zgrat | 8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

Analysis

max time kernel
296s
max time network
299s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
Size

1.7MB
MD5

1293f563c73464bc5d7f43aac04bbcd8
SHA1

2104dc4168aae58bbb281fdc0ca746cb207f50f7
SHA256

8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695
SHA512

e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 28 IoCs

resource	yara_rule
behavioral1/memory/2012-0-0x0000000000380000-0x0000000000540000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000900000001561b-26.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-80.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-79.dat	family_zgrat_v1
behavioral1/memory/1688-81-0x0000000000100000-0x00000000002C0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00080000000152d1-103.dat	family_zgrat_v1
behavioral1/memory/2360-105-0x0000000000B10000-0x0000000000CD0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00080000000152d1-125.dat	family_zgrat_v1
behavioral1/memory/1520-126-0x00000000010D0000-0x0000000001290000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00080000000152d1-145.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-165.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-186.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-206.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-222.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-241.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-260.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-280.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-296.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-316.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-333.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-354.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-370.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-383.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-406.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-426.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-448.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-469.dat	family_zgrat_v1
behavioral1/files/0x00080000000152d1-489.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 29 IoCs

pid	Process
1688	spoolsv.exe
2360	spoolsv.exe
1520	spoolsv.exe
3032	spoolsv.exe
1720	spoolsv.exe
2732	spoolsv.exe
2672	spoolsv.exe
2648	spoolsv.exe
1096	spoolsv.exe
620	spoolsv.exe
2356	spoolsv.exe
1056	spoolsv.exe
1616	spoolsv.exe
2768	spoolsv.exe
3004	spoolsv.exe
2860	spoolsv.exe
2520	spoolsv.exe
1596	spoolsv.exe
768	spoolsv.exe
1780	spoolsv.exe
1724	spoolsv.exe
3028	spoolsv.exe
1756	spoolsv.exe
340	spoolsv.exe
2704	spoolsv.exe
2880	spoolsv.exe
2152	spoolsv.exe
2488	spoolsv.exe
2400	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\42af1c969fbb7b	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
File created	C:\Program Files (x86)\Common Files\Services\spoolsv.exe	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
File created	C:\Program Files (x86)\Common Files\Services\f3b6ecef712a24	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
File created	C:\Program Files\Windows Portable Devices\explorer.exe	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
File created	C:\Program Files\Windows Portable Devices\7a0fd90576e088	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\audiodg.exe	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\audiodg.exe	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	spoolsv.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2692	PING.EXE
1788	PING.EXE
1052	PING.EXE
1080	PING.EXE
2284	PING.EXE
1708	PING.EXE
612	PING.EXE
1372	PING.EXE
2264	PING.EXE
2004	PING.EXE
2416	PING.EXE
2720	PING.EXE
2540	PING.EXE
1680	PING.EXE
620	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1688	spoolsv.exe
Token: SeDebugPrivilege	2360	spoolsv.exe
Token: SeDebugPrivilege	1520	spoolsv.exe
Token: SeDebugPrivilege	3032	spoolsv.exe
Token: SeDebugPrivilege	1720	spoolsv.exe
Token: SeDebugPrivilege	2732	spoolsv.exe
Token: SeDebugPrivilege	2672	spoolsv.exe
Token: SeDebugPrivilege	2648	spoolsv.exe
Token: SeDebugPrivilege	1096	spoolsv.exe
Token: SeDebugPrivilege	620	spoolsv.exe
Token: SeDebugPrivilege	2356	spoolsv.exe
Token: SeDebugPrivilege	1056	spoolsv.exe
Token: SeDebugPrivilege	1616	spoolsv.exe
Token: SeDebugPrivilege	2768	spoolsv.exe
Token: SeDebugPrivilege	3004	spoolsv.exe
Token: SeDebugPrivilege	2860	spoolsv.exe
Token: SeDebugPrivilege	2520	spoolsv.exe
Token: SeDebugPrivilege	1596	spoolsv.exe
Token: SeDebugPrivilege	768	spoolsv.exe
Token: SeDebugPrivilege	1780	spoolsv.exe
Token: SeDebugPrivilege	1724	spoolsv.exe
Token: SeDebugPrivilege	3028	spoolsv.exe
Token: SeDebugPrivilege	1756	spoolsv.exe
Token: SeDebugPrivilege	340	spoolsv.exe
Token: SeDebugPrivilege	2704	spoolsv.exe
Token: SeDebugPrivilege	2880	spoolsv.exe
Token: SeDebugPrivilege	2152	spoolsv.exe
Token: SeDebugPrivilege	2488	spoolsv.exe
Token: SeDebugPrivilege	2400	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2088	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	36
PID 2012 wrote to memory of 2088	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	36
PID 2012 wrote to memory of 2088	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	36
PID 2012 wrote to memory of 2440	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	35
PID 2012 wrote to memory of 2440	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	35
PID 2012 wrote to memory of 2440	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	35
PID 2012 wrote to memory of 2736	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	32
PID 2012 wrote to memory of 2736	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	32
PID 2012 wrote to memory of 2736	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	32
PID 2012 wrote to memory of 2724	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	31
PID 2012 wrote to memory of 2724	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	31
PID 2012 wrote to memory of 2724	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	31
PID 2012 wrote to memory of 2924	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	29
PID 2012 wrote to memory of 2924	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	29
PID 2012 wrote to memory of 2924	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	29
PID 2012 wrote to memory of 2472	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	38
PID 2012 wrote to memory of 2472	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	38
PID 2012 wrote to memory of 2472	2012	8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe	38
PID 2472 wrote to memory of 2840	2472	cmd.exe	40
PID 2472 wrote to memory of 2840	2472	cmd.exe	40
PID 2472 wrote to memory of 2840	2472	cmd.exe	40
PID 2472 wrote to memory of 1944	2472	cmd.exe	41
PID 2472 wrote to memory of 1944	2472	cmd.exe	41
PID 2472 wrote to memory of 1944	2472	cmd.exe	41
PID 2472 wrote to memory of 1688	2472	cmd.exe	42
PID 2472 wrote to memory of 1688	2472	cmd.exe	42
PID 2472 wrote to memory of 1688	2472	cmd.exe	42
PID 1688 wrote to memory of 1536	1688	spoolsv.exe	43
PID 1688 wrote to memory of 1536	1688	spoolsv.exe	43
PID 1688 wrote to memory of 1536	1688	spoolsv.exe	43
PID 1536 wrote to memory of 2456	1536	cmd.exe	45
PID 1536 wrote to memory of 2456	1536	cmd.exe	45
PID 1536 wrote to memory of 2456	1536	cmd.exe	45
PID 1536 wrote to memory of 2416	1536	cmd.exe	46
PID 1536 wrote to memory of 2416	1536	cmd.exe	46
PID 1536 wrote to memory of 2416	1536	cmd.exe	46
PID 1536 wrote to memory of 2360	1536	cmd.exe	49
PID 1536 wrote to memory of 2360	1536	cmd.exe	49
PID 1536 wrote to memory of 2360	1536	cmd.exe	49
PID 2360 wrote to memory of 2488	2360	spoolsv.exe	50
PID 2360 wrote to memory of 2488	2360	spoolsv.exe	50
PID 2360 wrote to memory of 2488	2360	spoolsv.exe	50
PID 2488 wrote to memory of 964	2488	cmd.exe	52
PID 2488 wrote to memory of 964	2488	cmd.exe	52
PID 2488 wrote to memory of 964	2488	cmd.exe	52
PID 2488 wrote to memory of 1568	2488	cmd.exe	53
PID 2488 wrote to memory of 1568	2488	cmd.exe	53
PID 2488 wrote to memory of 1568	2488	cmd.exe	53
PID 2488 wrote to memory of 1520	2488	cmd.exe	54
PID 2488 wrote to memory of 1520	2488	cmd.exe	54
PID 2488 wrote to memory of 1520	2488	cmd.exe	54
PID 1520 wrote to memory of 1816	1520	spoolsv.exe	55
PID 1520 wrote to memory of 1816	1520	spoolsv.exe	55
PID 1520 wrote to memory of 1816	1520	spoolsv.exe	55
PID 1816 wrote to memory of 3056	1816	cmd.exe	57
PID 1816 wrote to memory of 3056	1816	cmd.exe	57
PID 1816 wrote to memory of 3056	1816	cmd.exe	57
PID 1816 wrote to memory of 1080	1816	cmd.exe	58
PID 1816 wrote to memory of 1080	1816	cmd.exe	58
PID 1816 wrote to memory of 1080	1816	cmd.exe	58
PID 1816 wrote to memory of 3032	1816	cmd.exe	59
PID 1816 wrote to memory of 3032	1816	cmd.exe	59
PID 1816 wrote to memory of 3032	1816	cmd.exe	59
PID 3032 wrote to memory of 1604	3032	spoolsv.exe	60

C:\Users\Admin\AppData\Local\Temp\8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe
"C:\Users\Admin\AppData\Local\Temp\8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\System.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\audiodg.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NR0JjbBh5t.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2840
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1944
- - C:\Program Files (x86)\Common Files\Services\spoolsv.exe
    "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q9EwglUAPg.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2456
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2416
    - - C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4noHdFs8q.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1568
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\87Ce65nyUj.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:1080
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU00hIhBOb.bat"
        10⤵
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2208
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\89MOUOnUXi.bat"
        12⤵
        
        PID:2460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:2284
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L2HVdYORdu.bat"
        14⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3000
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hLzHEla3w8.bat"
        16⤵
        
        PID:1948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2700
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CRFnHZZKPL.bat"
        18⤵
        
        PID:748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbbIz777as.bat"
        20⤵
        
        PID:436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2692
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zh5ueQJlaG.bat"
        22⤵
        
        PID:1036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1328
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat"
        24⤵
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3056
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2264
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6YKtyItKL0.bat"
        26⤵
        
        PID:1504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:1708
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jTee716RlF.bat"
        28⤵
        
        PID:1176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:2720
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlYFj4oEgi.bat"
        30⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1764
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoa8e0eVVx.bat"
        32⤵
        
        PID:2016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:2540
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3kbcxG26Au.bat"
        34⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PH1A2PBmSX.bat"
        36⤵
        
        PID:748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:612
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nVhX1xwiaU.bat"
        38⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        Runs ping.exe
        
        PID:1788
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G5G1KH0qyw.bat"
        40⤵
        
        PID:1640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:1052
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\29a6RA8xzC.bat"
        42⤵
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:1500
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xTQ808hvMc.bat"
        44⤵
        
        PID:2060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:2808
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nBkS9jGYwT.bat"
        46⤵
        
        PID:1476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:2004
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cE1qBYVKAL.bat"
        48⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:1760
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXrskW4JYl.bat"
        50⤵
        
        PID:1940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:1200
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qe7zIwqSAW.bat"
        52⤵
        
        PID:1924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:1040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        Runs ping.exe
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tQmBjXbDhn.bat"
        54⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        Runs ping.exe
        
        PID:1372
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Odt5WJZ2fB.bat"
        56⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        Runs ping.exe
        
        PID:620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:2388
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BIFf9IaIrA.bat"
        58⤵
        
        PID:756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:2128
        
        C:\Program Files (x86)\Common Files\Services\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Services\spoolsv.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NGCBu7dv8c.bat"
        60⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Program Files (x86)\Common Files\Services\spoolsv.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\System.exe

Filesize
1.7MB

MD5
1293f563c73464bc5d7f43aac04bbcd8

SHA1
2104dc4168aae58bbb281fdc0ca746cb207f50f7

SHA256
8324dd03377ae4f738b328a10f99ccb4def68ed4a4f578c4ff89bb185a16e695

SHA512
e1fe8d3d8b063adabbd5b6f3e6327a67ba0d23f6cdd82bfa954270e99a368dc8394b0d2a70caece6edd60ee09651873c3162b27e3b8e28f407021f8bee28a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\29a6RA8xzC.bat

Filesize
232B

MD5
47d63eb53506025ca620cc157d808004

SHA1
20a3ee2168fcd1f5c74db496b2c51d351d5fc974

SHA256
f9e9aa1d2ee55fdad89e573c2c6a797b6afe6ef24c864906bb1203487ffd0e1e

SHA512
c118657bc6295587f5c272246bb435dfd59f762396cf844b1c993b65f3529b79fc15713c473d61c92705c2ae0c82eccdadecc502c3ceee7d23670643a6921917

Download Submit
C:\Users\Admin\AppData\Local\Temp\3kbcxG26Au.bat

Filesize
232B

MD5
c7df57b2a14fe2d477e0414bc06b3c48

SHA1
47fa9703e7a121945361ee539d44b9e5f3c9b726

SHA256
6a8ee2e4205d5278b6c9972acec0a87bc85aa4a2565e04f1d6aa8c752da3cf22

SHA512
091b8210269013006e6af2f7d7940d7f00584bec44244971a9e2b175d594b42f4cba94f008367b512ad9c961a2a62f7380a34063569844e835372d8cbb3e4354

Download Submit
C:\Users\Admin\AppData\Local\Temp\6YKtyItKL0.bat

Filesize
184B

MD5
8a7736bdc11538b664a19e1f343a2c06

SHA1
e0531a8912d5522d3ea06774a059b6bb0c7fd424

SHA256
1617bd32e07535586b6d06897a5169c85ea18aad69510c42252736c4670b6444

SHA512
f831e95044be428986a1d5db61405b7162335a00de2021402a7962ca66a86e1dc9295dcab59ed7a6a04f554436548fa19daa196c937f69add2865f0089c97a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\87Ce65nyUj.bat

Filesize
184B

MD5
8e4fca6383f83bad74ff593b68c48f42

SHA1
fd674643981ddd40052948eb407e6772dd226c3a

SHA256
83291e0319e515422653fcfc6e71794c45a21d29b1762f3cc52ee4452aadc49e

SHA512
4b23a519bea1a6efdc110e83f9663dc23361ed5e44b420345c7aa849349c84550cec0ac05df4eee313059df438594838383cba64161531862e726b5088a6628c

Download Submit
C:\Users\Admin\AppData\Local\Temp\89MOUOnUXi.bat

Filesize
184B

MD5
919a954162178186463a83bd5f3c8b76

SHA1
c948f23462698142a90857e00b997db580ca1441

SHA256
4557c92d8918ae4a7acab5104afc4e9ca3af3e3b421c65dff105e631a091a7d5

SHA512
15125109b1db508a3b2b62cdd788fde268bebc7c653bf463e29e5d83e35f5d7a0e94018b291ca1af5e6253e0e9bac75945cf44d7ccd6dcbef1a1136bea1962c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRFnHZZKPL.bat

Filesize
232B

MD5
746a774dcf864e2285c318276844f810

SHA1
efe9ece77cc481a0704cc21c5db0ebc3d517edec

SHA256
a8778bca272882b8231a03418428eef3d312fc1f480360bdc2907d0bc9cae924

SHA512
89e7f3dc9040accab5ebd2f5adbdde3fe085137c8340504ad9acec6072f34f36f9c82ed7bd9c7c0b9831dba0490029d8485844cb862d00e79a2508866f086da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\G5G1KH0qyw.bat

Filesize
184B

MD5
fcab9ba5095e3a8948f395339f7b4f6f

SHA1
d0b620cb0587b7f30b97e9ad60f9078685fd793f

SHA256
ea4104ae10cc4201cb029b8b40e55902a834cdc55da121871f5f144c7ede0fc5

SHA512
c96f4f6860f907c5fc87c0dbd490468630e76f0749f9d0ddfc125877b516a4b2efd59b65c27d824120139f7f7fd2a363a6e82d211ae5d2884e74c81da88e4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\L2HVdYORdu.bat

Filesize
232B

MD5
f797303937abadbaad257d7be5189acc

SHA1
2a8c64f4d282891c409359d040097a7f17e35e49

SHA256
ba0aa242bb367c58f405dd05ea7900dbf1ae281fe081ad3743a2ce25a3721dec

SHA512
c75bf7fe2eb9af26f6c56097062726e39be3264322ac4a39c681744bcb15121a127db5e4154d942b13a1ed1fa18a21a1de1c8cc9037d1f99e2bc59f0c6a57274

Download Submit
C:\Users\Admin\AppData\Local\Temp\NR0JjbBh5t.bat

Filesize
232B

MD5
825e192ad637a55a894cbadc4adad140

SHA1
9c31ba3e6e189bcdbc21c190490bbc37f2e9bba9

SHA256
1b5e23c2e1d2800c4221c459a3bf236af52ef6bb775ce8cd0e8e1d93ac7fea1a

SHA512
a5aca17430c775da5a3cf7e99847ec6a4dc2af3faf06d3ea711d9b083f416f8427a6c600511f5becade548e14f156128f13ebb3efa3c7f6a3dcaa74bbd1e7ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\PH1A2PBmSX.bat

Filesize
184B

MD5
d817c8ac371048db0d89c1a7afca31a8

SHA1
25ccfabcf66b9da242c90765bf2425301e0ae0ca

SHA256
9f553e3c970d88fcbf1e3b86334f598421b31138dec137843d7fda13ce96f94e

SHA512
06949a64a2a95f0071a529bcc166ea200b2cf6ea341371d6e30f9622053046d2f09ee8c9714fd1d2e1466a97a58a395b6cd6e552db2b5bf3fe22d7b06de26946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q9EwglUAPg.bat

Filesize
184B

MD5
a78e403bd60bd7bb013742bed65138a3

SHA1
e1f20e4e50597d4a8c716178f49881726482ac1c

SHA256
9ad5245243a38966370fdc311e68af8852c1525b627247091e9d4c4b1d0b0b2c

SHA512
d688130e0b041a571e72a84e544684727e4456b59229bba2ed259d86cb16a1d8d8b947103998dc2e53e8a7811bb2446eb9563a5c7ff543be90f8afe159a4aaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU00hIhBOb.bat

Filesize
232B

MD5
7899fbb22baa43d8e7485b88bfa00147

SHA1
16e4e718e78c9e43d01442275ccadccd6661f5ff

SHA256
9e5eaf9e7adfa33e25528b56e2ea430e9ebca48d289f5538290dd5eedd0110e9

SHA512
418fc38017fe8c3ce8da3d808aa22d4295d782a0b3b06b46ff83e92a42e751b7ddf1928fe787987a206d774014758fd6f466f00520d13029b2e198eb834c6319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zh5ueQJlaG.bat

Filesize
232B

MD5
c956bc73deae97449e2e631d3fdb0f4f

SHA1
6b8ab799ff1af23fe9b6277655a0827384006f53

SHA256
4c9cce8d3c89f471206e3269229ba0bb20df831c4bf22d35ac10ee521fbe6841

SHA512
f9629cbe9018e1b77b0778e4d900f800dd29b482b8f0e0cd746354083dfccf2ede0ea4aacbc160639f2f5b52f6dd79521f335364897d45492ea4de07306e6738

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4noHdFs8q.bat

Filesize
232B

MD5
a1bf60e265d3f1f6db7ab6b1c3dca4b7

SHA1
f2b4f09c54d5b1d6cc1a31ffb4f1e344b07db447

SHA256
f7248f90a9a8a5fda566287f1a0e740c453395cf70ed9510354eb967d89d73b1

SHA512
1d945494cdc875fd116b1ff7487d24a3afac966a7f00e0a71b1e9a915430244d9b28ae87a87c4f9c2c6f9720ec12371599682c1621683c96719f89575f7a1b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat

Filesize
184B

MD5
842b6c6a0acd79958f6e46bac1a5dddb

SHA1
6dc1fcb6df01639cfedd111b81836491ba9a035c

SHA256
dd754bf3e9ff63a004cf8c967dfa488f3b75cfd1a7c8e5cf59567311c8ec0ddf

SHA512
58d930d8a85b4edad752392338e29c11070f11da4b4fc537dac2e15937c3228db561fc48febb0882fd701994b1ea3f0536f09d555c6cdef47d3e119915cc3419

Download Submit
C:\Users\Admin\AppData\Local\Temp\hLzHEla3w8.bat

Filesize
232B

MD5
1a66d0c78b0942ff0d4ae9397bd0f7bb

SHA1
fc87e8e619817fc3348bbcfe6eb7fa937d1f881c

SHA256
0a56bd615cc6e763660ed25a372c191249d2b75f427064e17dbc12e94bb6dbce

SHA512
dba069fb8d0c087e457475d541bc6b3830802e48ab36f808bbbd4299440afeb2e1bf19caacc0e8641691dffe42f75a180f4b5252201888d742fe7595c60bab65

Download Submit
C:\Users\Admin\AppData\Local\Temp\jTee716RlF.bat

Filesize
184B

MD5
95caf04e21efd3460164eb5600dfd884

SHA1
7f1322b85ef0ba5be9ecd40ca4e508964630dd6f

SHA256
501c38eac0182b62f16a4af6b5d076bc250522cd3d19aa3b5f2271045a1b989d

SHA512
80e3de00e4a62ce18fc1d650d9731e5265ceeab1ce710c6d5c9263d0d1310dea829a89ca5446411127015f76a0f742bf72198c6fac1cb8df974b113a3794da9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nVhX1xwiaU.bat

Filesize
184B

MD5
a046c84f646a5e02abd1f6c1ede702c7

SHA1
4ba8f5a934fd3c3b7a850a35b2e0aa83d4316e0a

SHA256
542d757166d2cc17d3a8dfad308b446ca39f457535946b6975075fe0a617ad17

SHA512
36ef4f50bfe23fe512e723063f595ec92c4bec8e30e22d7d2054b27442ff954fa62551c10fc77fb1d615b1f04480cc924fd9cf51223408d09d09e8216de77fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbbIz777as.bat

Filesize
184B

MD5
ae1a3672f6c692724a19266a4d1a050d

SHA1
17e68c0ffae02d4d929e1acb4b1c0c0830eeafa3

SHA256
7855bbf5e81eaf058267fdb49fc8178a877353170e78c322510b35519a5caff5

SHA512
48b64b0577949b7d30e763424b353c210c82f2a2ec8d97fba3b477f0ba0e774fc645c6b968ae207d2557b7c7b47dbcffb09de22b14c7a092c4bb0a275f4b8902

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlYFj4oEgi.bat

Filesize
232B

MD5
83ec54fdf34c2f86430379c2b3236f5a

SHA1
782426b953269c11633a9d8b63f9efa54c4044c2

SHA256
f22158d2449eb16014c610375e5efd1af25e7d38bb470a84d170e38f853349ca

SHA512
d833dbebbce9dc43027069e412b6609e3914cbd85d3d9aa2750884e473cf2da3b4ab4814c5fb9d16791935e7b0b9a17b439bffb210efc31d4a6cf47d972f39ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\xTQ808hvMc.bat

Filesize
232B

MD5
13f80f43301c75ff4ca4992dfe6d997c

SHA1
1a14e5250752b4efeadf7297cfcd245ac2391bc5

SHA256
310a1b4f9f3248e6f452eaf5e1bcf8fd7439639c97208b8f74e285eb81457268

SHA512
f8fe02c41189ed6bf753f0464d985fb9e335999eab40aa52f212be40073728105cc2e2ce1d7060641ce219d425eed8a33639b547236b9dd551c77bec57e00c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoa8e0eVVx.bat

Filesize
184B

MD5
b368a89305c5b625091d4223629b7f04

SHA1
6d4ed0e955e3f0d3bfe3b951cae11b1d72a5a845

SHA256
bb1485384e7b028168ff8f8230eee075236e7406bb5ff074226e369cd2db263f

SHA512
ccadb98c73645e15f36e0ba1be06a3cb2ed301b2bcd79619195733df9e6a1e89f3979832c310a5f6fa2cdace97ec0c4bb1a9bd72917024f202d8104bfc46b274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f7de01a1da9ee525ca8a9c1e9c438ce

SHA1
170f244e581976320a49cf083e2376b2f5a3914e

SHA256
00dbd47228dc13cc0db961e8c56875027550a7b8e4b9336b034150f4a1ee8957

SHA512
a2a60acd4d046671a13e9d405ebf8758b64c963ebbfd889ec575f30caf0488f7ba01f099ae6d3a697dcd3e4f42d1384980c2fb23215d596bfbc6c6f2ff294ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f7de01a1da9ee525ca8a9c1e9c438ce

SHA1
170f244e581976320a49cf083e2376b2f5a3914e

SHA256
00dbd47228dc13cc0db961e8c56875027550a7b8e4b9336b034150f4a1ee8957

SHA512
a2a60acd4d046671a13e9d405ebf8758b64c963ebbfd889ec575f30caf0488f7ba01f099ae6d3a697dcd3e4f42d1384980c2fb23215d596bfbc6c6f2ff294ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f7de01a1da9ee525ca8a9c1e9c438ce

SHA1
170f244e581976320a49cf083e2376b2f5a3914e

SHA256
00dbd47228dc13cc0db961e8c56875027550a7b8e4b9336b034150f4a1ee8957

SHA512
a2a60acd4d046671a13e9d405ebf8758b64c963ebbfd889ec575f30caf0488f7ba01f099ae6d3a697dcd3e4f42d1384980c2fb23215d596bfbc6c6f2ff294ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3f7de01a1da9ee525ca8a9c1e9c438ce

SHA1
170f244e581976320a49cf083e2376b2f5a3914e

SHA256
00dbd47228dc13cc0db961e8c56875027550a7b8e4b9336b034150f4a1ee8957

SHA512
a2a60acd4d046671a13e9d405ebf8758b64c963ebbfd889ec575f30caf0488f7ba01f099ae6d3a697dcd3e4f42d1384980c2fb23215d596bfbc6c6f2ff294ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PDYNMLP5JWVFV93AEY76.temp

Filesize
7KB

MD5
3f7de01a1da9ee525ca8a9c1e9c438ce

SHA1
170f244e581976320a49cf083e2376b2f5a3914e

SHA256
00dbd47228dc13cc0db961e8c56875027550a7b8e4b9336b034150f4a1ee8957

SHA512
a2a60acd4d046671a13e9d405ebf8758b64c963ebbfd889ec575f30caf0488f7ba01f099ae6d3a697dcd3e4f42d1384980c2fb23215d596bfbc6c6f2ff294ad8

Download Submit
memory/1520-126-0x00000000010D0000-0x0000000001290000-memory.dmp

Filesize
1.8MB

Download
memory/1520-127-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-128-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1520-129-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/1688-84-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1688-85-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/1688-102-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-95-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/1688-94-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/1688-93-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-81-0x0000000000100000-0x00000000002C0000-memory.dmp

Filesize
1.8MB

Download
memory/1688-92-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/1688-82-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-89-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/1688-87-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/1688-83-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/1688-86-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/2012-12-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/2012-4-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2012-17-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2012-14-0x0000000002010000-0x000000000201C000-memory.dmp

Filesize
48KB

Download
memory/2012-0-0x0000000000380000-0x0000000000540000-memory.dmp

Filesize
1.8MB

Download
memory/2012-37-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-11-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/2012-10-0x0000000002000000-0x000000000200E000-memory.dmp

Filesize
56KB

Download
memory/2012-8-0x0000000001FF0000-0x0000000001FFE000-memory.dmp

Filesize
56KB

Download
memory/2012-1-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-6-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/2012-5-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2012-2-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2012-16-0x0000000002020000-0x000000000202C000-memory.dmp

Filesize
48KB

Download
memory/2012-3-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2088-61-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-71-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/2088-78-0x000000000270B000-0x0000000002772000-memory.dmp

Filesize
412KB

Download
memory/2088-76-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2088-77-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/2360-105-0x0000000000B10000-0x0000000000CD0000-memory.dmp

Filesize
1.8MB

Download
memory/2360-109-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/2360-118-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2360-114-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/2360-116-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/2360-112-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/2360-110-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/2360-124-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-107-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2360-106-0x000000001B480000-0x000000001B500000-memory.dmp

Filesize
512KB

Download
memory/2360-104-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-63-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-74-0x000000000247B000-0x00000000024E2000-memory.dmp

Filesize
412KB

Download
memory/2440-72-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/2724-69-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2724-73-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/2724-75-0x0000000002A6B000-0x0000000002AD2000-memory.dmp

Filesize
412KB

Download
memory/2724-65-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-67-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2724-59-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2736-68-0x00000000028BB000-0x0000000002922000-memory.dmp

Filesize
412KB

Download
memory/2736-64-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download
memory/2736-60-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/2736-43-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2924-70-0x00000000024BB000-0x0000000002522000-memory.dmp

Filesize
412KB

Download
memory/2924-66-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/2924-62-0x000007FEEF4E0000-0x000007FEEFE7D000-memory.dmp

Filesize
9.6MB

Download