zgrat | 95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

Analysis

max time kernel
299s
max time network
303s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
19/11/2023, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Size

1.7MB
MD5

85503a298f3d3680349b8f956f335ba6
SHA1

25557850af352dd22f7f4a8e2392bd30d700e624
SHA256

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93
SHA512

1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 28 IoCs

resource	yara_rule
behavioral1/memory/1504-0-0x0000000000EA0000-0x0000000001060000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000015ca0-26.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-84.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-85.dat	family_zgrat_v1
behavioral1/memory/768-86-0x00000000012F0000-0x00000000014B0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-107.dat	family_zgrat_v1
behavioral1/memory/2252-109-0x0000000000090000-0x0000000000250000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-128.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-151.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-171.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-185.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-207.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-227.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-248.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-268.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-291.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-311.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-333.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-354.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-376.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-395.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-416.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-432.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-454.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-475.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-496.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-518.dat	family_zgrat_v1
behavioral1/files/0x0027000000015c0c-539.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 34 IoCs

pid	Process
768	sppsvc.exe
2252	sppsvc.exe
2176	sppsvc.exe
1196	sppsvc.exe
2608	sppsvc.exe
2516	sppsvc.exe
2920	sppsvc.exe
2472	sppsvc.exe
1088	sppsvc.exe
1108	sppsvc.exe
1600	sppsvc.exe
1560	sppsvc.exe
1516	sppsvc.exe
2040	conhost.exe
2792	conhost.exe
304	sppsvc.exe
3008	sppsvc.exe
2100	sppsvc.exe
1344	sppsvc.exe
2376	sppsvc.exe
2248	sppsvc.exe
2140	sppsvc.exe
2900	sppsvc.exe
980	sppsvc.exe
1620	sppsvc.exe
832	sppsvc.exe
1572	sppsvc.exe
2464	sppsvc.exe
2260	sppsvc.exe
1516	sppsvc.exe
2688	sppsvc.exe
2860	sppsvc.exe
2836	sppsvc.exe
768	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\c5b4cb5e9653cc	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files (x86)\Uninstall Information\sppsvc.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files (x86)\Uninstall Information\0a1fd5f707cd16	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files\Windows NT\audiodg.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files\Windows NT\42af1c969fbb7b	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\services.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\services.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	sppsvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	sppsvc.exe

Runs ping.exe 1 TTPs 19 IoCs

Remote System Discovery

T1018

pid	Process
1620	PING.EXE
2440	PING.EXE
2556	PING.EXE
2624	PING.EXE
2376	PING.EXE
2960	PING.EXE
1532	PING.EXE
2508	PING.EXE
1512	PING.EXE
2928	PING.EXE
1568	PING.EXE
1572	PING.EXE
2968	PING.EXE
1324	PING.EXE
2120	PING.EXE
400	PING.EXE
1436	PING.EXE
2536	PING.EXE
2832	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 34 IoCs

pid	Process
768	sppsvc.exe
2252	sppsvc.exe
2176	sppsvc.exe
1196	sppsvc.exe
2608	sppsvc.exe
2516	sppsvc.exe
2920	sppsvc.exe
2472	sppsvc.exe
1088	sppsvc.exe
1108	sppsvc.exe
1600	sppsvc.exe
1560	sppsvc.exe
1516	sppsvc.exe
2040	conhost.exe
2792	conhost.exe
304	sppsvc.exe
3008	sppsvc.exe
2100	sppsvc.exe
1344	sppsvc.exe
2376	sppsvc.exe
2248	sppsvc.exe
2140	sppsvc.exe
2900	sppsvc.exe
980	sppsvc.exe
1620	sppsvc.exe
832	sppsvc.exe
1572	sppsvc.exe
2464	sppsvc.exe
2260	sppsvc.exe
1516	sppsvc.exe
2688	sppsvc.exe
2860	sppsvc.exe
2836	sppsvc.exe
768	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2740	powershell.exe
2664	powershell.exe
2720	powershell.exe
2724	powershell.exe
2716	powershell.exe
768	sppsvc.exe
768	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	768	sppsvc.exe
Token: SeDebugPrivilege	2252	sppsvc.exe
Token: SeDebugPrivilege	2176	sppsvc.exe
Token: SeDebugPrivilege	1196	sppsvc.exe
Token: SeDebugPrivilege	2608	sppsvc.exe
Token: SeDebugPrivilege	2516	sppsvc.exe
Token: SeDebugPrivilege	2920	sppsvc.exe
Token: SeDebugPrivilege	2472	sppsvc.exe
Token: SeDebugPrivilege	1088	sppsvc.exe
Token: SeDebugPrivilege	1108	sppsvc.exe
Token: SeDebugPrivilege	1600	sppsvc.exe
Token: SeDebugPrivilege	1560	sppsvc.exe
Token: SeDebugPrivilege	1516	sppsvc.exe
Token: SeDebugPrivilege	2040	conhost.exe
Token: SeDebugPrivilege	2792	conhost.exe
Token: SeDebugPrivilege	304	sppsvc.exe
Token: SeDebugPrivilege	3008	sppsvc.exe
Token: SeDebugPrivilege	2100	sppsvc.exe
Token: SeDebugPrivilege	1344	sppsvc.exe
Token: SeDebugPrivilege	2376	sppsvc.exe
Token: SeDebugPrivilege	2248	sppsvc.exe
Token: SeDebugPrivilege	2140	sppsvc.exe
Token: SeDebugPrivilege	2900	sppsvc.exe
Token: SeDebugPrivilege	980	sppsvc.exe
Token: SeDebugPrivilege	1620	sppsvc.exe
Token: SeDebugPrivilege	832	sppsvc.exe
Token: SeDebugPrivilege	1572	sppsvc.exe
Token: SeDebugPrivilege	2464	sppsvc.exe
Token: SeDebugPrivilege	2260	sppsvc.exe
Token: SeDebugPrivilege	1516	sppsvc.exe
Token: SeDebugPrivilege	2688	sppsvc.exe
Token: SeDebugPrivilege	2860	sppsvc.exe
Token: SeDebugPrivilege	2836	sppsvc.exe
Token: SeDebugPrivilege	768	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2664	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	28
PID 1504 wrote to memory of 2664	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	28
PID 1504 wrote to memory of 2664	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	28
PID 1504 wrote to memory of 2720	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	29
PID 1504 wrote to memory of 2720	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	29
PID 1504 wrote to memory of 2720	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	29
PID 1504 wrote to memory of 2724	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	30
PID 1504 wrote to memory of 2724	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	30
PID 1504 wrote to memory of 2724	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	30
PID 1504 wrote to memory of 2740	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	31
PID 1504 wrote to memory of 2740	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	31
PID 1504 wrote to memory of 2740	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	31
PID 1504 wrote to memory of 2716	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	35
PID 1504 wrote to memory of 2716	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	35
PID 1504 wrote to memory of 2716	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	35
PID 1504 wrote to memory of 2768	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	38
PID 1504 wrote to memory of 2768	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	38
PID 1504 wrote to memory of 2768	1504	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	38
PID 2768 wrote to memory of 2852	2768	cmd.exe	40
PID 2768 wrote to memory of 2852	2768	cmd.exe	40
PID 2768 wrote to memory of 2852	2768	cmd.exe	40
PID 2768 wrote to memory of 2928	2768	cmd.exe	41
PID 2768 wrote to memory of 2928	2768	cmd.exe	41
PID 2768 wrote to memory of 2928	2768	cmd.exe	41
PID 2768 wrote to memory of 768	2768	cmd.exe	42
PID 2768 wrote to memory of 768	2768	cmd.exe	42
PID 2768 wrote to memory of 768	2768	cmd.exe	42
PID 2768 wrote to memory of 768	2768	cmd.exe	42
PID 2768 wrote to memory of 768	2768	cmd.exe	42
PID 768 wrote to memory of 2916	768	sppsvc.exe	43
PID 768 wrote to memory of 2916	768	sppsvc.exe	43
PID 768 wrote to memory of 2916	768	sppsvc.exe	43
PID 2916 wrote to memory of 872	2916	cmd.exe	45
PID 2916 wrote to memory of 872	2916	cmd.exe	45
PID 2916 wrote to memory of 872	2916	cmd.exe	45
PID 2916 wrote to memory of 1436	2916	cmd.exe	46
PID 2916 wrote to memory of 1436	2916	cmd.exe	46
PID 2916 wrote to memory of 1436	2916	cmd.exe	46
PID 2916 wrote to memory of 2252	2916	cmd.exe	47
PID 2916 wrote to memory of 2252	2916	cmd.exe	47
PID 2916 wrote to memory of 2252	2916	cmd.exe	47
PID 2916 wrote to memory of 2252	2916	cmd.exe	47
PID 2916 wrote to memory of 2252	2916	cmd.exe	47
PID 2252 wrote to memory of 2416	2252	sppsvc.exe	48
PID 2252 wrote to memory of 2416	2252	sppsvc.exe	48
PID 2252 wrote to memory of 2416	2252	sppsvc.exe	48
PID 2416 wrote to memory of 832	2416	cmd.exe	50
PID 2416 wrote to memory of 832	2416	cmd.exe	50
PID 2416 wrote to memory of 832	2416	cmd.exe	50
PID 2416 wrote to memory of 2164	2416	cmd.exe	51
PID 2416 wrote to memory of 2164	2416	cmd.exe	51
PID 2416 wrote to memory of 2164	2416	cmd.exe	51
PID 2416 wrote to memory of 2176	2416	cmd.exe	52
PID 2416 wrote to memory of 2176	2416	cmd.exe	52
PID 2416 wrote to memory of 2176	2416	cmd.exe	52
PID 2416 wrote to memory of 2176	2416	cmd.exe	52
PID 2416 wrote to memory of 2176	2416	cmd.exe	52
PID 2176 wrote to memory of 1960	2176	sppsvc.exe	56
PID 2176 wrote to memory of 1960	2176	sppsvc.exe	56
PID 2176 wrote to memory of 1960	2176	sppsvc.exe	56
PID 1960 wrote to memory of 976	1960	cmd.exe	55
PID 1960 wrote to memory of 976	1960	cmd.exe	55
PID 1960 wrote to memory of 976	1960	cmd.exe	55
PID 1960 wrote to memory of 2376	1960	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
"C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\services.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\MSN Websites\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\audiodg.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KeDnbi7dVF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2852
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2928
- - C:\Program Files (x86)\Uninstall Information\sppsvc.exe
    "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WJwCUxpp42.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:872
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1436
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2968
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1372
    - - C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bc4V3lt5Qz.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2164
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ylROGge0Sy.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ozseo6rLH0.bat"
        10⤵
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2088
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0OceA6Xfhf.bat"
        12⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3048
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y3yp8Lh1nv.bat"
        14⤵
        
        PID:2744
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6hK16ZrMtB.bat"
        16⤵
        
        PID:2732
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C59y11uehL.bat"
        18⤵
        
        PID:3040
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rNnSCw4rJt.bat"
        20⤵
        
        PID:2100
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qw8FYVnXFs.bat"
        22⤵
        
        PID:400
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5TPLp0dsPT.bat"
        24⤵
        
        PID:568
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ucX7bnqC8X.bat"
        26⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2656
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtyVABn1Ct.bat"
        28⤵
        
        PID:2564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2592
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        29⤵
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gactKMGCUA.bat"
        30⤵
        
        PID:2568
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        31⤵
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FDRBKGR2CD.bat"
        32⤵
        
        PID:1668
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pSpsobUXTB.bat"
        34⤵
        
        PID:476
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P1AeAAEDQA.bat"
        36⤵
        
        PID:1436
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JTBpj7DN0q.bat"
        38⤵
        
        PID:284
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6LEBq1ChCC.bat"
        40⤵
        
        PID:1136
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhy3B39XMX.bat"
        42⤵
        
        PID:852
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oQf8QHV2QC.bat"
        44⤵
        
        PID:2240
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\09MCfWrWUs.bat"
        46⤵
        
        PID:2808
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wDZd8tkMKF.bat"
        48⤵
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:268
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FyBjogktzP.bat"
        50⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:984
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yhs0sn2L6w.bat"
        52⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        Runs ping.exe
        
        PID:1512
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        53⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gCyA6Uc1Ox.bat"
        54⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:1368
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        55⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\htd8auDHaW.bat"
        56⤵
        
        PID:1788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        Runs ping.exe
        
        PID:400
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        57⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hSpfyjZaRK.bat"
        58⤵
        
        PID:3068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:2380
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        59⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xeM6k5O3TR.bat"
        60⤵
        
        PID:2580
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        Runs ping.exe
        
        PID:2556
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        61⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JTBpj7DN0q.bat"
        62⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:2624
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        63⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sbi9TUILnc.bat"
        64⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:1520
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        65⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4pIGJu18c7.bat"
        66⤵
        
        PID:2668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        67⤵
        
        PID:652
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        67⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddtUB3Qwlt.bat"
        68⤵
        
        PID:1556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        69⤵
        
        PID:3052
        
        C:\Program Files (x86)\Uninstall Information\sppsvc.exe
        
        "C:\Program Files (x86)\Uninstall Information\sppsvc.exe"
        69⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JG58brWjr2.bat"
        70⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        71⤵
        Runs ping.exe
        
        PID:2120

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2376

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:976

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2624

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1092

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2536

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2860

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1568

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1912

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2960

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:900

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1772

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1572

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1704

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1740

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1996

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3020

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2812

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2536

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1620

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3056

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1324

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2832

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1320

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2440

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1588

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1756

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1399898511094367756-195702631419111518772725701672960974331614098836-156822937"
1⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2568

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "317171661-11865942341242228831-106945924-208963608814437298651090847034-330121081"
1⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files (x86)\Uninstall Information\sppsvc.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files\Windows NT\audiodg.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\09MCfWrWUs.bat

Filesize
231B

MD5
75ab0467f53caee8cb5edac4accb50eb

SHA1
fb925c6f5641cdff498867397bd2469e8770fd82

SHA256
d5dd49760d6195fe361e7709704cf742eed35fe623eb6a075154218a7261f64b

SHA512
479290069f93dba579d9f9b173303e8ddd22f6d09212e175f46004fd34816b9dc7615ac77740c5712410aa47246087f6f8d6034556b7cedd8994376fe0350bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0OceA6Xfhf.bat

Filesize
231B

MD5
cc08a7eb4fb1523d788faf486bcc8789

SHA1
7560d8791a01c174f6175701f6ce9bd2190adce1

SHA256
aac428e36812bf9737d47c5752c986525a561b0ba35f00a1b6bf6b9fcedcc562

SHA512
ad0f931452f4ba64bd19d50496213f873e217f7d3c758e09f3627b683c18a02c25f2c031838b6aec01cb9b89272ae984683e05a79055e18a5cfacebcea6c23c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5TPLp0dsPT.bat

Filesize
231B

MD5
cafe8959859fced3b3fe3121d0674ccb

SHA1
7f107c0d0d80a3eb2fd6779d607baa16eeb9ae4e

SHA256
0635f04afd1650cf5f4e90591518e150cbab6de50d1683b485a5280bcc59cc1d

SHA512
966e4d4c5232a33c767d80bcfdb1aa3d44fdd92b68a56a0c5d03a04451609c4ce674c9b1507258336cad89a152301860d4c93eb338fee1f7d8ca3399d15873fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6LEBq1ChCC.bat

Filesize
183B

MD5
4a4e1ac0f6facd7d2e3a88b182cbdbd1

SHA1
63b570b3f1c8269a3cc18948bf043235b7e90d88

SHA256
049984f4a23b886b10689277cc5971439cbf3b3c42160065113cf5f12e09883e

SHA512
3bfbe88aaf04714e6c2672f7424f54ac2d88eff7931eca33b583d36d417b2079bbf58835b096d4f9b2e8f226f6b4859c25ef37dc9662ebc0607b6ed4afe97c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6hK16ZrMtB.bat

Filesize
183B

MD5
220c1658318f32f23296c1c827f9401a

SHA1
508fb3055a322234816398314694aad1fc30b2f7

SHA256
4b103bf3f3bd6615797d8a99f1460e206afffd4918be258970137b71dc18b76d

SHA512
bb335b3bc7a98b85264e2448dfb0fd6a52621365ad475088ce4f3688f69e1b14adf3da6b8fa4642dbb8c2e13f1db929636f7ac9b8b70012a603780b4a6e24ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C59y11uehL.bat

Filesize
183B

MD5
8e97e328a18f96b29921d057c5acaab5

SHA1
57d27e268155338c31d2d622b0ad3d33423f8b4e

SHA256
ea94c1a1b2ff3369804e21ad4fb86e33f695817a186996a92b9d4d7138481ec0

SHA512
6c7a2366a8bea7cd364d28e22ec5b48b81ecc428dd9097825a9c5d7d2b08ff36f64c2aa38f53e67ce57013e9b9d5ed61cdfee7b5e03bf17496bcd6d452d0e218

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDRBKGR2CD.bat

Filesize
231B

MD5
5660b06a845d98679e41ae81861beb45

SHA1
36a73ef06c0036a20ac45ab32b4c0dc2db3103c7

SHA256
2b238aab6e618191b548fbdc16287e589ba6194efe3b95566d041421e7fc0524

SHA512
77c69b15da557e9dac5228821cee80265fbef7f4b5054bca09ce849ab5bca7fecf992d15d4a73178845a6f01c1c8b63418fb5c55dad643209ac5791aab6779c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JTBpj7DN0q.bat

Filesize
183B

MD5
eb6ffed6973868a846f50d2c9300ae57

SHA1
c5573950f33920de8df1ed2177d9d3ab006fe081

SHA256
e1aa0b2ca8132825360f800d28f9c3269438ab728d70b1818e4d2096dfb608f3

SHA512
2bdacb7afa015bd3348ac57cf07580f719aafbb73ab604c4af108107f596c8b880024256e1c39d5c4a0faf6ea37861aa7debec88b96f62f7b8a0fa69e3875e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeDnbi7dVF.bat

Filesize
183B

MD5
76aa6c900ce57c6464c338171e42b581

SHA1
805592662c285f410f4d17c236fe7a381c9af2a0

SHA256
9d423609ddb09b161a7893fd6c51a03f65c463f0ce55db989d8870648453549a

SHA512
1b1e1699c9ba1266916b68e955a9ddcbccf75db4db2712ecd511d4a7911df0aac3a76c28bbb7ff2045e31d485264628443b849e520fd36e278d7a1030b9d312d

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1AeAAEDQA.bat

Filesize
183B

MD5
2a49d47dac7a06510ceacab9028fad75

SHA1
82ebf53d50e6627883637d88fd6e1102c488ab61

SHA256
ec07aa95da2687959ec1f023ce638e1a1c422e4726370c9fbdd2604fc493d45a

SHA512
920039786f76f263d3467a8d72208a0bd0238acdf693bd79cf86e6165ea77e9a7588a95b66a5a4681b1568f78550796861c299023d0e967a03d78eaceac2a173

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtyVABn1Ct.bat

Filesize
183B

MD5
e7ff004ad336902d2f6a926239545bc4

SHA1
be64f3bfd43f6e56a902f38264b28d34a45eb525

SHA256
c98606c4f8778b60e20acad94c3f38a09fce5f63801956cf4b3db3b512fc706c

SHA512
29e5fe269f222b18a4ea949836020c41df45736f97758d9da314ba6bd8a7c4f6b64fb6b88301e31466959771b36ccaa0fe72bcb01989694d8ffae436af231af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qw8FYVnXFs.bat

Filesize
183B

MD5
f3223a137a7b686c42bbfc0d37cce200

SHA1
02cd560b8c405f4c16df68c0535658db2dd272a8

SHA256
fb7d49f50c7a7f297b47e7669a648c2b43839fe7a0fc66c475d069c840a51c2f

SHA512
afd89e836a7621264ee1b3d5b41a378085447960b30a863563fbd5f9e0384a3bc853bcf95d2f9ae0dfaf13a156f481ddbe158fc765bfae8348ec6629890e001c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJwCUxpp42.bat

Filesize
183B

MD5
3b7f0297958c0a3d99d7b5ef7ab285ee

SHA1
8a1ddf878ce2727c1db38fa43bda6272e067a2fb

SHA256
88fd646d59de0ce4e801752ef8d4c45a851a80f046a1d50a20ca37da93b8c1b7

SHA512
8f68f04d161f10dc17bf3ffa672ef3e752270d63e9711997db8519d9cb16337c32e6fdc3960d3bbe2d42009a4ba9a3ba19f4d20cc737bb592194008e18f6e04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y3yp8Lh1nv.bat

Filesize
231B

MD5
53d3a200dc79c4816b72f3fb3666504e

SHA1
e34d26fb7cfd73445034bc5f4c288cdf1176ab24

SHA256
d27b7b7519f08d8ec2ca27f36bfb5d75d0390c86201abef76cf9fc6ce42ea18c

SHA512
bd96631f279896f6dda28dc08e8b1642cca8b1fa77abd3b3251d8facc0454a4614f05bd22d91901692c172842e7fbdfe2ae34a7f730118eaf3598ac5286ab958

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc4V3lt5Qz.bat

Filesize
231B

MD5
b8c1af72adc01b5af5ffdcd5c2838524

SHA1
4ac9880394847f9cbe35f7b3a27ad06dd424934d

SHA256
19d88a0432c7d534f93d7827c9853b0d586e38eb56f73b7f1d00396be0837dba

SHA512
6b9bb750011c913a1929c24bbf319dfae954d87010ffe30e4e4f4693dadf194741e5381e7ac88b027aeee2bf206bab8e90c90c472bb248c7d7492159babbd90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhy3B39XMX.bat

Filesize
183B

MD5
771e92bd5da8be2059ced7d0b923f5fa

SHA1
ae2bb5a31962571ac0253457b7ec94c52c309c06

SHA256
2d717cc4fd227531a88927a6ffa049ec81ddebd51bfe9fe5fa50c87f77af78bf

SHA512
9558921df99f890e52835a4e2b539a3856c80363db24c86c939975073ab3668737911a68b401f01c22eb443ce367c28b11c588f89eaebca42c2888383fa6c4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gactKMGCUA.bat

Filesize
231B

MD5
1147bc6316f655bea1b9934c8771480b

SHA1
347ce625f5ea28eda32b4c45ef0a669287d19928

SHA256
45d007cedbc151a5bbb90fca28e2978e2be45a77678aa5918fa45a87de77f3d2

SHA512
dd9b288e0b3b5f85555f235580dd51663c72c4a57c526de42bc7de9e47b658066d896e9592ea08fe56c0cb21597977d1b7f88265b61084bdbcacf0a49bcae97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQf8QHV2QC.bat

Filesize
183B

MD5
8923564d34e3fe5f7e7a2818e6e2dd9b

SHA1
9250f3571334a2e2b0785d8b85db9983f39c9a42

SHA256
158472cb3e1a306b7611f52d88fb2bbbe08da63cbf388006c345519783d914c2

SHA512
12d8f36bbb1289eb5c6d1fddd479c711a7060d99b07628778b7509adfd63bb390aa0e3fec74da515236bedd0abf2d208a36cc2d92b502b817dc9351ad193fa52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ozseo6rLH0.bat

Filesize
231B

MD5
a4c4134b028b90d961b30f4fa5388620

SHA1
26ed873374739660a13c975024586e6966b15042

SHA256
0d6f4783419fcf982bd18cabd0f16946e0b095badf0e76ca55dbd3b5095dc6c4

SHA512
5e5b5b50c8752018a9cabc1e47df465c878dd98cd565558a24f441e1153f1aeeab6fe51dc8650812ca33c293278a012a4fb79658463639f8a4ab6295078d5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\pSpsobUXTB.bat

Filesize
183B

MD5
2edb3ad8061da0717a4b960b368b1fbf

SHA1
2fb1c09a68ffa2d6c326b80c8c29ce58b8491ea8

SHA256
463793e388ec2f7e34379a4c0b17b75f3a1fe2c4e7cfe833d1d16af713fbc62a

SHA512
0fdc28f330bf0ec45716619163d48e9ff6a10fc33be9b7cf27a8c3003eeedfd377c31abd98ec6fbff82bec9521ac1f18f5539e27fd863c3c756f77a6e724aa45

Download Submit
C:\Users\Admin\AppData\Local\Temp\rNnSCw4rJt.bat

Filesize
183B

MD5
18205431bea63edc491ec8770bb267e1

SHA1
b64c7660d2aa147cef46c8e85e287c80a40fa2b7

SHA256
cb84fb9a664b18febcaabc941923018ecbe91d426e03a53738d2964a8b93263d

SHA512
ad37205c9900a4588e6425fb4a6e7aad7672049fca7f4f46651d3f7b243e950f547612f661cd936a2a8b6b3373365cbbd4042bd52623c1ba5563999045e3c1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucX7bnqC8X.bat

Filesize
231B

MD5
c7a97d90ed9519a52efc6fe6bc88aa8f

SHA1
eb817866246923137442d28dbd7ba14d54c1225b

SHA256
49e0c782da6d637ad0d14da5625c7b1e7bd518a1631a86c046f1da56afef945b

SHA512
5f23a6195126d24f27f323888708ed499c3387849b4aec670e0eeb2ba4630d94b1171d7afaeed8e3df3379e8ecaa20f6bc5d11d9a8317f3187295f18049b6703

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylROGge0Sy.bat

Filesize
183B

MD5
c71ba5a2781dcc54503407d4f258881f

SHA1
bd04cbc8c6a8f8e54971abf4fbf290302c097602

SHA256
7c52bd48b68dd23e82902c467c592bdb9f79022f946d89c1a79473c29bca4a20

SHA512
aa8122b471c34d44a7a9d1b2b0c577a1bb3b98b7c66319a9256befa2554c08e1b4ca29eda417d691aa9e8a98829e9ee75ab670db27296752a2df975346f49551

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a68964596cfee2cabb35304b0b80695

SHA1
63ba69f331901c951284e89b0ee20c835e3d0212

SHA256
275e3bfbba896bc1773bdf64282ba5ab284160e721246f86fed4f77c296723f7

SHA512
a2e8b66c09b3229d906836df7f1491d8ea1c94a2f1c3a7e1de50bdd43516afc0403f33324f55cc3b72d891f5caef9fd0cd4ea19dae22b8edc71f10b8ff45d74f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a68964596cfee2cabb35304b0b80695

SHA1
63ba69f331901c951284e89b0ee20c835e3d0212

SHA256
275e3bfbba896bc1773bdf64282ba5ab284160e721246f86fed4f77c296723f7

SHA512
a2e8b66c09b3229d906836df7f1491d8ea1c94a2f1c3a7e1de50bdd43516afc0403f33324f55cc3b72d891f5caef9fd0cd4ea19dae22b8edc71f10b8ff45d74f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a68964596cfee2cabb35304b0b80695

SHA1
63ba69f331901c951284e89b0ee20c835e3d0212

SHA256
275e3bfbba896bc1773bdf64282ba5ab284160e721246f86fed4f77c296723f7

SHA512
a2e8b66c09b3229d906836df7f1491d8ea1c94a2f1c3a7e1de50bdd43516afc0403f33324f55cc3b72d891f5caef9fd0cd4ea19dae22b8edc71f10b8ff45d74f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a68964596cfee2cabb35304b0b80695

SHA1
63ba69f331901c951284e89b0ee20c835e3d0212

SHA256
275e3bfbba896bc1773bdf64282ba5ab284160e721246f86fed4f77c296723f7

SHA512
a2e8b66c09b3229d906836df7f1491d8ea1c94a2f1c3a7e1de50bdd43516afc0403f33324f55cc3b72d891f5caef9fd0cd4ea19dae22b8edc71f10b8ff45d74f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6S46MRXY1MOT4IOTVVCH.temp

Filesize
7KB

MD5
2a68964596cfee2cabb35304b0b80695

SHA1
63ba69f331901c951284e89b0ee20c835e3d0212

SHA256
275e3bfbba896bc1773bdf64282ba5ab284160e721246f86fed4f77c296723f7

SHA512
a2e8b66c09b3229d906836df7f1491d8ea1c94a2f1c3a7e1de50bdd43516afc0403f33324f55cc3b72d891f5caef9fd0cd4ea19dae22b8edc71f10b8ff45d74f

Download Submit
memory/768-93-0x0000000076C30000-0x0000000076C31000-memory.dmp

Filesize
4KB

Download
memory/768-89-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/768-86-0x00000000012F0000-0x00000000014B0000-memory.dmp

Filesize
1.8MB

Download
memory/768-87-0x000007FEF4830000-0x000007FEF521C000-memory.dmp

Filesize
9.9MB

Download
memory/768-88-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/768-106-0x000007FEF4830000-0x000007FEF521C000-memory.dmp

Filesize
9.9MB

Download
memory/768-90-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/768-91-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/768-95-0x0000000076C20000-0x0000000076C21000-memory.dmp

Filesize
4KB

Download
memory/768-96-0x0000000076C10000-0x0000000076C11000-memory.dmp

Filesize
4KB

Download
memory/768-99-0x000007FEF4830000-0x000007FEF521C000-memory.dmp

Filesize
9.9MB

Download
memory/768-100-0x0000000076C00000-0x0000000076C01000-memory.dmp

Filesize
4KB

Download
memory/1504-11-0x0000000076C20000-0x0000000076C21000-memory.dmp

Filesize
4KB

Download
memory/1504-5-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/1504-16-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/1504-14-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1504-4-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/1504-12-0x0000000076C10000-0x0000000076C11000-memory.dmp

Filesize
4KB

Download
memory/1504-17-0x0000000076C00000-0x0000000076C01000-memory.dmp

Filesize
4KB

Download
memory/1504-8-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/1504-36-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/1504-6-0x0000000076C30000-0x0000000076C31000-memory.dmp

Filesize
4KB

Download
memory/1504-10-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1504-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1504-2-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/1504-1-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/1504-0-0x0000000000EA0000-0x0000000001060000-memory.dmp

Filesize
1.8MB

Download
memory/2252-109-0x0000000000090000-0x0000000000250000-memory.dmp

Filesize
1.8MB

Download
memory/2252-127-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-108-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

Filesize
9.9MB

Download
memory/2252-110-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2252-111-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2252-112-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2252-114-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2252-115-0x0000000076C30000-0x0000000076C31000-memory.dmp

Filesize
4KB

Download
memory/2252-118-0x0000000076C20000-0x0000000076C21000-memory.dmp

Filesize
4KB

Download
memory/2252-120-0x0000000076C10000-0x0000000076C11000-memory.dmp

Filesize
4KB

Download
memory/2252-121-0x0000000076C00000-0x0000000076C01000-memory.dmp

Filesize
4KB

Download
memory/2664-60-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2664-62-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2664-64-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2664-65-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-83-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-73-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2716-81-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2716-80-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/2716-79-0x00000000024FB000-0x0000000002562000-memory.dmp

Filesize
412KB

Download
memory/2716-75-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-72-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-67-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-78-0x000000000296B000-0x00000000029D2000-memory.dmp

Filesize
412KB

Download
memory/2720-82-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-70-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2720-69-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-68-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2724-77-0x0000000002394000-0x0000000002397000-memory.dmp

Filesize
12KB

Download
memory/2724-71-0x000000000239B000-0x0000000002402000-memory.dmp

Filesize
412KB

Download
memory/2724-76-0x0000000002390000-0x0000000002410000-memory.dmp

Filesize
512KB

Download
memory/2724-74-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2740-66-0x000000000295B000-0x00000000029C2000-memory.dmp

Filesize
412KB

Download
memory/2740-63-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

Filesize
9.6MB

Download
memory/2740-61-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/2740-52-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2740-53-0x0000000002210000-0x0000000002218000-memory.dmp

Filesize
32KB

Download