zgrat | f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

Analysis

max time kernel
126s
max time network
298s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
13-11-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Size

1.7MB
MD5

8a0c0d8277cb76f54616540f7612ddc1
SHA1

b199e5e7656f2041186baa9df2c08ea05baf663a
SHA256

f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad
SHA512

54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 28 IoCs

resource	yara_rule
behavioral1/memory/2144-0-0x0000000000EE0000-0x00000000010A0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000018ba2-26.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-82.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-81.dat	family_zgrat_v1
behavioral1/memory/1500-83-0x0000000000D50000-0x0000000000F10000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-103.dat	family_zgrat_v1
behavioral1/memory/2324-104-0x00000000000D0000-0x0000000000290000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-125.dat	family_zgrat_v1
behavioral1/memory/2192-126-0x0000000000F90000-0x0000000001150000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-146.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-168.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-189.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-210.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-231.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-253.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-273.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-295.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-316.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-337.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-358.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-376.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-397.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-418.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-438.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-460.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-481.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-502.dat	family_zgrat_v1
behavioral1/files/0x0007000000018b7a-520.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 14 IoCs

pid	Process
1500	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2324	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2192	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2460	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1072	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
664	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2600	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1728	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2332	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2288	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1104	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2064	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2560	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\en-US\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
File created	C:\Program Files\DVD Maker\en-US\2229ad0f8d553f	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
File created	C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
File created	C:\Program Files\Windows Journal\Templates\2229ad0f8d553f	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1092	PING.EXE
1676	PING.EXE
1548	PING.EXE
2928	PING.EXE
1776	PING.EXE
2624	PING.EXE
1680	PING.EXE
2216	PING.EXE
2552	PING.EXE
3004	PING.EXE
2772	PING.EXE
2492	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1500	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2324	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2192	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2460	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	1072	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	664	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2600	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	1728	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2332	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2288	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	1104	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2064	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2560	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2716	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	37
PID 2144 wrote to memory of 2716	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	37
PID 2144 wrote to memory of 2716	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	37
PID 2144 wrote to memory of 2744	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	36
PID 2144 wrote to memory of 2744	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	36
PID 2144 wrote to memory of 2744	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	36
PID 2144 wrote to memory of 2832	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	35
PID 2144 wrote to memory of 2832	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	35
PID 2144 wrote to memory of 2832	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	35
PID 2144 wrote to memory of 2640	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	34
PID 2144 wrote to memory of 2640	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	34
PID 2144 wrote to memory of 2640	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	34
PID 2144 wrote to memory of 2612	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	30
PID 2144 wrote to memory of 2612	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	30
PID 2144 wrote to memory of 2612	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	30
PID 2144 wrote to memory of 2960	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	38
PID 2144 wrote to memory of 2960	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	38
PID 2144 wrote to memory of 2960	2144	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	38
PID 2960 wrote to memory of 328	2960	cmd.exe	39
PID 2960 wrote to memory of 328	2960	cmd.exe	39
PID 2960 wrote to memory of 328	2960	cmd.exe	39
PID 2960 wrote to memory of 2548	2960	cmd.exe	41
PID 2960 wrote to memory of 2548	2960	cmd.exe	41
PID 2960 wrote to memory of 2548	2960	cmd.exe	41
PID 2960 wrote to memory of 1500	2960	cmd.exe	42
PID 2960 wrote to memory of 1500	2960	cmd.exe	42
PID 2960 wrote to memory of 1500	2960	cmd.exe	42
PID 1500 wrote to memory of 2796	1500	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	44
PID 1500 wrote to memory of 2796	1500	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	44
PID 1500 wrote to memory of 2796	1500	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	44
PID 2796 wrote to memory of 2584	2796	cmd.exe	46
PID 2796 wrote to memory of 2584	2796	cmd.exe	46
PID 2796 wrote to memory of 2584	2796	cmd.exe	46
PID 2796 wrote to memory of 2364	2796	cmd.exe	45
PID 2796 wrote to memory of 2364	2796	cmd.exe	45
PID 2796 wrote to memory of 2364	2796	cmd.exe	45
PID 2796 wrote to memory of 2324	2796	cmd.exe	47
PID 2796 wrote to memory of 2324	2796	cmd.exe	47
PID 2796 wrote to memory of 2324	2796	cmd.exe	47
PID 2324 wrote to memory of 2280	2324	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	49
PID 2324 wrote to memory of 2280	2324	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	49
PID 2324 wrote to memory of 2280	2324	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	49
PID 2280 wrote to memory of 1036	2280	cmd.exe	51
PID 2280 wrote to memory of 1036	2280	cmd.exe	51
PID 2280 wrote to memory of 1036	2280	cmd.exe	51
PID 2280 wrote to memory of 2216	2280	cmd.exe	50
PID 2280 wrote to memory of 2216	2280	cmd.exe	50
PID 2280 wrote to memory of 2216	2280	cmd.exe	50
PID 2280 wrote to memory of 2192	2280	cmd.exe	52
PID 2280 wrote to memory of 2192	2280	cmd.exe	52
PID 2280 wrote to memory of 2192	2280	cmd.exe	52
PID 2192 wrote to memory of 936	2192	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	57
PID 2192 wrote to memory of 936	2192	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	57
PID 2192 wrote to memory of 936	2192	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	57
PID 936 wrote to memory of 2288	936	cmd.exe	94
PID 936 wrote to memory of 2288	936	cmd.exe	94
PID 936 wrote to memory of 2288	936	cmd.exe	94
PID 936 wrote to memory of 1092	936	cmd.exe	53
PID 936 wrote to memory of 1092	936	cmd.exe	53
PID 936 wrote to memory of 1092	936	cmd.exe	53
PID 936 wrote to memory of 2460	936	cmd.exe	59
PID 936 wrote to memory of 2460	936	cmd.exe	59
PID 936 wrote to memory of 2460	936	cmd.exe	59
PID 2460 wrote to memory of 2448	2460	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	63

C:\Users\Admin\AppData\Local\Temp\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
"C:\Users\Admin\AppData\Local\Temp\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61boP86JPt.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:328
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2548
- - C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
    "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZCyxGcg3L6.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2364
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2584
    - - C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YTmIkWLiw7.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1036
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxiuQmrpE1.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Usvo58uhQV.bat"
        10⤵
        
        PID:2448
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4RGbRhdNMU.bat"
        12⤵
        
        PID:2492
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FXOGCU6CqD.bat"
        14⤵
        
        PID:1184
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VE2eLfZN7U.bat"
        16⤵
        
        PID:2668
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GPC7CVf0dw.bat"
        18⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1888
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hs9KC1JDp8.bat"
        20⤵
        
        PID:1320
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eDg5wW3gSH.bat"
        22⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1372
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\02VouYs0zf.bat"
        24⤵
        
        PID:1112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1040
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1TWCJOn7dC.bat"
        26⤵
        
        PID:1876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:1548
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J9EkrtYDMp.bat"
        28⤵
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:2492
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y5NT8uJA6y.bat"
        30⤵
        
        PID:2096
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        31⤵
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vLkm7sAXXV.bat"
        32⤵
        
        PID:2760
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        33⤵
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26UXRAQMNZ.bat"
        34⤵
        
        PID:1908
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        35⤵
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWHCtE00Zc.bat"
        36⤵
        
        PID:2836
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        37⤵
        
        PID:1320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\irhJyFUC1s.bat"
        38⤵
        
        PID:2244
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        39⤵
        
        PID:908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u0amT0ExOA.bat"
        40⤵
        
        PID:344
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        41⤵
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9KWG0zl28s.bat"
        42⤵
        
        PID:2980
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        43⤵
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1rZrAbBstq.bat"
        44⤵
        
        PID:1316
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        45⤵
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU00hIhBOb.bat"
        46⤵
        
        PID:1992
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        47⤵
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\47JVZSxDiT.bat"
        48⤵
        
        PID:2156
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        49⤵
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CY6B1XXruX.bat"
        50⤵
        
        PID:2720
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        51⤵
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wf31kVUUl1.bat"
        52⤵
        
        PID:1932
        
        C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
        
        "C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
        53⤵
        
        PID:2336

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1092

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2288

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1720

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1676

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2552

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2504

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3004

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2444

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1368

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2576

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2068

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2344

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2648

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1140

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2928

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2292

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1068

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1776

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2584

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1156

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1468

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:400

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2128

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1592

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1988

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2624

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2680

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:832

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2940

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1436

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2588

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:604

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2500

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1680

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files\Windows Journal\Templates\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Recovery\d10510a2-6fc3-11ee-bc6f-a02387f916ed\Idle.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Users\Admin\AppData\Local\Temp\02VouYs0zf.bat

Filesize
287B

MD5
957a2000f0fdb917ae4bd6ec3213ea0f

SHA1
0e4d5d08590d02b2bb66f77de756046beb6263e2

SHA256
b656606603b6f6a2d25d913bfaca3088f1e375d1d8aa4da7306c95046cc3be49

SHA512
152bce46ee01951a983829f37c765914b91dc926a832252810d3052dd52c0f77b7ec564ee2909fa6219b740752e22abccdc0689488034805149f946ee135dd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1TWCJOn7dC.bat

Filesize
239B

MD5
8bd01560842721a09c5fde5c4f5850f9

SHA1
fa7c30005478509ea1f2887f017e6c71ae061d82

SHA256
376a2aa83695da6ea8d613669e38b63ac7d7ffed6fdd2e6c64798662ae1e2a21

SHA512
8d7f74c4b909775117a18c87faf3c738780898d77c77e578c5893d6f09d5814cd07fd4772bd3c86d822fce2586410ba0f53a22a728daf7747b1e980e4711149b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rZrAbBstq.bat

Filesize
239B

MD5
f2428a16b1c7f7a698f7f1816bc11ad5

SHA1
9a99a52dc880954ce54548074efd39d246b381db

SHA256
1ae80230232a6eb6c7cdb3a24bf28b1032fe388e817a62a9b890cb831de299aa

SHA512
c73f5090c6660cfc64bf0d76c53258ff3a5990306521af78253e53547507f95d0dcf021fe482f618bcc73482b1ee728a0d8c23bb72c98a439b37834d3619aecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\26UXRAQMNZ.bat

Filesize
287B

MD5
ee18099f612f7e179854a413b641dac5

SHA1
a6a0fd24704ab48cf60d3a5c69201f9363f6ce28

SHA256
61d924bc7804edb5f839d83451ce93dbc1a7fb1c4e5f32a0f72e7d536392821a

SHA512
557358c4faeccd849dc17af73ca2ecc354cb01d65447ff91f82bd451a371c1def103c335096f72678fa7ce4ef1ce2ab36884cfaffab31c69712e8c29e9dc0d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\4RGbRhdNMU.bat

Filesize
239B

MD5
521c0e1a199fc696ed70de7ecf42f28f

SHA1
5bdf5ed9ebad89c9b75d642bf6d52c0c26705af4

SHA256
9ae60c548f2f7c036f61bbdbf271c3fc9861d700efc2cf3c40fc36a104b61f2c

SHA512
f7e2dfdca0190d36ca3a6413e17ef3a020947bb307d20c82c174848f4882f86db08a735ee4504009612acb5b1d0413d9e72178f9e8a239a6138619000e3f6512

Download Submit
C:\Users\Admin\AppData\Local\Temp\61boP86JPt.bat

Filesize
287B

MD5
16e9d4426151009dfa0ddaefb824f2d2

SHA1
24c91ffc81addde414109e03338941a2993731a4

SHA256
46e9adab1605a05f1e10e27fb43353edc95ed0a69a55b9635ef6ab664cb405c0

SHA512
e92d3b63731ee50499454541635ab8c2ac2e2e8bf8b40b84de2e6f7dbd1a30a8d33d0837008da3887be16cbcb53f7457e2d6a5b031733e1773ca6e44b9976e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\9KWG0zl28s.bat

Filesize
287B

MD5
e86d916097bbe20bc1e33da7851d1663

SHA1
d2e1129b7c16f52e758e1e52aaf1e246c0a1f7df

SHA256
8df60765f0d6989636de45335e7974dfa50c6d4dc6127120fed2f830c01f705c

SHA512
d112b59b6740c68ff8a3bb6040a0cbeecf3959d750aad9388a85facc78780d06f47258cff003c2afd2991fd072114e1439c0a196f06513b73745384fb935c9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWHCtE00Zc.bat

Filesize
239B

MD5
0fc7a9a3725d6b208240121930a3d7d1

SHA1
35923db1f68f421798f3ee1df343c9d7037959a3

SHA256
808f4274936113434a334705ac0c29982a6229c98e961b8c4287d6d7f61e5460

SHA512
21321ff64cddb7e34565ca955b4af113dbb3808c003790c724937198b67304f9ed1f33ff6576cb3608ebe0b373fa1f6161cabefe7f1ad478533d89370774c90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXOGCU6CqD.bat

Filesize
239B

MD5
89562b200a675127fac5c3e7ec7966be

SHA1
9d7adac29be1a141a3c91c50ad7e31e9383dc68b

SHA256
f58c6cacbc548d7702e47df0fed924436b1f88b5bac710cf1586d09b2897428c

SHA512
928e29a6b0fa060150138e69313bb2b370f7915e23b5ce32edd85df8e55c4bb110aa57625a7f22c16d41a3644e6a178557e8ee88545e11274e40445750e8e97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPC7CVf0dw.bat

Filesize
287B

MD5
071db0b02c642225c4089ad5a521d052

SHA1
193314f053773447ad1633b6e705f9d4eda8f42c

SHA256
37741ee6dcb7efc5fe8532d2d5e00bf49fc54beba49ab8baba3f2eebf4e18191

SHA512
f50fe6782f0079970d252bee45152e378fb6e629cf1444ab91decf0e359eb43ab749c96101e670c188a107719526075d4fea1bd20a4b92e697507918f3e60cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hs9KC1JDp8.bat

Filesize
287B

MD5
27e3343dc0d1010441cd2e45131e82f3

SHA1
f819f9c0d318107796107712e485eaf40a0048ac

SHA256
420a0319f44f933ba44f07028311c0e0b05e4d5bce81beeecb49e58e60c51540

SHA512
1470d44f907ccf3075de2a5d338f18e51212ec8e96622d491341c5a36f343ad27417e366cb5d019a66cee8444508af5f3834e032b57e9737e87c76633298de96

Download Submit
C:\Users\Admin\AppData\Local\Temp\J9EkrtYDMp.bat

Filesize
239B

MD5
ef362f4c4e12b53e8cad90abd97f7770

SHA1
c128d8bb223c1116c8837fd22a022a27fcaf1be4

SHA256
8c82d30b2d2fd26a24f556f6ddaef34cf64285f27d70b2b1b1f1769d2cd99008

SHA512
92e6cc1d1ea9cf4b0b99fd148a33a202c964b851fa4ee1aaf78ae49f25444ff2e06a477dc84256eec749e4a3016db903195e72f8de97f4f36dfc19d0ae626396

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU00hIhBOb.bat

Filesize
287B

MD5
b23ced33513cc2eb1f26f73fac18edd3

SHA1
f5de7ab0b5ebb669d30092bfb5715f28ff486974

SHA256
e314a3efd24b5f869170d2eda4588d24cd2cab59924fbdc925d1073c93b8dc50

SHA512
9d76e58e05158c77afea10a46603eaea40eca91e4cc9d868e2b290840301151f16e9cd850b3c4204c2a2d8bab7ee5dd7085aca07cdb8406f19dd8b302a427d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usvo58uhQV.bat

Filesize
239B

MD5
64a1ea958e017b16067122d3378bf540

SHA1
4ca1c7a23ce2c91abd794cd40fa5b026c5b3d386

SHA256
e29f53de82275f911edc4460c03a5ed1987b2f243b712d8e6cddc03676cb5c75

SHA512
84e9396e2db8889a484d0006447cd661826a5a0b148f9f485ee8ad8dcb22a44c5095571462e43306cf4a584408eb44ddd6d4070274a0bc9915a2be6fcc85537c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VE2eLfZN7U.bat

Filesize
287B

MD5
9bc7a51656156e6c29f7f884aa566177

SHA1
b4a952a38f097912fe46e94370638bc370f3419d

SHA256
ece8069e0ac9766d5986a540167cce6bbf3ce4bead97fc2aeeceea6e83ddaf4a

SHA512
5147a57cd64dc18c9f1fbe1e3628305753a4fa36b693f419c1437eb58f3442f1d36cfba9a01d7d51b28c00fd17ccc82b38648209fa8d9510b2830fcdba603e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTmIkWLiw7.bat

Filesize
239B

MD5
1eb248d3ed87b84cf50bd8385af9d154

SHA1
92725bbbd3c94cfd2470b22fc9bc7f3ca494569a

SHA256
0bc7dca2a2249bbbe15e46d94bd9d5e008e1fa94d65067d46f99caf24aa3ad33

SHA512
8f07f13e09b9152ecfc4f6409dbec9cd9041409da6f14806aa725f551ac7903fffa6e190336b28b6b69bb5d50b00fdf7c172e5739cedffc243811cb7e8f71f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCyxGcg3L6.bat

Filesize
287B

MD5
85dea99afa2ed0ba46f5396e3f740b1e

SHA1
0a424867ace912a79174058c03e944a9a5ca4f13

SHA256
036371e905a15c9b85cc72035675c6b840accab0f646f95a2ce93e687198124a

SHA512
024412f738e2852de801d6f3bb766d4262c522bb42a23c875e5f74ff2841d73447b97db67246855d0edfef9faf7616ffdc2e879eb5aa2ca3f4e23f307e33fa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\eDg5wW3gSH.bat

Filesize
239B

MD5
c60f9eb40ed5466bbd96c22dbcdfd7a6

SHA1
f137055351ac8cee519478acaea0991d1862a791

SHA256
748e27dbb71af1d3a620086d01b12edbf077e5e26835d7e4e47b6ff36aca5509

SHA512
12177322d74046c1fe5268ff500092cd2ad23150cf89b0b946a118f1e03ea30b4e3dd48f70102480060287b2fd2bfa3c38483c91108af6cfcc2d7261e92438e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\irhJyFUC1s.bat

Filesize
287B

MD5
6cd5aff9fa6e9278ca91d9e6c47ccf74

SHA1
7b7088c4f94c678aea77bd1bfd56e3b1e580ee95

SHA256
fb070a6409bef0df9856fb6f823249397e14abd95088d91fba118de2971f0b43

SHA512
ec53e150da55c658b332c4cb9cbad3cea3c1249f494088d378f13cfab24d37721836b8616fecc0fd4e52c819f4e81f55a3a0034404b48b6a58498368c3b07f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxiuQmrpE1.bat

Filesize
239B

MD5
2929e5832f42d17fb8c609088adccc9d

SHA1
06bf1fcab9f22d4a8c5448bc433ece494b93f338

SHA256
d1a47200ed85ea3519f97e459d024b6128304a6c11d174b48daee319f61367b0

SHA512
00196567fa8570fa934855d6dfc933e4461450e55a8ed276015ed182aa1ce96800f1564a1a2824728c03ec76c8ff33089d2cdb1724dd0d665ef1bdaf5b3eabc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0amT0ExOA.bat

Filesize
287B

MD5
ed9d7f39ad9295b683d3c500fe6004de

SHA1
67f353eb55727863c8304be6ec67abfa32fcc219

SHA256
b5ec1ca74498dce899897298857e212b2c5aa795d90c0ce38b18e4afb5e89eec

SHA512
02875586166e6e47e0cac41d703cf5207a1fb8924b184e270d26eab65b110da37855b9c51565fbab4fdfc866358914e8d23448e26963d00420d12bf7d5d5527f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vLkm7sAXXV.bat

Filesize
239B

MD5
54c9e009eb4859332e477e92e4eadc95

SHA1
d0faaa095e56db7c9f70478756c417134b9d5c60

SHA256
b1a984894f74c08b31693c7d6bb745b5928b905c02767a3c6e249eda14844ca3

SHA512
a328b468677fdcc2b117f005a298faa3e37b89bec5e8baac3ae82e775340439e4c0c3f936f723bae2b0b636aa4a0dadd673ff6a2960990bfbfc97ed9dde8ca18

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5NT8uJA6y.bat

Filesize
287B

MD5
e2693293801941defcbf7531c29601a3

SHA1
86843f706db6588f3d7d2079fc28c6f493762ae8

SHA256
71ab0ec22043d4ff497ce293fee3e287561779637e5bd89ab89c434c7d075d20

SHA512
adf2fbfe2c269a00bbfb184d0612efd738eb69459feb249355741f88b8e42ba16785bc0e9e993d55a0e49c637c3fe5d21e7969a4b3c83cca4596f3af0e4b3080

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1bdab0dcf803fc675b1ede4835dad7d5

SHA1
89900f32aa09758cdc2ab1ac7e831a88f843555b

SHA256
922554ea861e77fce8f5328853f8a659c7ae439c863c628dc6073fdc0e398e4e

SHA512
123e8302a53b78a8fa95fdb83f3c860aa4442782eabd0c2f06a05cacc3db98bc6ca828bc4a912910ab41b525b7c43c0edc50510b3de9b60582d3c75d5392442f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1bdab0dcf803fc675b1ede4835dad7d5

SHA1
89900f32aa09758cdc2ab1ac7e831a88f843555b

SHA256
922554ea861e77fce8f5328853f8a659c7ae439c863c628dc6073fdc0e398e4e

SHA512
123e8302a53b78a8fa95fdb83f3c860aa4442782eabd0c2f06a05cacc3db98bc6ca828bc4a912910ab41b525b7c43c0edc50510b3de9b60582d3c75d5392442f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1bdab0dcf803fc675b1ede4835dad7d5

SHA1
89900f32aa09758cdc2ab1ac7e831a88f843555b

SHA256
922554ea861e77fce8f5328853f8a659c7ae439c863c628dc6073fdc0e398e4e

SHA512
123e8302a53b78a8fa95fdb83f3c860aa4442782eabd0c2f06a05cacc3db98bc6ca828bc4a912910ab41b525b7c43c0edc50510b3de9b60582d3c75d5392442f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1bdab0dcf803fc675b1ede4835dad7d5

SHA1
89900f32aa09758cdc2ab1ac7e831a88f843555b

SHA256
922554ea861e77fce8f5328853f8a659c7ae439c863c628dc6073fdc0e398e4e

SHA512
123e8302a53b78a8fa95fdb83f3c860aa4442782eabd0c2f06a05cacc3db98bc6ca828bc4a912910ab41b525b7c43c0edc50510b3de9b60582d3c75d5392442f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ICUO9VER5KMP4ZQWBSJN.temp

Filesize
7KB

MD5
1bdab0dcf803fc675b1ede4835dad7d5

SHA1
89900f32aa09758cdc2ab1ac7e831a88f843555b

SHA256
922554ea861e77fce8f5328853f8a659c7ae439c863c628dc6073fdc0e398e4e

SHA512
123e8302a53b78a8fa95fdb83f3c860aa4442782eabd0c2f06a05cacc3db98bc6ca828bc4a912910ab41b525b7c43c0edc50510b3de9b60582d3c75d5392442f

Download Submit
memory/1500-83-0x0000000000D50000-0x0000000000F10000-memory.dmp

Filesize
1.8MB

Download
memory/1500-88-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/1500-84-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1500-102-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1500-92-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/1500-85-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/1500-96-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/1500-93-0x00000000771D0000-0x00000000771D1000-memory.dmp

Filesize
4KB

Download
memory/1500-86-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1500-87-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/1500-89-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/2144-6-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/2144-4-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2144-11-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2144-1-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-0-0x0000000000EE0000-0x00000000010A0000-memory.dmp

Filesize
1.8MB

Download
memory/2144-2-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2144-3-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2144-14-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2144-8-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2144-12-0x00000000771D0000-0x00000000771D1000-memory.dmp

Filesize
4KB

Download
memory/2144-17-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/2144-51-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-5-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/2144-9-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/2144-16-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2192-127-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-129-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2192-128-0x000000001B640000-0x000000001B6C0000-memory.dmp

Filesize
512KB

Download
memory/2192-126-0x0000000000F90000-0x0000000001150000-memory.dmp

Filesize
1.8MB

Download
memory/2324-106-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/2324-109-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/2324-112-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/2324-118-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/2324-116-0x00000000771D0000-0x00000000771D1000-memory.dmp

Filesize
4KB

Download
memory/2324-114-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/2324-110-0x000000001B510000-0x000000001B590000-memory.dmp

Filesize
512KB

Download
memory/2324-124-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-104-0x00000000000D0000-0x0000000000290000-memory.dmp

Filesize
1.8MB

Download
memory/2324-105-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2324-107-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2612-71-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2612-65-0x000007FEEF100000-0x000007FEEFA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-72-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2612-76-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2612-66-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2640-68-0x000007FEEF100000-0x000007FEEFA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2640-74-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2640-78-0x000000000288B000-0x00000000028F2000-memory.dmp

Filesize
412KB

Download
memory/2716-80-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2716-77-0x000007FEEF100000-0x000007FEEFA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-79-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2716-75-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2716-60-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2744-59-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2744-58-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2744-73-0x000000000254B000-0x00000000025B2000-memory.dmp

Filesize
412KB

Download
memory/2744-69-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2744-61-0x000007FEEF100000-0x000007FEEFA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2744-63-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2744-62-0x000007FEEF100000-0x000007FEEFA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-70-0x0000000002A1B000-0x0000000002A82000-memory.dmp

Filesize
412KB

Download
memory/2832-64-0x000007FEEF100000-0x000007FEEFA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-67-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download