zgrat | f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

Analysis

max time kernel
115s
max time network
299s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Size

1.7MB
MD5

8a0c0d8277cb76f54616540f7612ddc1
SHA1

b199e5e7656f2041186baa9df2c08ea05baf663a
SHA256

f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad
SHA512

54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 31 IoCs

resource	yara_rule
behavioral2/memory/1172-0-0x0000000000450000-0x0000000000610000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-26.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-293.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-292.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-314.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-336.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-356.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-376.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-397.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-417.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-437.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-457.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-477.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-497.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-517.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-538.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-558.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-579.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-599.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-619.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-639.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-660.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-680.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-700.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-720.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-741.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-761.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-782.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-802.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-822.dat	family_zgrat_v1
behavioral2/files/0x000600000001ac0b-842.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 10 IoCs

pid	Process
2076	InstallAgent.exe
4988	InstallAgent.exe
4252	InstallAgent.exe
876	InstallAgent.exe
4576	InstallAgent.exe
4508	InstallAgent.exe
4524	InstallAgent.exe
5068	InstallAgent.exe
804	InstallAgent.exe
2072	InstallAgent.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\200f98429d280b	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe
Key created	\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings	InstallAgent.exe

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
712	PING.EXE
1568	PING.EXE
3632	PING.EXE
1628	PING.EXE
1820	PING.EXE
1748	PING.EXE
2568	PING.EXE
376	PING.EXE
3020	PING.EXE
1000	PING.EXE
1132	PING.EXE
880	PING.EXE
1916	PING.EXE
2724	PING.EXE
196	PING.EXE
2596	PING.EXE
5080	PING.EXE
4644	PING.EXE
2296	PING.EXE
1272	PING.EXE
4232	PING.EXE
932	PING.EXE
524	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
2336	powershell.exe
2492	powershell.exe
3740	powershell.exe
1140	powershell.exe
3344	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeIncreaseQuotaPrivilege	2492	powershell.exe
Token: SeSecurityPrivilege	2492	powershell.exe
Token: SeTakeOwnershipPrivilege	2492	powershell.exe
Token: SeLoadDriverPrivilege	2492	powershell.exe
Token: SeSystemProfilePrivilege	2492	powershell.exe
Token: SeSystemtimePrivilege	2492	powershell.exe
Token: SeProfSingleProcessPrivilege	2492	powershell.exe
Token: SeIncBasePriorityPrivilege	2492	powershell.exe
Token: SeCreatePagefilePrivilege	2492	powershell.exe
Token: SeBackupPrivilege	2492	powershell.exe
Token: SeRestorePrivilege	2492	powershell.exe
Token: SeShutdownPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeSystemEnvironmentPrivilege	2492	powershell.exe
Token: SeRemoteShutdownPrivilege	2492	powershell.exe
Token: SeUndockPrivilege	2492	powershell.exe
Token: SeManageVolumePrivilege	2492	powershell.exe
Token: 33	2492	powershell.exe
Token: 34	2492	powershell.exe
Token: 35	2492	powershell.exe
Token: 36	2492	powershell.exe
Token: SeIncreaseQuotaPrivilege	3740	powershell.exe
Token: SeSecurityPrivilege	3740	powershell.exe
Token: SeTakeOwnershipPrivilege	3740	powershell.exe
Token: SeLoadDriverPrivilege	3740	powershell.exe
Token: SeSystemProfilePrivilege	3740	powershell.exe
Token: SeSystemtimePrivilege	3740	powershell.exe
Token: SeProfSingleProcessPrivilege	3740	powershell.exe
Token: SeIncBasePriorityPrivilege	3740	powershell.exe
Token: SeCreatePagefilePrivilege	3740	powershell.exe
Token: SeBackupPrivilege	3740	powershell.exe
Token: SeRestorePrivilege	3740	powershell.exe
Token: SeShutdownPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeSystemEnvironmentPrivilege	3740	powershell.exe
Token: SeRemoteShutdownPrivilege	3740	powershell.exe
Token: SeUndockPrivilege	3740	powershell.exe
Token: SeManageVolumePrivilege	3740	powershell.exe
Token: 33	3740	powershell.exe
Token: 34	3740	powershell.exe
Token: 35	3740	powershell.exe
Token: 36	3740	powershell.exe
Token: SeIncreaseQuotaPrivilege	2336	powershell.exe
Token: SeSecurityPrivilege	2336	powershell.exe
Token: SeTakeOwnershipPrivilege	2336	powershell.exe
Token: SeLoadDriverPrivilege	2336	powershell.exe
Token: SeSystemProfilePrivilege	2336	powershell.exe
Token: SeSystemtimePrivilege	2336	powershell.exe
Token: SeProfSingleProcessPrivilege	2336	powershell.exe
Token: SeIncBasePriorityPrivilege	2336	powershell.exe
Token: SeCreatePagefilePrivilege	2336	powershell.exe
Token: SeBackupPrivilege	2336	powershell.exe
Token: SeRestorePrivilege	2336	powershell.exe
Token: SeShutdownPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeSystemEnvironmentPrivilege	2336	powershell.exe
Token: SeRemoteShutdownPrivilege	2336	powershell.exe
Token: SeUndockPrivilege	2336	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 3740	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	81
PID 1172 wrote to memory of 3740	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	81
PID 1172 wrote to memory of 2336	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	80
PID 1172 wrote to memory of 2336	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	80
PID 1172 wrote to memory of 1140	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	79
PID 1172 wrote to memory of 1140	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	79
PID 1172 wrote to memory of 2492	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	74
PID 1172 wrote to memory of 2492	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	74
PID 1172 wrote to memory of 3344	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	73
PID 1172 wrote to memory of 3344	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	73
PID 1172 wrote to memory of 1688	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	76
PID 1172 wrote to memory of 1688	1172	f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe	76
PID 1688 wrote to memory of 376	1688	cmd.exe	91
PID 1688 wrote to memory of 376	1688	cmd.exe	91
PID 1688 wrote to memory of 4644	1688	cmd.exe	83
PID 1688 wrote to memory of 4644	1688	cmd.exe	83
PID 1688 wrote to memory of 2076	1688	cmd.exe	85
PID 1688 wrote to memory of 2076	1688	cmd.exe	85
PID 2076 wrote to memory of 4108	2076	InstallAgent.exe	89
PID 2076 wrote to memory of 4108	2076	InstallAgent.exe	89
PID 4108 wrote to memory of 4120	4108	cmd.exe	86
PID 4108 wrote to memory of 4120	4108	cmd.exe	86
PID 4108 wrote to memory of 2568	4108	cmd.exe	87
PID 4108 wrote to memory of 2568	4108	cmd.exe	87
PID 4108 wrote to memory of 4988	4108	cmd.exe	90
PID 4108 wrote to memory of 4988	4108	cmd.exe	90
PID 4988 wrote to memory of 4640	4988	InstallAgent.exe	94
PID 4988 wrote to memory of 4640	4988	InstallAgent.exe	94
PID 4640 wrote to memory of 3068	4640	cmd.exe	92
PID 4640 wrote to memory of 3068	4640	cmd.exe	92
PID 4640 wrote to memory of 376	4640	cmd.exe	91
PID 4640 wrote to memory of 376	4640	cmd.exe	91
PID 4640 wrote to memory of 4252	4640	cmd.exe	95
PID 4640 wrote to memory of 4252	4640	cmd.exe	95
PID 4252 wrote to memory of 4032	4252	InstallAgent.exe	99
PID 4252 wrote to memory of 4032	4252	InstallAgent.exe	99
PID 4032 wrote to memory of 4280	4032	cmd.exe	98
PID 4032 wrote to memory of 4280	4032	cmd.exe	98
PID 4032 wrote to memory of 3020	4032	cmd.exe	97
PID 4032 wrote to memory of 3020	4032	cmd.exe	97
PID 4032 wrote to memory of 876	4032	cmd.exe	100
PID 4032 wrote to memory of 876	4032	cmd.exe	100
PID 876 wrote to memory of 1924	876	InstallAgent.exe	104
PID 876 wrote to memory of 1924	876	InstallAgent.exe	104
PID 1924 wrote to memory of 3336	1924	cmd.exe	102
PID 1924 wrote to memory of 3336	1924	cmd.exe	102
PID 1924 wrote to memory of 712	1924	cmd.exe	101
PID 1924 wrote to memory of 712	1924	cmd.exe	101
PID 1924 wrote to memory of 4576	1924	cmd.exe	105
PID 1924 wrote to memory of 4576	1924	cmd.exe	105
PID 4576 wrote to memory of 4148	4576	InstallAgent.exe	109
PID 4576 wrote to memory of 4148	4576	InstallAgent.exe	109
PID 4148 wrote to memory of 2528	4148	cmd.exe	108
PID 4148 wrote to memory of 2528	4148	cmd.exe	108
PID 4148 wrote to memory of 1568	4148	cmd.exe	107
PID 4148 wrote to memory of 1568	4148	cmd.exe	107
PID 4148 wrote to memory of 4508	4148	cmd.exe	110
PID 4148 wrote to memory of 4508	4148	cmd.exe	110
PID 4508 wrote to memory of 2940	4508	InstallAgent.exe	114
PID 4508 wrote to memory of 2940	4508	InstallAgent.exe	114
PID 2940 wrote to memory of 4568	2940	cmd.exe	112
PID 2940 wrote to memory of 4568	2940	cmd.exe	112
PID 2940 wrote to memory of 2296	2940	cmd.exe	111
PID 2940 wrote to memory of 2296	2940	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe
"C:\Users\Admin\AppData\Local\Temp\f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ocyBONKacU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:376
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:4644
- - C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
    "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xVZsORhRPb.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4108
    - - C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jCrJd6RmAD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cfpJnj91JY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s8lvSze9bR.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cfpJnj91JY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oAocY3YSOp.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3sOpJujjEl.bat"
        16⤵
        
        PID:4212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4544
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zuRWOxc209.bat"
        18⤵
        
        PID:4172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:4232
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tXcZTVakCz.bat"
        20⤵
        
        PID:2256
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:1000
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        21⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGxgnDDQjz.bat"
        22⤵
        
        PID:2500
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        23⤵
        
        PID:4860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QKAuQiBIVW.bat"
        24⤵
        
        PID:2944
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        25⤵
        
        PID:4580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yhs0sn2L6w.bat"
        26⤵
        
        PID:2504
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        27⤵
        
        PID:2680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QKAuQiBIVW.bat"
        28⤵
        
        PID:392
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        29⤵
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EoBbgPmrRE.bat"
        30⤵
        
        PID:4900
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        31⤵
        
        PID:3316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\howVEGEG8J.bat"
        32⤵
        
        PID:3852
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        33⤵
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hdmdigGiX9.bat"
        34⤵
        
        PID:4988
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        35⤵
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qkq749RcZX.bat"
        36⤵
        
        PID:4804
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        37⤵
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pZgFYZT4yN.bat"
        38⤵
        
        PID:1348
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        39⤵
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z6jdsJyxgU.bat"
        40⤵
        
        PID:4908
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        41⤵
        
        PID:3508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sZYO5BIqkd.bat"
        42⤵
        
        PID:3568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:4840
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        43⤵
        
        PID:612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FE2FgvhS1m.bat"
        44⤵
        
        PID:4140
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        45⤵
        
        PID:3188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v8e4zbUuNh.bat"
        46⤵
        
        PID:320
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        47⤵
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hdmdigGiX9.bat"
        48⤵
        
        PID:2080
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        49⤵
        
        PID:3664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z6jdsJyxgU.bat"
        50⤵
        
        PID:872
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        51⤵
        
        PID:4984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJ33xL03Hm.bat"
        52⤵
        
        PID:4260
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        53⤵
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S8tBRk2Vgc.bat"
        54⤵
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:1472
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        55⤵
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0SKfNvdG8.bat"
        56⤵
        
        PID:3776
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        57⤵
        
        PID:1276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJ33xL03Hm.bat"
        58⤵
        
        PID:5012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        Runs ping.exe
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:2496
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        59⤵
        
        PID:4628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\In8vbLsXfq.bat"
        60⤵
        
        PID:2528
        
        C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe"
        61⤵
        
        PID:3076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m0aad8I0LJ.bat"
        62⤵
        
        PID:4488
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:196
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\ApplicationFrameHost.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4120

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:376

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3068

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3020

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4280

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:712

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3336

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1568

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2528
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1136
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:2360

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2296

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:932

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:668

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5100

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1132

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4248

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3632

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4820

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:64

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4136

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1628

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1820

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5056

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2596

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2100

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4592

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:5080

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2972

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4200

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:880

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3320

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:524

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2928

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1748

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4552

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1916

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4168

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4288

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2144

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3632

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\InstallAgent.exe

Filesize
1.7MB

MD5
8a0c0d8277cb76f54616540f7612ddc1

SHA1
b199e5e7656f2041186baa9df2c08ea05baf663a

SHA256
f4f77e85cad2e8810d1c4f77d331a40dbca4fee7b5b5e30595025c58ad7844ad

SHA512
54efa0623f4f9679b179dbcc84af5befab5d51baa3030c79b5ec4cb4a4aaa271798e9a322fc6e753579236880208624417f4d0faff8fc56ddbaa3fee9dd07605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallAgent.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da620bfaeb6a2ea4d6aec798488fc184

SHA1
03db0dd14013355038f03a05900db8fe3ac6786a

SHA256
a23995266845201abcc9955807fbe2866d1241995f8fc8d01cd70369b0e76f8e

SHA512
f763b1faaad468f679b45b0ddb66ac8a16a4b6000fd8bc2f5e171f86d413b11bb32ddfc19c00bc02c836f5d56661c1e9749e4619440bc81fd596c256fb93e6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bdfaa14d7814b541a77f4e97920dfd6

SHA1
c239720eee47db7f7136bb78e37c539b9e735c4c

SHA256
4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

SHA512
dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0bdfaa14d7814b541a77f4e97920dfd6

SHA1
c239720eee47db7f7136bb78e37c539b9e735c4c

SHA256
4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

SHA512
dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
646f39f031450f67373ea54e7998191e

SHA1
9ee779c15406bea76ceefcf79e45f10b6d953b7f

SHA256
7e30c74dd6570c4ff6d3c1cfb12f8cd741f856c911377ec83b974d90dd8ca56b

SHA512
a6973efcb9af1d6c6db5ae4f0e74e3047fb4b17d2c47a40f5a95b3bdfe15fd494a3538ca04cf1fb221361bef03e6d4449a9d6ffc9ea5240cdf63fc7aed1608c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3sOpJujjEl.bat

Filesize
195B

MD5
101b58cd9a6ae2904791a7d96134ff26

SHA1
3d82d558dcbe6a980d68aae1b0162b8ef4a4bdd8

SHA256
c01c448f9f29e9097f68dc8b344b10f01cfd0c9a8abc41a2f2b4373a3221c4b8

SHA512
3923787911fd250e1ff2b11d848c277f5335c4349e12a257be97e5fcb941e9adecddce9ae88bf7a1ee8ddf3519a83b4600a4166fc7ec28ee63d8367890d73ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0SKfNvdG8.bat

Filesize
243B

MD5
9e1ca1676306b2bdb7aed9d4c4dbfae2

SHA1
50cb13f3be0a688683b93aa26e21b99d9f5f289c

SHA256
2b5cbb6483cbfc890905d847d53130f2114d3c018e75ad1f28be2efedecee907

SHA512
596456ef95538cc02d206fbd512cf0aa81e4e31da4a188e84904e00a5773ca43aac00797d4823b6b5ed644ea41e11d233627347edf75569d2f5047d5c58442c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoBbgPmrRE.bat

Filesize
243B

MD5
04f18ba75abf2a90480843b4f64b4d74

SHA1
3e3c7712b03664486b33911003993f3977adbcee

SHA256
5402f67760283c6b132f6481edbf1e668b7135f6d60384cc5146041b0dcbb4a0

SHA512
2ce00ab07f2bfbed04c92aa26d2ad04645667e01f7eda70852deb3f96708bbc4fb4c3092b73b0083516d9eee63f16bf3c305f81c8d2f72cafa9b445ddda88f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE2FgvhS1m.bat

Filesize
243B

MD5
8f1aad6b45110c97a1d2119d4f1748d8

SHA1
5938a2388a75be1bd4749db58bd0e7732de1196f

SHA256
970bc216201e29a43e03ddd62b1695012abf18905462987a22b7ab43e37951cb

SHA512
af6e4d0a4fb8748ff7871b8124bf1d42f58146c4b0dd5966177a2a8989d8c0c1d4af8533e5bce538a3a52af2407528c2f078429136c96d247ebcafc8c04ced03

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKAuQiBIVW.bat

Filesize
243B

MD5
9eabc50735e93ea4e91948ea8a6d771a

SHA1
3874ef8f183ce4674f0788085f49d61537f460fb

SHA256
45e48a827303df759305658c55f49e5bf7c230b43f93465a50d9bb45412a5082

SHA512
5c7018c7c3d0d756e064a1e5d5295068fd5b5dc59b5495c635dc4abe725ba57ca2e2339a2aa5617442d1528018360617df9a02e2cbd779c1fdd32af8c05fd098

Download Submit
C:\Users\Admin\AppData\Local\Temp\QKAuQiBIVW.bat

Filesize
243B

MD5
9eabc50735e93ea4e91948ea8a6d771a

SHA1
3874ef8f183ce4674f0788085f49d61537f460fb

SHA256
45e48a827303df759305658c55f49e5bf7c230b43f93465a50d9bb45412a5082

SHA512
5c7018c7c3d0d756e064a1e5d5295068fd5b5dc59b5495c635dc4abe725ba57ca2e2339a2aa5617442d1528018360617df9a02e2cbd779c1fdd32af8c05fd098

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8tBRk2Vgc.bat

Filesize
243B

MD5
b7834e261296893e0af68f15c15e483c

SHA1
89fbf7f17648390e231b77b893a5c0933a69d5f7

SHA256
3d01e2b4168903ecfab4de3700b82c0349b122c5fd8062f47d76bd099ee6fbdf

SHA512
8c2b0434cbd78ff8df9e71f76640c627536f05c3df697bf1d9cf6afe529007003ca6ee190a8caed691919dbab0437f5f85725e0b3186c17e56c77473c8006325

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ33xL03Hm.bat

Filesize
195B

MD5
44e40e200cbd5faa18499e81297490d3

SHA1
8f095d9950ce9e31beba94487c19f8176246ec8c

SHA256
9fb1d1d1ebe1f2a8f7830c77bc67f85aa25932ea5ab70e793d3f43e3e43533ed

SHA512
221c317d1a9e6e6187bf3dfc61ebe921ae1da16a2f5647a744fdc459c3c48c8718cb237586a55057f1bf658522d46f9ac66795cfa1fca535e39c0105cf59fb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ33xL03Hm.bat

Filesize
195B

MD5
44e40e200cbd5faa18499e81297490d3

SHA1
8f095d9950ce9e31beba94487c19f8176246ec8c

SHA256
9fb1d1d1ebe1f2a8f7830c77bc67f85aa25932ea5ab70e793d3f43e3e43533ed

SHA512
221c317d1a9e6e6187bf3dfc61ebe921ae1da16a2f5647a744fdc459c3c48c8718cb237586a55057f1bf658522d46f9ac66795cfa1fca535e39c0105cf59fb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yhs0sn2L6w.bat

Filesize
195B

MD5
373af500a1d09abcd7e451b4277faa3e

SHA1
19d00c5a82e0df96158c04d20c1cbe2f53d3f58d

SHA256
c070686f6c4f02affc0294f72f0de68a33898b8a47179ae3567cbccc508f5f06

SHA512
780e8a0e499f11811acb3fa5c0752736ba7766db40675af42d1396a36fadb1334c557ca2c74d06b805c8485fe57492c9ca5d6802e29e869391970aa0980f6cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6jdsJyxgU.bat

Filesize
195B

MD5
8876c2baf9cf5df9ac97110ba452c8f3

SHA1
639093cca431280089dde94d68f955b771d2b7f9

SHA256
043b25222de0467db2081ecee38e96f27a6aaf43aa0e05c4c1cd42937eed6245

SHA512
9425b71406e83701c59876c60324921a5876339b11aa5116270c10e14ef07973d4d170f3843a7a31fde39b4fbd5dff19deef5707d24e04490a1d94fba607c898

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6jdsJyxgU.bat

Filesize
195B

MD5
8876c2baf9cf5df9ac97110ba452c8f3

SHA1
639093cca431280089dde94d68f955b771d2b7f9

SHA256
043b25222de0467db2081ecee38e96f27a6aaf43aa0e05c4c1cd42937eed6245

SHA512
9425b71406e83701c59876c60324921a5876339b11aa5116270c10e14ef07973d4d170f3843a7a31fde39b4fbd5dff19deef5707d24e04490a1d94fba607c898

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfcv42is.woz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGxgnDDQjz.bat

Filesize
195B

MD5
0cfef8a134ea1f78353da5a37def385c

SHA1
863c76340e54060b6b1a5bd2d97a2db6f6163f8d

SHA256
d5fa234336e234572a8ec7dbe28fe4432ea60fc7af02afbbf52d4d3362dbf046

SHA512
905373103ac07ce811de7ed6f96b64d66c8665f7f4d0c42613b4c1a003db12ea73312fe9603fa9c36c5436a3db217b16b83eb86b5eaa130e675eb20648cd4579

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfpJnj91JY.bat

Filesize
195B

MD5
0f9e656574a22212054e155d434b7fd8

SHA1
8aa0da89b2baa7aa82d7d238d464c89f0a10cfae

SHA256
0bfccff48a9cb338f80b29ad8c9409537ecd0bdf0b48f23a5f608124d8ad9d08

SHA512
7bc1359602ab365f969ce205bff3913b48624880ab0d9cd724dbe719bec3d4c6ec7b3adcc485e8150fdb137f124f4d04bc1934667a71a4764fad6d331c65feed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfpJnj91JY.bat

Filesize
195B

MD5
0f9e656574a22212054e155d434b7fd8

SHA1
8aa0da89b2baa7aa82d7d238d464c89f0a10cfae

SHA256
0bfccff48a9cb338f80b29ad8c9409537ecd0bdf0b48f23a5f608124d8ad9d08

SHA512
7bc1359602ab365f969ce205bff3913b48624880ab0d9cd724dbe719bec3d4c6ec7b3adcc485e8150fdb137f124f4d04bc1934667a71a4764fad6d331c65feed

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdmdigGiX9.bat

Filesize
195B

MD5
67c689e13df1930664d2b8cb3f4173df

SHA1
54c26c92a72795bae4c930e8784d75a3ccab4b22

SHA256
5a15ff4b491f383f0997850af67ac286549d6e64784c2dc10e229a380f4dfeff

SHA512
e6f4483b92fa5db5f7fb7b41c48a2ada826e2671b0ff9b72e63e16ecfb18729ecac754c0112ecced3e7a3effef05075708b6d8eb292e56be02ba29b83536025a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdmdigGiX9.bat

Filesize
195B

MD5
67c689e13df1930664d2b8cb3f4173df

SHA1
54c26c92a72795bae4c930e8784d75a3ccab4b22

SHA256
5a15ff4b491f383f0997850af67ac286549d6e64784c2dc10e229a380f4dfeff

SHA512
e6f4483b92fa5db5f7fb7b41c48a2ada826e2671b0ff9b72e63e16ecfb18729ecac754c0112ecced3e7a3effef05075708b6d8eb292e56be02ba29b83536025a

Download Submit
C:\Users\Admin\AppData\Local\Temp\howVEGEG8J.bat

Filesize
195B

MD5
2523ce95b7adb2299a217028000de24d

SHA1
b9f234d035fb118c8dd32bb3612aa1e569aa0f34

SHA256
bc59587c09c89ce4f29257dec8b54e0218137f2355b98675948170f7c158d7a5

SHA512
d7463d6ce1fa87ada4ae55d1d02aaf6082bb2c99dbab42cccad0dd86fb92191b7268ff517c2d4a471390206859a75576fbd147b784013b979acb0ef78071f0ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\jCrJd6RmAD.bat

Filesize
195B

MD5
71db4a8175e84671ef53a9ece3d6c48f

SHA1
00872f912fd64b4ed61742233a0a0aa48bf44abf

SHA256
16e0220d068665a49d0ec872224e8bb1036a40706fd02baa4c32014f1d6e5885

SHA512
a35b2133709dc15ccbe5bdcdd135d9dad2f6fca237b3acb39d441a7cd6f91f1250018cddd10ffddd4efc37e6f58bb455a3faba27e2942dc7d38eb6102859530a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAocY3YSOp.bat

Filesize
195B

MD5
47326394472a694e40267b9fe4cff265

SHA1
8fff6dc0fb87b9f427ab98f5cae99d8d4516251f

SHA256
414c7a63dcf44b308394e5a3c53bd3457aeb7df9f96952738e01e144bb21ce9e

SHA512
b4a8f8e4c153e74537cc37c17dd9580ab9f3ae3039425ea976679755f877566a43c4d585eba2874ab4c089e41092c288fd1568088718292ae2d328f1e9087a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocyBONKacU.bat

Filesize
195B

MD5
3c9f2917cc818ab39eecf6317c0063b1

SHA1
c71300abd794a456562eeb0ec31c7113f403e4af

SHA256
622c5b6771765da16e52aeea754fbdef12a089ed09457581447636d4e880d4bb

SHA512
348bcb8fdd02483cb1b9c5de8f41aed80bc963fe41cbe95749aeb06cb0c9fa94c4047049a5f1f6b6284501a0af319cebd5c5b16c3b8c0c8b3bb7ff262c75be65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZgFYZT4yN.bat

Filesize
195B

MD5
d0fb3450e5eed28f7682869c769665ee

SHA1
f22fa15ed0d77568d96ce3b2502da5c74eac8594

SHA256
1f5929a0c2985bf0f94dec5470bbb7a2d216b4b08634f538455efcfd2c87b54e

SHA512
0f5742acbcbd43f625aabe9b6ac58a6b1525bfbfabeb959d9f2cc270443f7632ccdf25c6d3f89d0fae71fed5b99b3aecc8a3a5fbcf68a28f0d3837eaad6119f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkq749RcZX.bat

Filesize
195B

MD5
920a096d60538872173832894983abfe

SHA1
51d7986a93a953cb3becaaebc72d6dd670f989e2

SHA256
851743d64f343adec46b8ac630c81abc66cddbb6bdd7b9469677681695104245

SHA512
56a101a1dc248fc0e60da87ef8c573d1f0579d3bd7f69e3e439bd8f1782a9f4d0c48a41dd916b5dd4083ae053e5f8dd1f967b21aa1bb75be544e2eff4ea90446

Download Submit
C:\Users\Admin\AppData\Local\Temp\s8lvSze9bR.bat

Filesize
195B

MD5
200cd99b7b96743eb943d8cba36da40c

SHA1
b4f7969909109d0684cc0b0c4383d89b4ac446e0

SHA256
211493a56495c440ef7e0b4d94e95d114154ff7360d3100e37f0349a0b21391d

SHA512
bdd95b2ea610ba23d0d4c80bc58b946e3494b3a3a4a642e7ec2ee9344fb5c6dfdeb92878e15a37fbc7efb23e6af4d6f43c222a1c6994e52e2f8a50a253ab0c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sZYO5BIqkd.bat

Filesize
243B

MD5
318f5faf305259a7841a555125bb040b

SHA1
2fd4a56590ae0d03ac69a145ed499bdd838d7c23

SHA256
da7f226831b4659c8bfea6d67729d69eca6dae63b9ab0438a4ef7cbecdca4c23

SHA512
4d7b157c638afccfe8ff0f967b38fd1ec5dbe7936ae75039d56ef7240f23e9aa64dcedc5da142941fa6a704f829e872c5cc1656b1b9cc8833d9530defc59956e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tXcZTVakCz.bat

Filesize
195B

MD5
77a23d8b041989d75c2a038eecc11fe3

SHA1
262c293b8af1d0efbf365dbd8c32bfeb73d29f49

SHA256
47972523945c0e7acd1203e46a88b09e880ee60f0e1e31af1567205808113b59

SHA512
0206d928f43442fa3359f96654b8ed8c74d3443c43ffec775cbebab6632d4f2bb627951c5b3c6a859259e3fa0d2a25250d2568dcbf94ea00b7844ae871346171

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8e4zbUuNh.bat

Filesize
195B

MD5
e68ec307ec20405bc7c9c403445a4aa3

SHA1
a0790efdb7804a3f5bbc4da9634927be535ea975

SHA256
db2c52a944309baf89c57972e4b5d526da01f40c9bf1eff549f62d68ed0164ff

SHA512
f7bddae7448b8e4a358fd569359763c13e68bbfa849cdd258c34e4bff8d89b4588b6716bb07ba9d5c1742b3cf98421e60817a13e991261d1b0d1cddad7a6316b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xVZsORhRPb.bat

Filesize
195B

MD5
62a5f58c651976ee8ad51c78a69a0f79

SHA1
03bbf8b921d14828e184fd99502516a5602810e8

SHA256
36d42ac04b63e5040d941e29242174ffbd90ac08d33d9aa7047cd4f999a43f66

SHA512
bc9d703581ecc73c0e39082f4cfa5d7c5629f611ce56e0aa2c18747dd043f0a275dd50cd96d8692083c73f2c8275a8450e22fb01dd47ebf63b6754b7fa8560e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuRWOxc209.bat

Filesize
195B

MD5
2a2aa15f2dc2640163049a5a1d71665b

SHA1
c080f3756c84287da5a2d62b8b54f3fa41a71fc1

SHA256
bd260fa305e6ccbe5e6c1a02848f4e61d4ac688e981cfedd1687e2633ed17b95

SHA512
473ce208f675845997e2aa232975aa0e2a1d0cecdeff39369bfd030c859d3741803e5200dae95d9b9ca34cf8b65c1cafa17c58eda0aba056e80aab0ec5875e71

Download Submit
memory/1140-72-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/1140-285-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/1140-66-0x0000016A64B60000-0x0000016A64B70000-memory.dmp

Filesize
64KB

Download
memory/1140-64-0x0000016A64B60000-0x0000016A64B70000-memory.dmp

Filesize
64KB

Download
memory/1140-181-0x0000016A64B60000-0x0000016A64B70000-memory.dmp

Filesize
64KB

Download
memory/1140-268-0x0000016A64B60000-0x0000016A64B70000-memory.dmp

Filesize
64KB

Download
memory/1172-17-0x00007FFC0CAE0000-0x00007FFC0CAE1000-memory.dmp

Filesize
4KB

Download
memory/1172-2-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/1172-13-0x0000000002820000-0x000000000282C000-memory.dmp

Filesize
48KB

Download
memory/1172-14-0x00007FFC0CAF0000-0x00007FFC0CAF1000-memory.dmp

Filesize
4KB

Download
memory/1172-1-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-0-0x0000000000450000-0x0000000000610000-memory.dmp

Filesize
1.8MB

Download
memory/1172-11-0x00007FFC0CB00000-0x00007FFC0CB01000-memory.dmp

Filesize
4KB

Download
memory/1172-10-0x00000000026C0000-0x00000000026CE000-memory.dmp

Filesize
56KB

Download
memory/1172-33-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-8-0x00000000026B0000-0x00000000026BE000-memory.dmp

Filesize
56KB

Download
memory/1172-3-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1172-6-0x00007FFC0CB10000-0x00007FFC0CB11000-memory.dmp

Filesize
4KB

Download
memory/1172-5-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/1172-16-0x0000000002830000-0x000000000283C000-memory.dmp

Filesize
48KB

Download
memory/1172-57-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/1172-4-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/2076-294-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-299-0x00007FFC0CB10000-0x00007FFC0CB11000-memory.dmp

Filesize
4KB

Download
memory/2076-297-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/2076-296-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/2076-302-0x00007FFC0CB00000-0x00007FFC0CB01000-memory.dmp

Filesize
4KB

Download
memory/2076-303-0x00007FFC0CAF0000-0x00007FFC0CAF1000-memory.dmp

Filesize
4KB

Download
memory/2076-298-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/2076-295-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/2076-306-0x00007FFC0CAE0000-0x00007FFC0CAE1000-memory.dmp

Filesize
4KB

Download
memory/2336-286-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-41-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-273-0x00000152F4A40000-0x00000152F4A50000-memory.dmp

Filesize
64KB

Download
memory/2336-267-0x00000152F4A40000-0x00000152F4A50000-memory.dmp

Filesize
64KB

Download
memory/2336-58-0x00000152F4A40000-0x00000152F4A50000-memory.dmp

Filesize
64KB

Download
memory/2336-172-0x00000152F4A40000-0x00000152F4A50000-memory.dmp

Filesize
64KB

Download
memory/2336-274-0x00000152F4A40000-0x00000152F4A50000-memory.dmp

Filesize
64KB

Download
memory/2336-258-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-59-0x00000152F4A40000-0x00000152F4A50000-memory.dmp

Filesize
64KB

Download
memory/2336-63-0x00000152F4D20000-0x00000152F4D42000-memory.dmp

Filesize
136KB

Download
memory/2492-275-0x0000020479BB0000-0x0000020479BC0000-memory.dmp

Filesize
64KB

Download
memory/2492-62-0x0000020479BB0000-0x0000020479BC0000-memory.dmp

Filesize
64KB

Download
memory/2492-65-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-104-0x0000020479BB0000-0x0000020479BC0000-memory.dmp

Filesize
64KB

Download
memory/2492-61-0x0000020479BB0000-0x0000020479BC0000-memory.dmp

Filesize
64KB

Download
memory/2492-253-0x0000020479BB0000-0x0000020479BC0000-memory.dmp

Filesize
64KB

Download
memory/2492-277-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-276-0x0000020479BB0000-0x0000020479BC0000-memory.dmp

Filesize
64KB

Download
memory/3344-278-0x0000017FF1FA0000-0x0000017FF1FB0000-memory.dmp

Filesize
64KB

Download
memory/3344-194-0x0000017FF1FA0000-0x0000017FF1FB0000-memory.dmp

Filesize
64KB

Download
memory/3344-56-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/3344-290-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/3344-69-0x0000017FF1FA0000-0x0000017FF1FB0000-memory.dmp

Filesize
64KB

Download
memory/3344-67-0x0000017FF1FA0000-0x0000017FF1FB0000-memory.dmp

Filesize
64KB

Download
memory/3344-265-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/3740-76-0x0000024FC0DE0000-0x0000024FC0DF0000-memory.dmp

Filesize
64KB

Download
memory/3740-128-0x0000024FC0DE0000-0x0000024FC0DF0000-memory.dmp

Filesize
64KB

Download
memory/3740-49-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/3740-252-0x0000024FC0DE0000-0x0000024FC0DF0000-memory.dmp

Filesize
64KB

Download
memory/3740-261-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download
memory/3740-74-0x0000024FC1070000-0x0000024FC10E6000-memory.dmp

Filesize
472KB

Download
memory/3740-60-0x0000024FC0DE0000-0x0000024FC0DF0000-memory.dmp

Filesize
64KB

Download
memory/3740-266-0x00007FFC02F90000-0x00007FFC0397C000-memory.dmp

Filesize
9.9MB

Download