e483579fe43685df02f7d993723191d8d7239579f2a77833574e02f33c406

Download Submit
C:\Users\Admin\AppData\Local\Temp\V0qDImcDXU.bat

Filesize
209B

MD5
b583241121b032d8533d6f626bb97eac

SHA1
aa3bffad32f29ec4736ec61cf201b0df841892a4

SHA256
0065774ff20a9fa8b59f987500ed6dfb2b8d081cd975ac17be5463cd4eb74bd4

SHA512
e4155849d97e3dd355b210dec851d3d47cd08e6536f0ac5928e988e1ba7a6bd0d6bb6b63686485e14fea51bcca9305351ce30e6807390d73a70cb08f86745aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XA2Giq7lse.bat

Filesize
209B

MD5
2961cb6e8cda6bc7972951d0690fddef

SHA1
9c006c5da392999e70eb47f7d6ddaa3fe8d87376

SHA256
e5d3fdbe529e0cd3f78dd75bd058180bc5d7d4f5c7674749530f803e84686b74

SHA512
dafa3a72804842520edfd0e1559fe6cf3ebed16a611ecbaa4728f74b461ce1a04727a5973256e123d7ae6aeb0c010d8e08ae02d73f17ab03a794da4aa085a045

Download Submit
C:\Users\Admin\AppData\Local\Temp\mCHKcGl2nx.bat

Filesize
209B

MD5
091272b047e5217be016bea04e0c34c8

SHA1
78f2ff2b766ad4479c9900c2f79d66e91b446bcc

SHA256
cd001d283185f74be2356c4633389a5fce95d56b5d1932abf597948d547ecce9

SHA512
de595f1c3964c3c31f71e4d40ed09aea0af40a8d7ab5095b74d325ccdb87ec5fb99f2efc2699205f606498186c70cffcc5d9415d49edb0c39664062817831438

Download Submit
C:\Users\Admin\AppData\Local\Temp\o3IeSgqMHP.bat

Filesize
209B

MD5
fdfc17634be3aaff64125289ac596ae5

SHA1
1f5add7a8bf0e0deec284b22e466192fde0a34df

SHA256
aaa9d393d4d6d2cacbd2181d3f93db86b47c69a63183f7b8d18e2d7e2aed9233

SHA512
0a86d7a84aa6ca1cc27716caa8b731b4f9ec8c0d8d4e25fcfd8353401c4062272b90519c194a1718a86347b69450ff568d9abd5bfde95481b9f0c8ca92d0660c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat

Filesize
257B

MD5
0eb506efab1bd3d2a8f8b32d2378c98c

SHA1
552999e0ed4fdb5ce559a598e2af4d10cf2b503b

SHA256
fe2d51c06ef3fe079641c4a039255be176209ba986163eea48aa4e5250ab8477

SHA512
293fb7974573c9797aedc7f9a4d58d154d91b2ebb57abf6a70a65ea0882e1ecaee697134e6fe2a7fe2cfeca3de05eb7ff5c612b8cd67aeb73111f8b53456dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat

Filesize
209B

MD5
5e3afe1be543e2c845e927f3e4e026ff

SHA1
7bd72c499524b2284f82d8f23aa1a9ee109c8cef

SHA256
c760ad8f87df5874b5b27df79f2ee307289819c0a00a630edb9af9b511a4e5f6

SHA512
4a6ec5ca38f4f5d6f1b67eb873ddb46f08ae2755804b88f92e5986ef548fd28476cdb30a80eecb524a1aa089c41f24e1b1eccdac6047d7451a38dc1d967b6af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vBpF9HAQp1.bat

Filesize
209B

MD5
f7fb1a3d1644b56dcb56b62deace64f4

SHA1
5cd5741afbfe8441f83741c930a914f3d2de5db2

SHA256
380639638e410fb9e8991e3d3ffc305e5c7338c07eb993b061b3123e143b24ff

SHA512
a3e2a3a5cf6b69a78db6ec219d4959cd13c515cf695e3be6a11d27ea94478c6491aa105c017e3eae4ff0828b4766c956f923486a42e58871b4ac8c2d1e7cdc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yC86nPihDu.bat

Filesize
257B

MD5
3cecd56ea6033e46c89faeaf80bcfbda

SHA1
454fdeda733793c461d8dd8dfebb8fa508ac5a20

SHA256
9d6a4b27a9725815363e4043868e089b202cb529f4a1f0ec3745120286ea336b

SHA512
5a7278dc90ae43d887a10ca300176d201b7b28fe56f009d8da183d709be77751ce58bcd0377d37336cc06447b55f937c347a3b6510009dc1302dcf04a0f7a325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99377db777493402fd27c5c24236467c

SHA1
a5a9558e76a22d10a3db99e671016562488c3f08

SHA256
ede875fd9739c7207d1ca61c52c85fcf482fbe904d6594130e3f50c1fdee00ba

SHA512
7700033714ef6418e0cd473085c94ec98931aaadd1b3316437e7d19be2184d3ca9c738f76a69583b701ead45b88a9654ebe994b3070475bb22ba03847c4407af

Download Submit
C:\fontInto\Jen6v5fr6DIraPDLAa6o2N0ITfygF4.vbe

Filesize
200B

MD5
acd11feb4451a8f14fd6e2dc71164cf1

SHA1
9b645b0798b101fb04a565d3a1a5cef1155e0800

SHA256
cb0d496499709d17bacc28d5fb00b22e64af093062530c195ff03a69033fd9f0

SHA512
5db057a8957169c9e001c47577fcc8ec4cca145aa595946f31a5eaef71f2438d6f7a4d4758808db0c473b8542fc85801fa91ec2e02c7cfdc84f31c79e02fe72c

Download Submit
C:\fontInto\soby05K3uOljM.bat

Filesize
201B

MD5
ef94f890944f55d5b0719b9fe4578c48

SHA1
3de264c05e7b45bf65c676391d1e112184258f3b

SHA256
6bdf05e8f2ae2dc331d1f47fa7ff2d8da950f44d0e78a5e727c3c2058f7c8350

SHA512
29c9b9532c4b0e7eb7995916da0703637a43fd6afc5bf4eacce7eaf2d6d0ffa47b4e215b1ba305738719cab383edc48fad25f535c7210ff6698309a57c295302

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ckscquzc\ckscquzc.0.cs

Filesize
351B

MD5
c8b2979c03cc7ea558205853c9f02edd

SHA1
802295039aac8b19c19f35037cddce33820fd8de

SHA256
e186f63f1d30d910b23dee3c87929e97b7e190d4a4c6882669e6d171a664d31e

SHA512
b243f7c17535e4f6f1804d8301b0df9093f8f242a17e5bceb9cae58e1332545aef58dc17cd4fb0d4d0a8f1032a1797b8a6128255eac2bd90923b520d14e256ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ckscquzc\ckscquzc.cmdline

Filesize
235B

MD5
ac0d16decf923758ea17eb76f5ce7e38

SHA1
9f07e37c7bde9ecb955d8c6d948e45a6f89163e4

SHA256
1ad3dedbf1d484bf397be6ce49cc4caa70bfc29fa786bdbc632b05077a1cf17d

SHA512
ea314e15e17610a4fefe0642498f0102ff8cec4c9c94e86dc05a66981377fd1e4a92c9b628b85acd258f8d79a439f20e60d1f4ebc0e0cecc212a97c18ce7d25f

Download Submit
\??\c:\Windows\System32\CSC32F0814EACB8467E9E324837F28646.TMP

Filesize
1KB

MD5
3fcb2bd8a227751c0367dff5940613bb

SHA1
bcca174ab4499de5713d836fbc368966aa1f5b2c

SHA256
aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c

SHA512
c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672

Download Submit
\fontInto\blockPortComdriverbroker.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
memory/240-116-0x0000000001390000-0x000000000153C000-memory.dmp

Filesize
1.7MB

Download
memory/652-144-0x0000000000C00000-0x0000000000DAC000-memory.dmp

Filesize
1.7MB

Download
memory/668-75-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/668-74-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1200-125-0x00000000000C0000-0x000000000026C000-memory.dmp

Filesize
1.7MB

Download
memory/1552-107-0x0000000001320000-0x00000000014CC000-memory.dmp

Filesize
1.7MB

Download
memory/1924-135-0x0000000000970000-0x0000000000B1C000-memory.dmp

Filesize
1.7MB

Download
memory/1940-27-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1940-25-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/1940-23-0x0000000001020000-0x00000000011CC000-memory.dmp

Filesize
1.7MB

Download
memory/2104-7-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2104-0-0x000007FEF5CE3000-0x000007FEF5CE4000-memory.dmp

Filesize
4KB

Download
memory/2104-8-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp

Filesize
9.9MB

Download
memory/2104-1-0x0000000001180000-0x00000000012F4000-memory.dmp

Filesize
1.5MB

Download
memory/2172-98-0x0000000000BC0000-0x0000000000D6C000-memory.dmp

Filesize
1.7MB

Download
memory/2668-89-0x00000000001B0000-0x000000000035C000-memory.dmp

Filesize
1.7MB

Download
memory/2788-162-0x0000000001330000-0x00000000014DC000-memory.dmp

Filesize
1.7MB

Download
memory/2836-179-0x0000000000190000-0x000000000033C000-memory.dmp

Filesize
1.7MB

Download