zgrat | bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

Analysis

max time kernel
293s
max time network
297s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
22-11-2023 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
Size

1.7MB
MD5

4843f62f3e35dcc7432a3c05b7b4b7a4
SHA1

91ce8f9ef83e4cda548a5f9c636eebab21772866
SHA256

bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd
SHA512

5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 28 IoCs

resource	yara_rule
behavioral1/memory/2244-0-0x0000000000AF0000-0x0000000000CB0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0009000000016cbc-26.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-77.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-78.dat	family_zgrat_v1
behavioral1/memory/1612-79-0x0000000001230000-0x00000000013F0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000016c67-101.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-122.dat	family_zgrat_v1
behavioral1/memory/2380-123-0x00000000002C0000-0x0000000000480000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000016c67-143.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-164.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-185.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-207.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-228.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-249.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-271.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-291.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-311.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-326.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-340.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-362.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-383.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-403.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-424.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-444.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-463.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-484.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-505.dat	family_zgrat_v1
behavioral1/files/0x0007000000016c67-524.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 31 IoCs

pid	Process
1612	spoolsv.exe
1864	spoolsv.exe
2380	spoolsv.exe
1664	spoolsv.exe
2768	spoolsv.exe
2664	spoolsv.exe
2592	spoolsv.exe
1956	spoolsv.exe
1748	spoolsv.exe
2120	spoolsv.exe
1656	spoolsv.exe
2352	spoolsv.exe
2312	spoolsv.exe
2860	spoolsv.exe
2660	spoolsv.exe
1500	spoolsv.exe
932	spoolsv.exe
1124	spoolsv.exe
2120	spoolsv.exe
2380	spoolsv.exe
2292	spoolsv.exe
1952	spoolsv.exe
1672	spoolsv.exe
2216	spoolsv.exe
1400	spoolsv.exe
564	spoolsv.exe
3004	spoolsv.exe
1712	spoolsv.exe
2352	spoolsv.exe
2112	spoolsv.exe
2492	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\f3b6ecef712a24	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
File created	C:\Program Files\Uninstall Information\bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
File opened for modification	C:\Program Files\Uninstall Information\bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
File created	C:\Program Files\Uninstall Information\80119839eea132	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\wininit.exe	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\56085415360792	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\Idle.exe	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
File created	C:\Windows\TAPI\6ccacd8608530f	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	spoolsv.exe

Runs ping.exe 1 TTPs 21 IoCs

Remote System Discovery

T1018

pid	Process
1672	PING.EXE
2464	PING.EXE
1748	PING.EXE
2588	PING.EXE
2792	PING.EXE
2648	PING.EXE
2236	PING.EXE
2596	PING.EXE
2348	PING.EXE
2696	PING.EXE
1268	PING.EXE
1812	PING.EXE
1592	PING.EXE
2820	PING.EXE
2976	PING.EXE
1668	PING.EXE
1672	PING.EXE
1956	PING.EXE
280	PING.EXE
744	PING.EXE
3044	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
2908	powershell.exe
2840	powershell.exe
2820	powershell.exe
2612	powershell.exe
2620	powershell.exe
1612	spoolsv.exe
1612	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1612	spoolsv.exe
Token: SeDebugPrivilege	1864	spoolsv.exe
Token: SeDebugPrivilege	2380	spoolsv.exe
Token: SeDebugPrivilege	1664	spoolsv.exe
Token: SeDebugPrivilege	2768	spoolsv.exe
Token: SeDebugPrivilege	2664	spoolsv.exe
Token: SeDebugPrivilege	2592	spoolsv.exe
Token: SeDebugPrivilege	1956	spoolsv.exe
Token: SeDebugPrivilege	1748	spoolsv.exe
Token: SeDebugPrivilege	2120	spoolsv.exe
Token: SeDebugPrivilege	1656	spoolsv.exe
Token: SeDebugPrivilege	2352	spoolsv.exe
Token: SeDebugPrivilege	2312	spoolsv.exe
Token: SeDebugPrivilege	2860	spoolsv.exe
Token: SeDebugPrivilege	2660	spoolsv.exe
Token: SeDebugPrivilege	1500	spoolsv.exe
Token: SeDebugPrivilege	932	spoolsv.exe
Token: SeDebugPrivilege	1124	spoolsv.exe
Token: SeDebugPrivilege	2120	spoolsv.exe
Token: SeDebugPrivilege	2380	spoolsv.exe
Token: SeDebugPrivilege	2292	spoolsv.exe
Token: SeDebugPrivilege	1952	spoolsv.exe
Token: SeDebugPrivilege	1672	spoolsv.exe
Token: SeDebugPrivilege	2216	spoolsv.exe
Token: SeDebugPrivilege	1400	spoolsv.exe
Token: SeDebugPrivilege	564	spoolsv.exe
Token: SeDebugPrivilege	3004	spoolsv.exe
Token: SeDebugPrivilege	1712	spoolsv.exe
Token: SeDebugPrivilege	2352	spoolsv.exe
Token: SeDebugPrivilege	2112	spoolsv.exe
Token: SeDebugPrivilege	2492	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2612	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	37
PID 2244 wrote to memory of 2612	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	37
PID 2244 wrote to memory of 2612	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	37
PID 2244 wrote to memory of 2908	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	36
PID 2244 wrote to memory of 2908	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	36
PID 2244 wrote to memory of 2908	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	36
PID 2244 wrote to memory of 2840	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	35
PID 2244 wrote to memory of 2840	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	35
PID 2244 wrote to memory of 2840	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	35
PID 2244 wrote to memory of 2820	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	34
PID 2244 wrote to memory of 2820	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	34
PID 2244 wrote to memory of 2820	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	34
PID 2244 wrote to memory of 2620	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	32
PID 2244 wrote to memory of 2620	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	32
PID 2244 wrote to memory of 2620	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	32
PID 2244 wrote to memory of 2536	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	38
PID 2244 wrote to memory of 2536	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	38
PID 2244 wrote to memory of 2536	2244	bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe	38
PID 2536 wrote to memory of 2128	2536	cmd.exe	40
PID 2536 wrote to memory of 2128	2536	cmd.exe	40
PID 2536 wrote to memory of 2128	2536	cmd.exe	40
PID 2536 wrote to memory of 2236	2536	cmd.exe	41
PID 2536 wrote to memory of 2236	2536	cmd.exe	41
PID 2536 wrote to memory of 2236	2536	cmd.exe	41
PID 2536 wrote to memory of 1612	2536	cmd.exe	42
PID 2536 wrote to memory of 1612	2536	cmd.exe	42
PID 2536 wrote to memory of 1612	2536	cmd.exe	42
PID 1612 wrote to memory of 1772	1612	spoolsv.exe	43
PID 1612 wrote to memory of 1772	1612	spoolsv.exe	43
PID 1612 wrote to memory of 1772	1612	spoolsv.exe	43
PID 1772 wrote to memory of 1052	1772	cmd.exe	45
PID 1772 wrote to memory of 1052	1772	cmd.exe	45
PID 1772 wrote to memory of 1052	1772	cmd.exe	45
PID 1772 wrote to memory of 1932	1772	cmd.exe	46
PID 1772 wrote to memory of 1932	1772	cmd.exe	46
PID 1772 wrote to memory of 1932	1772	cmd.exe	46
PID 1772 wrote to memory of 1864	1772	cmd.exe	47
PID 1772 wrote to memory of 1864	1772	cmd.exe	47
PID 1772 wrote to memory of 1864	1772	cmd.exe	47
PID 1864 wrote to memory of 112	1864	spoolsv.exe	48
PID 1864 wrote to memory of 112	1864	spoolsv.exe	48
PID 1864 wrote to memory of 112	1864	spoolsv.exe	48
PID 112 wrote to memory of 2120	112	cmd.exe	50
PID 112 wrote to memory of 2120	112	cmd.exe	50
PID 112 wrote to memory of 2120	112	cmd.exe	50
PID 112 wrote to memory of 1812	112	cmd.exe	51
PID 112 wrote to memory of 1812	112	cmd.exe	51
PID 112 wrote to memory of 1812	112	cmd.exe	51
PID 112 wrote to memory of 2380	112	cmd.exe	52
PID 112 wrote to memory of 2380	112	cmd.exe	52
PID 112 wrote to memory of 2380	112	cmd.exe	52
PID 2380 wrote to memory of 1964	2380	spoolsv.exe	53
PID 2380 wrote to memory of 1964	2380	spoolsv.exe	53
PID 2380 wrote to memory of 1964	2380	spoolsv.exe	53
PID 1964 wrote to memory of 2080	1964	cmd.exe	55
PID 1964 wrote to memory of 2080	1964	cmd.exe	55
PID 1964 wrote to memory of 2080	1964	cmd.exe	55
PID 1964 wrote to memory of 3020	1964	cmd.exe	56
PID 1964 wrote to memory of 3020	1964	cmd.exe	56
PID 1964 wrote to memory of 3020	1964	cmd.exe	56
PID 1964 wrote to memory of 1664	1964	cmd.exe	59
PID 1964 wrote to memory of 1664	1964	cmd.exe	59
PID 1964 wrote to memory of 1664	1964	cmd.exe	59
PID 1664 wrote to memory of 2676	1664	spoolsv.exe	60

C:\Users\Admin\AppData\Local\Temp\bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe
"C:\Users\Admin\AppData\Local\Temp\bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\Idle.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssTJE63VGf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2128
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2236
- - C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
    "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nLkZH0FaUe.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1052
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1932
    - - C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UVpzpaF2iW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1812
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IXHPi7vycT.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3020
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PXGbYzrvfK.bat"
        10⤵
        
        PID:2676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2596
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rj2XQE6t64.bat"
        12⤵
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1524
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LPJAVlmCtX.bat"
        14⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1672
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ylROGge0Sy.bat"
        16⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:2464
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2JaEZR6zXN.bat"
        18⤵
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1644
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9YD2Vui68H.bat"
        20⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2348
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x0Tv0d3iAQ.bat"
        22⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:1668
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1XclINWiFq.bat"
        24⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1756
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q4uSu8U9Ji.bat"
        26⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2812
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mZn61weJC7.bat"
        28⤵
        
        PID:3032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2844
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jTee716RlF.bat"
        30⤵
        
        PID:2664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1588
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dUsM3mSuDi.bat"
        32⤵
        
        PID:2992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2872
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9YD2Vui68H.bat"
        34⤵
        
        PID:2692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        Runs ping.exe
        
        PID:1956
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kUlUtrswA.bat"
        36⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:1748
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpAoVHioU5.bat"
        38⤵
        
        PID:2400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        Runs ping.exe
        
        PID:280
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KnLpNzAx9B.bat"
        40⤵
        
        PID:1320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:1592
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9sA7N8NGmH.bat"
        42⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        Runs ping.exe
        
        PID:2588
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VS1u4WCCr.bat"
        44⤵
        
        PID:2028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:2852
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E4R3BzSze2.bat"
        46⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:2856
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GwFtC02oQl.bat"
        48⤵
        
        PID:2612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        Runs ping.exe
        
        PID:2820
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat"
        50⤵
        
        PID:2232
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:2976
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NrvcGFykNe.bat"
        52⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        Runs ping.exe
        
        PID:744
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x0Tv0d3iAQ.bat"
        54⤵
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        Runs ping.exe
        
        PID:3044
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eI0Zh92hYF.bat"
        56⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:928
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wrSnsL5gcF.bat"
        58⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:2828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        Runs ping.exe
        
        PID:2792
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat"
        60⤵
        
        PID:2988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:2996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        61⤵
        Runs ping.exe
        
        PID:2648
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DWALPrpmLs.bat"
        62⤵
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:2696
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqrXfpsIjp.bat"
        64⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        Runs ping.exe
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VS1u4WCCr.bat

Filesize
234B

MD5
6a8c8932cddc0f7ca3e983c43df7eb78

SHA1
6618b45cc23779a15e985fcad11952ef436b93fa

SHA256
eefa9ca8c67ba769bb5e36cfd6fe273d73d4ea2bf9fd33f62242329a10f36bb8

SHA512
08289674c1b2dd49878b912c29dab87fa8d3f3206d011ed280fb346b287fcfe302897d2d06fcf1d2496c9ba7b5e51dcb1be0c4a54e4b967b43c5162b1b062f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\1XclINWiFq.bat

Filesize
234B

MD5
a212dc41806bae3f4037806440522156

SHA1
c64d9c6f11df5b4d6f3e3884f78ce8f11db8a1af

SHA256
276b75435950e80c34d45e237f172c8097d38ee7a3da9afdeb15edc423efe57d

SHA512
cd34e5ba39e8f598c867be5651647952d7aefdb36b331937a2c2fccbfc5c6ef09ec37fda76affde0298b25ab95ec10c2e44fecbc593bb7a73f3e4d0534dd012d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2JaEZR6zXN.bat

Filesize
234B

MD5
939670143b94fafb976f666624500438

SHA1
8e5463e128234a28babfe94b114153cd618c8d0f

SHA256
9dc6d4a45f14440301368ee0dfd5d04fd139f63afb70c900294c0efa9f337b3c

SHA512
d967638bd4a1c8e46a22788c74d65ebf7f2768707da6c55e7d7c77ac3e8dbd47ac1a844605284c7424be69492588f7b629d0a0a595d39d05d9ba2cc8ebc80d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kUlUtrswA.bat

Filesize
186B

MD5
bd678e00f85a1788793651681bd412c5

SHA1
f1df90f6109130d7833bfd4e0048044e9f4314fd

SHA256
0dd5b2c0ed549cb783f8d00239a683d431ecafba3a6d17c87ca2acc934ded033

SHA512
f1921db6caf2660463157aa57e2a7dbd8db8766bc283a8a05800bc158c4041b6e7f5778703393981c74f3ccabdc78d5fd741925aa766462a9fc934f49a3c2efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9YD2Vui68H.bat

Filesize
186B

MD5
6c7c1f1fe275c237fb95d755d7ddfd60

SHA1
e6a81e75929309a79996912fa8329ca32cf72aa2

SHA256
b4d8bc3238e0cd507ea031fb055458b53fa43f1cfd475da701bd746f307c7ab4

SHA512
76d9cc0c1c285e4bd2b411c566932fd9e9d66803137bc4020dff1c69ead29ffee8007f0eb501e8b7293bf735c6f37df9ef4f29cb92bbf1791d6d71b9b00d764b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9YD2Vui68H.bat

Filesize
186B

MD5
6c7c1f1fe275c237fb95d755d7ddfd60

SHA1
e6a81e75929309a79996912fa8329ca32cf72aa2

SHA256
b4d8bc3238e0cd507ea031fb055458b53fa43f1cfd475da701bd746f307c7ab4

SHA512
76d9cc0c1c285e4bd2b411c566932fd9e9d66803137bc4020dff1c69ead29ffee8007f0eb501e8b7293bf735c6f37df9ef4f29cb92bbf1791d6d71b9b00d764b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9sA7N8NGmH.bat

Filesize
186B

MD5
c8544ff8554fd2c2ee98d73aba3a9534

SHA1
f074403102c95ff62ea1e78bdac282bdd017e4f6

SHA256
4a1037d2dd6fa08f1683177b528890ab53611228efae8155a33befdec028793f

SHA512
a4401528b85fd9ba215b04aa57133f7398d071c1c3c8a36993f06d6d18f0f64131696d920b604be6ba2b4294f679767845d7df37f33dc57abc340c5d6e824c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4R3BzSze2.bat

Filesize
234B

MD5
ea6651135ba441e1b56d160ee881f94b

SHA1
91639919bf0b1bce8355bf33010065a13872bc68

SHA256
f4153425438840a791f774ade9146d65b105e31649efbd07efc12135a0f772f6

SHA512
a604d35b3a6bb9e1ad4b2ee88472511fd590bdd5889215e5c788d5fbc4315b38314ab595f428e8102cfb285dd5d935bc4e7af7191fb372f3a4f2c7a7805fad5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXHPi7vycT.bat

Filesize
234B

MD5
a61596e98387c3a5fb53e03499655bae

SHA1
717139b113a3d03b10c4b189106ced8c2e9af138

SHA256
235574e041cdac5b523bd42e8effc24832f83dab165aee51639c5452909b8a9d

SHA512
98a3cc735bdc973eb61830126080cb07448b117228888e0c1ba5a3f193c16a75adb0e8a9a2069d5d3dfa6e7c926d183640ee72783401c8f41ccc8dedb18b13ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnLpNzAx9B.bat

Filesize
186B

MD5
795eb97d2be062ff47c8df3ad6f9b647

SHA1
f02c4c27f516ad31efeef5245fb46e7739f6dd61

SHA256
1c7cefeb8a772a680ee539db2d67722f1208b5fef225e23e0e5fdaec15f3f6a0

SHA512
12eb3816662dc6a7277ecc3080dd1651f0a8a2bd34724dc6e5e6d2b97dd4e779a702163c87b1d428f82d287fe38a84c00c938b7c2ecc4369f5ca51ff0601f21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LPJAVlmCtX.bat

Filesize
186B

MD5
bedd9551b6b8d661030fe1b1531129dc

SHA1
d8f7c1827cfb181d0c886abf5f3989e5494a62f5

SHA256
fc6e9fd73161af046f6684928b057a6612b205ab8137c2525c833b2d122defba

SHA512
47611ecfd4494308787359a9478fe61be96436af131fcf91f749e4bb635a61649b32c1583f56a6c83ce12c7eb4e9db064c99beeab38bff15aae1da6a82b99361

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpAoVHioU5.bat

Filesize
186B

MD5
e22ec387d33f0db13f94431573d568d2

SHA1
18046dcfd3fc6c4ce8d64a1224e56940e6cb7c11

SHA256
fca4648a09cd64883f4dd3ff1f62ae1a9c212bdd3006b351d720aa5af1f7efbd

SHA512
bb751e0d904256e865de4979adfcfd5ba2441ee3ed0433969e865e9ee1ae817938ec99418672bd6dc6194cd01ecd0c12d5c19a588891c95eb1a0c53884721db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PXGbYzrvfK.bat

Filesize
186B

MD5
f5819ac05b02c9a5adc0f34ac60421a9

SHA1
1632710469f53d48f075861b9924b9195f47c11a

SHA256
b3d57da868ec9af517807fd50288c229c0713092c3dde5349ae0903ecde4493d

SHA512
7da9ece1909e618554b32e78fddde7f5ab3d1bc357184d8f3c6ac4bca1a06be1058da8c5083f443629a88d90d35232f6b80d23ed620c1fce9375ce613833e404

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q4uSu8U9Ji.bat

Filesize
234B

MD5
b2765c3ae589ce3f3b5d509ed4974afb

SHA1
52a5b25abcc595a99073675b5eff6a77fbd3ed03

SHA256
e7c56a66fac13c6f6fe7816e89a2deebf5e3bceba3698a647c21cb5f5a524990

SHA512
8580ad0a4fd24471f0d99db1a88f4314723d6c4a1913d3f8d9b535c4dab2d40e2acba8de36ade98453deea37b4e0641c3036bcd10fe01d9916d671e9e5d8e07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rj2XQE6t64.bat

Filesize
234B

MD5
bbb27f3b39e9ec6da90788404d030c83

SHA1
90a928f49fd90a3918393d205f7723bfcdd02cdd

SHA256
21d13dde78504ce4033debbafe69220e02fcf7150d0cae9040d4b0eb3eababf5

SHA512
4cc9b9ccd0849fa3143d81c988e5d8e63a785fe79ad6d060288bf21c1c469b50b837bb372b4ded68cf8849e3aa8511ac8eca5545e3353eda70c8a253ccdba851

Download Submit
C:\Users\Admin\AppData\Local\Temp\UVpzpaF2iW.bat

Filesize
186B

MD5
807e88eb003cf654a3496cbb6f81d353

SHA1
3988df4c75d0ac13a98ef24351564ae9297603b6

SHA256
b34b5c9cb60512381611221ac71c10a71e34e7199d983cc5d4f31316ee10f65c

SHA512
7a2e6f6dd854705f57d0135d2764d3738c30307732977c3ed8e1880de60dbc9964c7741fb13aaaf4b5e02e4098296babb3839f594dec9c838c3c6ab19fb16e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUsM3mSuDi.bat

Filesize
234B

MD5
77f186c67c7edf39c2a25923f7b1d427

SHA1
1f29d8de15364b089586cd08c205842a076ba66a

SHA256
705bd6f511ef875f16e503bc611ea260bcc90aea1c29ca59dd5bd80b3277a550

SHA512
fcd3ea55f0f75d898c09e04517fce16c169d8a3427093f6f79191ef809515510f393ea3b132a49076eeda5af18e25658df45cf3532e0ab44da388129b5d0bc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jTee716RlF.bat

Filesize
186B

MD5
69d9087ef27f79b3e29b3d6d859ced7a

SHA1
88f34f10ddbca56e3225db50dd4ca350b5bdab07

SHA256
06762c9126cc2beb8fd0822b981739e13616147b9d64e52fdd93bde03ec755e0

SHA512
cb1103db586af325e1bfa4044ba58eb2ae77018d3a8fe149015754ee7b5e9938304a2c3e928632c59d9e6fdabd5720b16002c82feb6d8a4bc071dc6a6503cec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZn61weJC7.bat

Filesize
234B

MD5
3f98422b955f74939e96f05aa16518e1

SHA1
ea0e1a19a08e9efe68ad7f632482e3a0b4d584a7

SHA256
0498e4bcf38aa059bfbd49564847084d7436119dc143f57bfef564aa3b10e1da

SHA512
5edb0d084bc9a108568084178cbfdfb3069013bcd888d1a71473589975e824a49e6b9255ff59f2e212fbe1f8dada6497011526691f7dfa28a1675f6f1c8737ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nLkZH0FaUe.bat

Filesize
234B

MD5
4a144b174abedf01a5f470ec37c6ee40

SHA1
bd9af782bf1669df7345da8c4817e94ce628cac6

SHA256
0b87cb2b88291f8f1d65a58c4445722b019900b61f02c40835f9ae922a987c3d

SHA512
99cc2058f544ce18754515073f677871fec1b2092ab49b7b21b93ea6ddced18736fd2869d79ce120cdd18f976b9999658673d550769e9b783b06bee7124f79bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssTJE63VGf.bat

Filesize
186B

MD5
80fb5bbd89e9bb9092bc4b739cc87e42

SHA1
cf7a15df8980d8a1d01a33e1f718c3fb113fd8ec

SHA256
4053f8bbed6de1b136eb6a03e158a83a5abf074251f52bb9ccde0eda51aba6dd

SHA512
90cbaac652f63c8a426d1a79d1556a576332dacb136d0ce3d2b15e581d815e23d72018cb2d25acc957af435b93d511e15c30c5a3bc2ecea96c8c7bad5d8dfa12

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0Tv0d3iAQ.bat

Filesize
186B

MD5
ecc6527b0ec21ea1bb71c437e61fb685

SHA1
50b1d55fbbc8fb6b0200cbd0f8c8054da2abca1c

SHA256
c0fb2df187b777fe7ebb4e23185425fdcd0d325d66a3384b2e40500fe06e46f4

SHA512
ca85e7aa2c8528796895ed88a81db697f00edbaa7ca1cf281646cacece50fd24c5c05dc7b8cc55d46d198ed58478ae2a697eaa981e0b6286b22e957bc33fdbd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylROGge0Sy.bat

Filesize
186B

MD5
f73c720914de4855d562641b549bbc90

SHA1
21084b0e5d61189cce427aea40b2b567353d8d70

SHA256
6784c59c2cc4eb45e8a552569095016812f01bbaba8db07ed8cedd157d95d13f

SHA512
cffaec6df1649580c0316db77975cbe1f7a95eb3c8e842670b70a8b36b13656dab5202e44d6ef136894d8886d0dd2c971dc1b91c8846248f108b27a00d66a583

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d87fddf3096982f6a885bdf984d86fe

SHA1
f252a9abc4945958f82e36b377dee3303c4e3a2c

SHA256
8bb1166684402fcfb4aa32afc0bdbf30e9c08a99ee8367e128eda81262a5c340

SHA512
15fcfe8b9f57c3f3a65d4fa3da74c03bc5c68a6cb3f3176d11f407760e77821addf6c338a289bb8a4f6da2004e3d6c84edd3fd9d59733824f40dedf30ae259a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d87fddf3096982f6a885bdf984d86fe

SHA1
f252a9abc4945958f82e36b377dee3303c4e3a2c

SHA256
8bb1166684402fcfb4aa32afc0bdbf30e9c08a99ee8367e128eda81262a5c340

SHA512
15fcfe8b9f57c3f3a65d4fa3da74c03bc5c68a6cb3f3176d11f407760e77821addf6c338a289bb8a4f6da2004e3d6c84edd3fd9d59733824f40dedf30ae259a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d87fddf3096982f6a885bdf984d86fe

SHA1
f252a9abc4945958f82e36b377dee3303c4e3a2c

SHA256
8bb1166684402fcfb4aa32afc0bdbf30e9c08a99ee8367e128eda81262a5c340

SHA512
15fcfe8b9f57c3f3a65d4fa3da74c03bc5c68a6cb3f3176d11f407760e77821addf6c338a289bb8a4f6da2004e3d6c84edd3fd9d59733824f40dedf30ae259a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IIGBHBEUCGLGITZYDO6R.temp

Filesize
7KB

MD5
1d87fddf3096982f6a885bdf984d86fe

SHA1
f252a9abc4945958f82e36b377dee3303c4e3a2c

SHA256
8bb1166684402fcfb4aa32afc0bdbf30e9c08a99ee8367e128eda81262a5c340

SHA512
15fcfe8b9f57c3f3a65d4fa3da74c03bc5c68a6cb3f3176d11f407760e77821addf6c338a289bb8a4f6da2004e3d6c84edd3fd9d59733824f40dedf30ae259a4

Download Submit
C:\Windows\TAPI\Idle.exe

Filesize
1.7MB

MD5
4843f62f3e35dcc7432a3c05b7b4b7a4

SHA1
91ce8f9ef83e4cda548a5f9c636eebab21772866

SHA256
bdce4c9fa0f6bf4886615a0ce0b2473dc33cc2058d257fe9aa3eadcd425d0bbd

SHA512
5eaafaa328730b6212108edd3287bee81cef5b67360b10272e08dc7b1b7814b47fc0ff57a2ce3d9a3bbc088dc2bb8bfe841d380baefe69c2572a9073ec650e02

Download Submit
memory/1612-100-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-83-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1612-81-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1612-85-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/1612-82-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1612-80-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/1612-79-0x0000000001230000-0x00000000013F0000-memory.dmp

Filesize
1.8MB

Download
memory/1612-88-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/1612-84-0x0000000000CF0000-0x0000000000D70000-memory.dmp

Filesize
512KB

Download
memory/1612-94-0x0000000077730000-0x0000000077731000-memory.dmp

Filesize
4KB

Download
memory/1612-93-0x0000000077740000-0x0000000077741000-memory.dmp

Filesize
4KB

Download
memory/1864-104-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1864-113-0x0000000077740000-0x0000000077741000-memory.dmp

Filesize
4KB

Download
memory/1864-102-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-103-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1864-106-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1864-107-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/1864-109-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/1864-111-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/1864-121-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-115-0x0000000077730000-0x0000000077731000-memory.dmp

Filesize
4KB

Download
memory/2244-16-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2244-3-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2244-4-0x000000001AA60000-0x000000001AAE0000-memory.dmp

Filesize
512KB

Download
memory/2244-7-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/2244-8-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/2244-0-0x0000000000AF0000-0x0000000000CB0000-memory.dmp

Filesize
1.8MB

Download
memory/2244-5-0x000000001AA60000-0x000000001AAE0000-memory.dmp

Filesize
512KB

Download
memory/2244-41-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-1-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-14-0x0000000077740000-0x0000000077741000-memory.dmp

Filesize
4KB

Download
memory/2244-2-0x000000001AA60000-0x000000001AAE0000-memory.dmp

Filesize
512KB

Download
memory/2244-11-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/2244-13-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2244-17-0x0000000077730000-0x0000000077731000-memory.dmp

Filesize
4KB

Download
memory/2244-10-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2380-126-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2380-124-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-123-0x00000000002C0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download
memory/2380-125-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/2380-127-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/2380-128-0x000000001B220000-0x000000001B2A0000-memory.dmp

Filesize
512KB

Download
memory/2380-130-0x0000000077760000-0x0000000077761000-memory.dmp

Filesize
4KB

Download
memory/2612-68-0x000007FEEEC90000-0x000007FEEF62D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-64-0x000000000246B000-0x00000000024D2000-memory.dmp

Filesize
412KB

Download
memory/2612-61-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/2612-60-0x000007FEEEC90000-0x000007FEEF62D000-memory.dmp

Filesize
9.6MB

Download
memory/2612-91-0x000007FEEEC90000-0x000007FEEF62D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-69-0x000000000245B000-0x00000000024C2000-memory.dmp

Filesize
412KB

Download
memory/2620-66-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/2620-58-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2620-62-0x000007FEEEC90000-0x000007FEEF62D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-70-0x000000000248B000-0x00000000024F2000-memory.dmp

Filesize
412KB

Download
memory/2820-65-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/2820-63-0x000007FEEEC90000-0x000007FEEF62D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-76-0x00000000028DB000-0x0000000002942000-memory.dmp

Filesize
412KB

Download
memory/2840-74-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2840-71-0x000007FEEEC90000-0x000007FEEF62D000-memory.dmp

Filesize
9.6MB

Download
memory/2840-75-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2840-92-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2908-59-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2908-73-0x000000000254B000-0x00000000025B2000-memory.dmp

Filesize
412KB

Download
memory/2908-72-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2908-67-0x000007FEEEC90000-0x000007FEEF62D000-memory.dmp

Filesize
9.6MB

Download