zgrat | 95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

Analysis

max time kernel
300s
max time network
306s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
22-11-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Size

1.7MB
MD5

85503a298f3d3680349b8f956f335ba6
SHA1

25557850af352dd22f7f4a8e2392bd30d700e624
SHA256

95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93
SHA512

1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 27 IoCs

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000900000-0x0000000000AC0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00060000000165d3-26.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-79.dat	family_zgrat_v1
behavioral1/memory/1684-81-0x0000000000B90000-0x0000000000D50000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00090000000161a5-80.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-101.dat	family_zgrat_v1
behavioral1/memory/2240-102-0x0000000000BD0000-0x0000000000D90000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00090000000161a5-123.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-143.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-163.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-184.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-205.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-225.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-242.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-263.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-284.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-305.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-327.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-348.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-369.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-390.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-411.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-430.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-452.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-473.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-494.dat	family_zgrat_v1
behavioral1/files/0x00090000000161a5-515.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 32 IoCs

pid	Process
1684	wininit.exe
2240	wininit.exe
964	wininit.exe
2388	wininit.exe
2956	wininit.exe
2044	wininit.exe
2676	wininit.exe
1824	wininit.exe
1424	wininit.exe
2832	wininit.exe
1964	wininit.exe
2224	wininit.exe
2508	wininit.exe
2796	wininit.exe
2584	wininit.exe
1448	wininit.exe
1500	wininit.exe
1632	wininit.exe
2832	wininit.exe
2740	wininit.exe
2716	wininit.exe
332	wininit.exe
3004	wininit.exe
1056	wininit.exe
2032	wininit.exe
972	wininit.exe
272	wininit.exe
2832	wininit.exe
2156	wininit.exe
2980	wininit.exe
1616	wininit.exe
3064	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\ja-JP\lsass.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
File created	C:\Program Files\Windows Defender\ja-JP\6203df4a6bafc7	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\taskhost.exe	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wininit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wininit.exe

Runs ping.exe 1 TTPs 16 IoCs

Remote System Discovery

T1018

pid	Process
2804	PING.EXE
2836	PING.EXE
820	PING.EXE
1808	PING.EXE
2764	PING.EXE
1756	PING.EXE
1136	PING.EXE
1656	PING.EXE
1868	PING.EXE
340	PING.EXE
1816	PING.EXE
2360	PING.EXE
1828	PING.EXE
1676	PING.EXE
2468	PING.EXE
2204	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1684	wininit.exe
Token: SeDebugPrivilege	2240	wininit.exe
Token: SeDebugPrivilege	964	wininit.exe
Token: SeDebugPrivilege	2388	wininit.exe
Token: SeDebugPrivilege	2956	wininit.exe
Token: SeDebugPrivilege	2044	wininit.exe
Token: SeDebugPrivilege	2676	wininit.exe
Token: SeDebugPrivilege	1824	wininit.exe
Token: SeDebugPrivilege	1424	wininit.exe
Token: SeDebugPrivilege	2832	wininit.exe
Token: SeDebugPrivilege	1964	wininit.exe
Token: SeDebugPrivilege	2224	wininit.exe
Token: SeDebugPrivilege	2508	wininit.exe
Token: SeDebugPrivilege	2796	wininit.exe
Token: SeDebugPrivilege	2584	wininit.exe
Token: SeDebugPrivilege	1448	wininit.exe
Token: SeDebugPrivilege	1500	wininit.exe
Token: SeDebugPrivilege	1632	wininit.exe
Token: SeDebugPrivilege	2832	wininit.exe
Token: SeDebugPrivilege	2740	wininit.exe
Token: SeDebugPrivilege	2716	wininit.exe
Token: SeDebugPrivilege	332	wininit.exe
Token: SeDebugPrivilege	3004	wininit.exe
Token: SeDebugPrivilege	1056	wininit.exe
Token: SeDebugPrivilege	2032	wininit.exe
Token: SeDebugPrivilege	972	wininit.exe
Token: SeDebugPrivilege	272	wininit.exe
Token: SeDebugPrivilege	2832	wininit.exe
Token: SeDebugPrivilege	2156	wininit.exe
Token: SeDebugPrivilege	2980	wininit.exe
Token: SeDebugPrivilege	1616	wininit.exe
Token: SeDebugPrivilege	3064	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2668	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	37
PID 2040 wrote to memory of 2668	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	37
PID 2040 wrote to memory of 2668	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	37
PID 2040 wrote to memory of 2692	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	35
PID 2040 wrote to memory of 2692	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	35
PID 2040 wrote to memory of 2692	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	35
PID 2040 wrote to memory of 2720	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	34
PID 2040 wrote to memory of 2720	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	34
PID 2040 wrote to memory of 2720	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	34
PID 2040 wrote to memory of 2828	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	31
PID 2040 wrote to memory of 2828	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	31
PID 2040 wrote to memory of 2828	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	31
PID 2040 wrote to memory of 2608	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	30
PID 2040 wrote to memory of 2608	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	30
PID 2040 wrote to memory of 2608	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	30
PID 2040 wrote to memory of 2332	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	38
PID 2040 wrote to memory of 2332	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	38
PID 2040 wrote to memory of 2332	2040	95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe	38
PID 2332 wrote to memory of 340	2332	cmd.exe	40
PID 2332 wrote to memory of 340	2332	cmd.exe	40
PID 2332 wrote to memory of 340	2332	cmd.exe	40
PID 2332 wrote to memory of 1180	2332	cmd.exe	41
PID 2332 wrote to memory of 1180	2332	cmd.exe	41
PID 2332 wrote to memory of 1180	2332	cmd.exe	41
PID 2332 wrote to memory of 1684	2332	cmd.exe	42
PID 2332 wrote to memory of 1684	2332	cmd.exe	42
PID 2332 wrote to memory of 1684	2332	cmd.exe	42
PID 1684 wrote to memory of 880	1684	wininit.exe	44
PID 1684 wrote to memory of 880	1684	wininit.exe	44
PID 1684 wrote to memory of 880	1684	wininit.exe	44
PID 880 wrote to memory of 1556	880	cmd.exe	46
PID 880 wrote to memory of 1556	880	cmd.exe	46
PID 880 wrote to memory of 1556	880	cmd.exe	46
PID 880 wrote to memory of 1776	880	cmd.exe	45
PID 880 wrote to memory of 1776	880	cmd.exe	45
PID 880 wrote to memory of 1776	880	cmd.exe	45
PID 880 wrote to memory of 2240	880	cmd.exe	47
PID 880 wrote to memory of 2240	880	cmd.exe	47
PID 880 wrote to memory of 2240	880	cmd.exe	47
PID 2240 wrote to memory of 1992	2240	wininit.exe	50
PID 2240 wrote to memory of 1992	2240	wininit.exe	50
PID 2240 wrote to memory of 1992	2240	wininit.exe	50
PID 1992 wrote to memory of 2184	1992	cmd.exe	52
PID 1992 wrote to memory of 2184	1992	cmd.exe	52
PID 1992 wrote to memory of 2184	1992	cmd.exe	52
PID 1992 wrote to memory of 1868	1992	cmd.exe	53
PID 1992 wrote to memory of 1868	1992	cmd.exe	53
PID 1992 wrote to memory of 1868	1992	cmd.exe	53
PID 1992 wrote to memory of 964	1992	cmd.exe	54
PID 1992 wrote to memory of 964	1992	cmd.exe	54
PID 1992 wrote to memory of 964	1992	cmd.exe	54
PID 964 wrote to memory of 368	964	wininit.exe	55
PID 964 wrote to memory of 368	964	wininit.exe	55
PID 964 wrote to memory of 368	964	wininit.exe	55
PID 368 wrote to memory of 2072	368	cmd.exe	57
PID 368 wrote to memory of 2072	368	cmd.exe	57
PID 368 wrote to memory of 2072	368	cmd.exe	57
PID 368 wrote to memory of 2204	368	cmd.exe	58
PID 368 wrote to memory of 2204	368	cmd.exe	58
PID 368 wrote to memory of 2204	368	cmd.exe	58
PID 368 wrote to memory of 2388	368	cmd.exe	59
PID 368 wrote to memory of 2388	368	cmd.exe	59
PID 368 wrote to memory of 2388	368	cmd.exe	59
PID 2388 wrote to memory of 2000	2388	wininit.exe	60

C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe
"C:\Users\Admin\AppData\Local\Temp\95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\lsass.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f596bfe2-7211-11ee-b58c-fd22f4f772f4\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUXajTIURH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:340
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1180
- - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Po3x2tXZGL.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1776
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1556
    - - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1868
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FH8oguQ3dQ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2204
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wBPskakqGG.bat"
        10⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2416
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bw0avzYF4z.bat"
        12⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:340
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wUPJtRJpO.bat"
        14⤵
        
        PID:1908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1456
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qe7zIwqSAW.bat"
        16⤵
        
        PID:1136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:1816
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJpXqSaXt9.bat"
        18⤵
        
        PID:1860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1756
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpXlQnQd1k.bat"
        20⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:820
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3WH03M43Wl.bat"
        22⤵
        
        PID:528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2836
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cE1qBYVKAL.bat"
        24⤵
        
        PID:2392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2148
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PAAmIRCFxL.bat"
        26⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2716
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axwQXfGLdd.bat"
        28⤵
        
        PID:2892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2372
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pvm5o68kgM.bat"
        30⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2632
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26UXRAQMNZ.bat"
        32⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2812
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FTIgCVObEa.bat"
        34⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:1472
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZCyxGcg3L6.bat"
        36⤵
        
        PID:1460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:2252
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JlC5zfAS6C.bat"
        38⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        Runs ping.exe
        
        PID:2360
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7X1gMNi76.bat"
        40⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:1828
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AABNdhKLsd.bat"
        42⤵
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        Runs ping.exe
        
        PID:2804
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeLhFiBvb0.bat"
        44⤵
        
        PID:1968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        Runs ping.exe
        
        PID:1676
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRMrapfWgv.bat"
        46⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:2468
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jqlTNZm6TE.bat"
        48⤵
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        Runs ping.exe
        
        PID:1136
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJ33xL03Hm.bat"
        50⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:1656
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X4ufk0Q6MZ.bat"
        52⤵
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        Runs ping.exe
        
        PID:1808
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1eT93LUFj2.bat"
        54⤵
        
        PID:436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2840
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\74RqM7W2bB.bat"
        56⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:1740
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\29a6RA8xzC.bat"
        58⤵
        
        PID:1844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        59⤵
        
        PID:2148
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6i2Y3psmC.bat"
        60⤵
        
        PID:568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        Runs ping.exe
        
        PID:2764
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J59ArupckC.bat"
        62⤵
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        63⤵
        
        PID:2520
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDnwPuEug1.bat"
        64⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:2676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:2644
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Program Files\Windows Defender\ja-JP\lsass.exe

Filesize
1.7MB

MD5
85503a298f3d3680349b8f956f335ba6

SHA1
25557850af352dd22f7f4a8e2392bd30d700e624

SHA256
95d9af6bbcf51231f765b04ed8b8e765388e28e8e3aac0c06c3d1c75bc210d93

SHA512
1f5d743a0726ffa740c54a7ac539df3fcc4a6641bda9dda798683eb017bbc4262b87101716b333ccb79e151ee7c8baf05fac8267a61c284aebd68abce48d9bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\26UXRAQMNZ.bat

Filesize
250B

MD5
48d5485a108729c38d1f6be7312b1996

SHA1
c9cec007e90b218eab689dc614aaafef4227e4e4

SHA256
7857c6f8d4f04e408e9bc0c1047f9d8d5a806f3e8a9eba3b6453e5b7eedd3524

SHA512
e8b355703dbd869b4a5848eb4de6e98d0689bb4504c58ee2b7b803354dfb71ffb6dbe9188939019d2e6234b10579668ec6100453df8ff69f92d1b17403d2febb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wUPJtRJpO.bat

Filesize
250B

MD5
069c2d180523508116513ab2bb080a00

SHA1
763caa3c564170889841a0514f816d0a1169a381

SHA256
1ba336990a4c38dcdbe6029af9e00da45b705b841d5a38f00de5711dcc765129

SHA512
d17c5a9b621a6e7ba5d1c8356019c5d031184e03bfd24677a09cb458a11e0994279eb7c369d25eab432cc92a887408c2d8b48e39b8f2fbd9df13c430ef1c1aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3WH03M43Wl.bat

Filesize
202B

MD5
92a7bb218960f1584a1900cf9918b1e4

SHA1
e58bb15807cd22cf0ceb8d6dcec244e84da90db4

SHA256
46c84d740467a190dbd4ca8053e0ba674308a2ae4fcbaa378f5c9f59802e79ba

SHA512
15f602435a93e8926c749e6a736d262565d4acd6db38b79e46e7664ed02eb84888d1e3dc5961e32b1c11c4bc4753cb3b555bd540cfce1c91bb84401ab869de9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AABNdhKLsd.bat

Filesize
202B

MD5
3fa280a12970d5da0b90988979c76811

SHA1
d922b2765ab9741406c0f1efbc81f914365556d6

SHA256
4257bb6c0a31c22022eb7b113a966b670da66d261a64f6d0857cc1edd727ed5f

SHA512
3e39db36a39887bcbc928cddd7ddc8776321eb46413723f0954840e1c0edf969d7a4294ff20ec281ae355c887d164d14cca355c52b63d8e95b6b010dc2757b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\FH8oguQ3dQ.bat

Filesize
202B

MD5
76458d3010f01c58e8180f4df03a47be

SHA1
389e95f17d99f94f797071c871ca04777d48b2b3

SHA256
f0cfd3100c070deba17726d50658e747466f0d0708f87b0d7bd1dced91a035cb

SHA512
05ef77fb9035efd4d680fe278c2e03c08f1a1290c51c0597da1b87822765da882baf25812ad0d4dfc4525992213818410776b92e5390531a2ece5eb1e1d13592

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTIgCVObEa.bat

Filesize
250B

MD5
01a8abea7dd643c0dda3410bb574d9dc

SHA1
bb175860769976412e0457607ff330981593fbb1

SHA256
0d26d21fa10c4df825e238caee9b2b2f033d98f7f3cbc1c1392eb8877639f7bc

SHA512
2f86a4b1275fb423224e4e4232d3a1c0e8a9f8d902893f8f66062b2e225d955301d13ade5544b769e76ca544ea13d7b02a1a38b04ab945d4d63ee02a5399cfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRMrapfWgv.bat

Filesize
202B

MD5
870b046293926248c078c497b06a8750

SHA1
f7d6b54871b7c3deda175839bec4cc425f7296ec

SHA256
ced79498b45a0511a985a1e8d49be5290bcebca103df6528d09bbb96aa5b1745

SHA512
f05a1c507381b225d53c4ae471263e24f3e028de765d52d5ce0aa3e97f45e97cba7f2f9764e91d44af9471be737f576ef8bad3b260606ae2adc0339e39695ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeLhFiBvb0.bat

Filesize
202B

MD5
23315c86b63dbaa3bd13fe79e9c11abd

SHA1
d77ad6f7e19396713d8ea4f114bb332fd1020126

SHA256
3846b0a3a24e88c25c0f62cafb2fa84f59320b30aaf05ccca7a8ccdeb93d9b57

SHA512
33071d018a374ea5b724a65e7dfcc5302c6995d82a8ccf555c8936a8efb682f13ebf0606ea42b63635debea400cff72b0f7cbb9c39be730380e9d301ad6348bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JlC5zfAS6C.bat

Filesize
202B

MD5
ec9e9d32a858117c8e517b6d9003d6b7

SHA1
2d0df1e3f96459d29eabcaacc01c1c6aab79d418

SHA256
1e9f4253b09e2e6793f170a31c1f0c978099d8284eef4874942e0029a226b153

SHA512
8d71caa336886875ead158ffd1a2181e06bad36f636888735e1551ab89f3b059954c0ff4845fe0122a5b832468320df4c1984c85be17e8e649af3d46600179a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAAmIRCFxL.bat

Filesize
250B

MD5
80db6498ab26fefa1c2dc1ac0dc6f000

SHA1
851616edc9cb4415c206288107863c3844ce14b0

SHA256
303616313d0efdf1cfa91d4fbfd1fa6966e0bb7c319794da4fc652bdaa3d9bbf

SHA512
a39cb30f05b32f2cfef0cdccfcb55d4d282b2d3a6d542c5fa39d5896b09056d65fc409247f267df77d2c7bdf97218fe9d212ab00eb33e64c5c276a31c404f8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Po3x2tXZGL.bat

Filesize
250B

MD5
981714bbdd818d410409919330860694

SHA1
99a7bad934123583a5e22a9839d1e44c9df1a3bd

SHA256
648e89b78a383164556ae1ef44c1c8990589170d9e89f2f00567bf26d3704a4c

SHA512
009704f01305b39631a09174ff4c3a29e9d9ae3d6e010a054c93696e179c65a6930171f8242a94a3f398d768b234553b1a1077f8583b4840a8f0949f6c4aa0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qe7zIwqSAW.bat

Filesize
202B

MD5
8073d204567f1b24b45953c7d9e463bd

SHA1
02aa32b83663b334d0f761b44ef0407965d91194

SHA256
6697359ec3f62f9d5e5b5d01c846b94f3e5292c632180313499ee3fd07487d97

SHA512
0783072d29d02c53a84648aba4c2b1d6ee2ec194e85715c3c14b7f8b6897edcb2bc30993b5357335d9224c257fffe37fe4de07f0634796b8e2b1f8f1c3999efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCyxGcg3L6.bat

Filesize
250B

MD5
adb33bd706f85461b45da298d7ccd6bf

SHA1
6ac56f47010647786a4a6531cdd8382e10951c24

SHA256
ea22004e2e19cc240624208b31519e70bdc6639db843698013f96feff6cfe26a

SHA512
f8be6c4d7bc566b5c5164fc70cf24b05f6320eb95e0e2d0a9f4f5caf6a2d0ddf74a130f0f8f2ac44d616554de462896d0a68258977aeddb04f0ea8c26ade0cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\axwQXfGLdd.bat

Filesize
250B

MD5
4d9ccdcb26991f1601f8799fb46830c7

SHA1
66424513bf1d73f3ee7026b5733c69cd80bfa77c

SHA256
3786f223d051eca8a4be477c3e29999b210beecbcc7be5aeb81b5d3cddad6f8c

SHA512
159a3bade469294a3a3e347f393e81e46920c12dde768be78815dca37344e0808854f9669c8514c259162fe4cac64478c155005e74bac27b2bf46c18912fb2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bw0avzYF4z.bat

Filesize
202B

MD5
2d7a1c9d4fcad7e10670cb2151d0fa8b

SHA1
87800f5dfbcd6031857756d36c2f099863db6dc3

SHA256
c30266fcceabbfa6491891f392ded88c6f3117bcb335fae79f89a51007781474

SHA512
222ecffe0b5256dbae72788b61bbf04af0c33c1a9410f3dae9b921d316061db058fcc774c6a9e75af9b9d3f91a4c4119345bf319a43c6157a6769f202d99c855

Download Submit
C:\Users\Admin\AppData\Local\Temp\cE1qBYVKAL.bat

Filesize
250B

MD5
f5281dd85d2519156707f4557b6c4173

SHA1
e612e9c00c183ebbce732866094674bddbc47d94

SHA256
c509208689fe417e1f99774393307847c202179195f476e7f229fb4168d00f30

SHA512
18801d489d52518f9ce0398cb3c4ca77887966cabfe93b8e3267840816bdfa15be5c95668fed4e1c1c56c36d7afcfe0b71e527b5be1b2d94fb0ec0af113737f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fMhC4n1i0S.bat

Filesize
202B

MD5
5d7a2ecd296954e59f1b136572ed5658

SHA1
556971135e3ffadd1f0e16a9ce558eb8c96259bf

SHA256
3210a4bac770c28627f91c207c4b766039d63b3d91ce1abae78064fb1dbc73fa

SHA512
016463143e5d1267fc254b5440f69454016055e6ece24c7cddbfd8c99c33ff1462c84b000e1dc3402f42707fe42276fed8d4a9cca72ab2ea70dee29fc03baded

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJpXqSaXt9.bat

Filesize
202B

MD5
448138bc3712e03a40010f52333ec04d

SHA1
f0f9055e4e1a6f523de5812546789cdee5ce74fc

SHA256
c95b8d4030d33cc3c9347586c5c701fc8d47b7d31cb51946f93808a307cd5ce5

SHA512
bc96eb482a0a70bb36d8dbf22514f09b9ffd0e833b30809f629fde147a4e1a2d228cfea9471c42043efd38e9eb1c5538a81dc981093265d5c94d020a0669a7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvm5o68kgM.bat

Filesize
250B

MD5
1da3b0a0f2e47a293a43d65d528b0760

SHA1
df7f8d6a1f8d637728f9993bd96b4a5aab1f6aa1

SHA256
ce8378fe2fd0070e7cc3653ac16024948e204fd5c1e04cc52c095b927eb4d799

SHA512
271cb3350ad7c210f55b676896b57049f3fb64ab9fe181309e2741d8691a1045976c8081b55c7ff6e9816f9d95f7b058623094dd8d369a725dfda619ef9122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpXlQnQd1k.bat

Filesize
202B

MD5
0f695e301261ce7beb9a96b112001234

SHA1
4e41e9be015d59e4104388449754a196aba1c166

SHA256
95e355310d2472151bbb868b060437232ce917496999e86eb844c911175aa0c9

SHA512
16bcfdd2346af5d98ec01863899f0e142f0b8a8e6be59d2f7399a1d1c59fa2b7e32ea935026b36fc2c89287455e9813785103c729653164725f3ab93298f3c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7X1gMNi76.bat

Filesize
202B

MD5
bce3c108b1eda7fc04ff104c84534555

SHA1
d2b6891ffb27f730d8bfae44800c51ca0d506934

SHA256
050ecbba1cc5d9c09cff6795f3d4b2da0d75e287447eaea1a3c856cd49becb00

SHA512
17487bd626ce7361642c638df40d3a250796cf12a9f721880693a298816fbcacfac05f7e68aa529925cbea515d09621a99107dd7db27e4b9fbe9c19d333c565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUXajTIURH.bat

Filesize
250B

MD5
bc84126620712c69645e5232f9033ce4

SHA1
38a9c47d9613cf71128ee17bfd0aa9813d439e75

SHA256
160783d452c88e206c9506863b1cc342079e9228372e98480f98b05db5acc2ab

SHA512
8a052535764d1ba4941e6dc844963ca01d6b8bfc3068e53f05819384c448a55ddf17b503b4fbb7e078700cb0171f9fca6e4d92b462166bca1b7a49a952855477

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f808d409472fba3af578459d004744fe

SHA1
050a4bc59383338be00fffb8624fb397a42a2090

SHA256
db51a4327a4b70eb98dbab9adad56059f6047b7aac9a38a29ed89c33f8627db4

SHA512
9e0439d31a3c4129fb45be822e8d54983bff38d71cd5a0b47afd57ff40eda082c9c7146c2d8700d9acc6cf2b11a928b028975b20db8ac5a1bc841f34f575800c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f808d409472fba3af578459d004744fe

SHA1
050a4bc59383338be00fffb8624fb397a42a2090

SHA256
db51a4327a4b70eb98dbab9adad56059f6047b7aac9a38a29ed89c33f8627db4

SHA512
9e0439d31a3c4129fb45be822e8d54983bff38d71cd5a0b47afd57ff40eda082c9c7146c2d8700d9acc6cf2b11a928b028975b20db8ac5a1bc841f34f575800c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f808d409472fba3af578459d004744fe

SHA1
050a4bc59383338be00fffb8624fb397a42a2090

SHA256
db51a4327a4b70eb98dbab9adad56059f6047b7aac9a38a29ed89c33f8627db4

SHA512
9e0439d31a3c4129fb45be822e8d54983bff38d71cd5a0b47afd57ff40eda082c9c7146c2d8700d9acc6cf2b11a928b028975b20db8ac5a1bc841f34f575800c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LN01EN5JDIEER2J8TGQP.temp

Filesize
7KB

MD5
f808d409472fba3af578459d004744fe

SHA1
050a4bc59383338be00fffb8624fb397a42a2090

SHA256
db51a4327a4b70eb98dbab9adad56059f6047b7aac9a38a29ed89c33f8627db4

SHA512
9e0439d31a3c4129fb45be822e8d54983bff38d71cd5a0b47afd57ff40eda082c9c7146c2d8700d9acc6cf2b11a928b028975b20db8ac5a1bc841f34f575800c

Download Submit
memory/964-124-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

Filesize
9.9MB

Download
memory/964-125-0x000000001B4C0000-0x000000001B540000-memory.dmp

Filesize
512KB

Download
memory/964-126-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1684-85-0x000000001B550000-0x000000001B5D0000-memory.dmp

Filesize
512KB

Download
memory/1684-86-0x000000001B550000-0x000000001B5D0000-memory.dmp

Filesize
512KB

Download
memory/1684-100-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

Filesize
9.9MB

Download
memory/1684-94-0x00000000773E0000-0x00000000773E1000-memory.dmp

Filesize
4KB

Download
memory/1684-81-0x0000000000B90000-0x0000000000D50000-memory.dmp

Filesize
1.8MB

Download
memory/1684-91-0x00000000773F0000-0x00000000773F1000-memory.dmp

Filesize
4KB

Download
memory/1684-82-0x000007FEF4DC0000-0x000007FEF57AC000-memory.dmp

Filesize
9.9MB

Download
memory/1684-84-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1684-90-0x0000000077400000-0x0000000077401000-memory.dmp

Filesize
4KB

Download
memory/1684-83-0x000000001B550000-0x000000001B5D0000-memory.dmp

Filesize
512KB

Download
memory/1684-88-0x0000000077410000-0x0000000077411000-memory.dmp

Filesize
4KB

Download
memory/2040-11-0x0000000077400000-0x0000000077401000-memory.dmp

Filesize
4KB

Download
memory/2040-8-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2040-0-0x0000000000900000-0x0000000000AC0000-memory.dmp

Filesize
1.8MB

Download
memory/2040-10-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2040-14-0x00000000773F0000-0x00000000773F1000-memory.dmp

Filesize
4KB

Download
memory/2040-17-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2040-15-0x00000000773E0000-0x00000000773E1000-memory.dmp

Filesize
4KB

Download
memory/2040-13-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2040-6-0x0000000077410000-0x0000000077411000-memory.dmp

Filesize
4KB

Download
memory/2040-5-0x000000001AE20000-0x000000001AEA0000-memory.dmp

Filesize
512KB

Download
memory/2040-56-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-4-0x000000001AE20000-0x000000001AEA0000-memory.dmp

Filesize
512KB

Download
memory/2040-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2040-2-0x000000001AE20000-0x000000001AEA0000-memory.dmp

Filesize
512KB

Download
memory/2040-1-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-102-0x0000000000BD0000-0x0000000000D90000-memory.dmp

Filesize
1.8MB

Download
memory/2240-122-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-116-0x00000000773E0000-0x00000000773E1000-memory.dmp

Filesize
4KB

Download
memory/2240-114-0x00000000773F0000-0x00000000773F1000-memory.dmp

Filesize
4KB

Download
memory/2240-111-0x0000000077400000-0x0000000077401000-memory.dmp

Filesize
4KB

Download
memory/2240-109-0x0000000077410000-0x0000000077411000-memory.dmp

Filesize
4KB

Download
memory/2240-108-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2240-107-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2240-105-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2240-104-0x000000001B4A0000-0x000000001B520000-memory.dmp

Filesize
512KB

Download
memory/2240-103-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-66-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/2608-57-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2608-59-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/2608-63-0x00000000022F0000-0x0000000002370000-memory.dmp

Filesize
512KB

Download
memory/2608-64-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2668-65-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/2668-55-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2668-60-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2668-62-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-78-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/2692-77-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2692-75-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2692-72-0x000000000256B000-0x00000000025D2000-memory.dmp

Filesize
412KB

Download
memory/2720-70-0x0000000002B34000-0x0000000002B37000-memory.dmp

Filesize
12KB

Download
memory/2720-58-0x0000000002B30000-0x0000000002BB0000-memory.dmp

Filesize
512KB

Download
memory/2720-67-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2828-76-0x0000000002424000-0x0000000002427000-memory.dmp

Filesize
12KB

Download
memory/2828-61-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2828-73-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2828-74-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2828-71-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2828-68-0x000007FEEEC30000-0x000007FEEF5CD000-memory.dmp

Filesize
9.6MB

Download
memory/2828-69-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2828-54-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download