zgrat | 893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a

Analysis

max time kernel
300s
max time network
303s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 22:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
Size

1.7MB
MD5

6721a03e5521c0dd8adc3cf0970debc6
SHA1

eeaa1b175abd7927114ac98a32ba64f4e6e85ee3
SHA256

893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a
SHA512

f1b3f286e7cdb6a3e1c6cf179feeb5bc4c58424d6b7b292367bec80fbb7050518a4bec70d09a2e1aa7d375c47b4aed1579b554abdb4827fc8bfbc962afe0a901
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/3028-0-0x0000000000D10000-0x0000000000ED0000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000016cdb-26.dat	family_zgrat_v1
behavioral1/memory/2868-81-0x00000000011C0000-0x0000000001380000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 28 IoCs

pid	Process
2868	dllhost.exe
2324	dllhost.exe
2224	dllhost.exe
3020	dllhost.exe
2804	dllhost.exe
2052	dllhost.exe
3040	dllhost.exe
2864	dllhost.exe
2976	dllhost.exe
1768	dllhost.exe
2724	dllhost.exe
1604	dllhost.exe
476	dllhost.exe
1320	dllhost.exe
2672	dllhost.exe
1824	dllhost.exe
2948	dllhost.exe
556	dllhost.exe
1340	dllhost.exe
2696	dllhost.exe
800	dllhost.exe
1644	dllhost.exe
2172	dllhost.exe
1992	dllhost.exe
1940	dllhost.exe
2836	dllhost.exe
1604	dllhost.exe
2160	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\smss.exe	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
File created	C:\Program Files (x86)\Google\69ddcba757bf72	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\smss.exe	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\69ddcba757bf72	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\b75386f1303e64	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	dllhost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	dllhost.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2616	PING.EXE
1816	PING.EXE
2936	PING.EXE
1120	PING.EXE
556	PING.EXE
2044	PING.EXE
2772	PING.EXE
240	PING.EXE
2136	PING.EXE
1904	PING.EXE
2292	PING.EXE
2964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2868	dllhost.exe
Token: SeDebugPrivilege	2324	dllhost.exe
Token: SeDebugPrivilege	2224	dllhost.exe
Token: SeDebugPrivilege	3020	dllhost.exe
Token: SeDebugPrivilege	2804	dllhost.exe
Token: SeDebugPrivilege	2052	dllhost.exe
Token: SeDebugPrivilege	3040	dllhost.exe
Token: SeDebugPrivilege	2864	dllhost.exe
Token: SeDebugPrivilege	2976	dllhost.exe
Token: SeDebugPrivilege	1768	dllhost.exe
Token: SeDebugPrivilege	2724	dllhost.exe
Token: SeDebugPrivilege	1604	dllhost.exe
Token: SeDebugPrivilege	476	dllhost.exe
Token: SeDebugPrivilege	1320	dllhost.exe
Token: SeDebugPrivilege	2672	dllhost.exe
Token: SeDebugPrivilege	1824	dllhost.exe
Token: SeDebugPrivilege	2948	dllhost.exe
Token: SeDebugPrivilege	556	dllhost.exe
Token: SeDebugPrivilege	1340	dllhost.exe
Token: SeDebugPrivilege	2696	dllhost.exe
Token: SeDebugPrivilege	800	dllhost.exe
Token: SeDebugPrivilege	1644	dllhost.exe
Token: SeDebugPrivilege	2172	dllhost.exe
Token: SeDebugPrivilege	1992	dllhost.exe
Token: SeDebugPrivilege	1940	dllhost.exe
Token: SeDebugPrivilege	2836	dllhost.exe
Token: SeDebugPrivilege	1604	dllhost.exe
Token: SeDebugPrivilege	2160	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2952	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	37
PID 3028 wrote to memory of 2952	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	37
PID 3028 wrote to memory of 2952	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	37
PID 3028 wrote to memory of 2788	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	36
PID 3028 wrote to memory of 2788	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	36
PID 3028 wrote to memory of 2788	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	36
PID 3028 wrote to memory of 2820	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	35
PID 3028 wrote to memory of 2820	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	35
PID 3028 wrote to memory of 2820	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	35
PID 3028 wrote to memory of 2792	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	33
PID 3028 wrote to memory of 2792	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	33
PID 3028 wrote to memory of 2792	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	33
PID 3028 wrote to memory of 2924	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	31
PID 3028 wrote to memory of 2924	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	31
PID 3028 wrote to memory of 2924	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	31
PID 3028 wrote to memory of 2704	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	38
PID 3028 wrote to memory of 2704	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	38
PID 3028 wrote to memory of 2704	3028	893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe	38
PID 2704 wrote to memory of 2768	2704	cmd.exe	39
PID 2704 wrote to memory of 2768	2704	cmd.exe	39
PID 2704 wrote to memory of 2768	2704	cmd.exe	39
PID 2704 wrote to memory of 1088	2704	cmd.exe	41
PID 2704 wrote to memory of 1088	2704	cmd.exe	41
PID 2704 wrote to memory of 1088	2704	cmd.exe	41
PID 2704 wrote to memory of 2868	2704	cmd.exe	42
PID 2704 wrote to memory of 2868	2704	cmd.exe	42
PID 2704 wrote to memory of 2868	2704	cmd.exe	42
PID 2868 wrote to memory of 1620	2868	dllhost.exe	44
PID 2868 wrote to memory of 1620	2868	dllhost.exe	44
PID 2868 wrote to memory of 1620	2868	dllhost.exe	44
PID 1620 wrote to memory of 2108	1620	cmd.exe	45
PID 1620 wrote to memory of 2108	1620	cmd.exe	45
PID 1620 wrote to memory of 2108	1620	cmd.exe	45
PID 1620 wrote to memory of 2076	1620	cmd.exe	46
PID 1620 wrote to memory of 2076	1620	cmd.exe	46
PID 1620 wrote to memory of 2076	1620	cmd.exe	46
PID 1620 wrote to memory of 2324	1620	cmd.exe	47
PID 1620 wrote to memory of 2324	1620	cmd.exe	47
PID 1620 wrote to memory of 2324	1620	cmd.exe	47
PID 2324 wrote to memory of 1072	2324	dllhost.exe	48
PID 2324 wrote to memory of 1072	2324	dllhost.exe	48
PID 2324 wrote to memory of 1072	2324	dllhost.exe	48
PID 1072 wrote to memory of 2168	1072	cmd.exe	50
PID 1072 wrote to memory of 2168	1072	cmd.exe	50
PID 1072 wrote to memory of 2168	1072	cmd.exe	50
PID 1072 wrote to memory of 2136	1072	cmd.exe	51
PID 1072 wrote to memory of 2136	1072	cmd.exe	51
PID 1072 wrote to memory of 2136	1072	cmd.exe	51
PID 1072 wrote to memory of 2224	1072	cmd.exe	54
PID 1072 wrote to memory of 2224	1072	cmd.exe	54
PID 1072 wrote to memory of 2224	1072	cmd.exe	54
PID 2224 wrote to memory of 1016	2224	dllhost.exe	55
PID 2224 wrote to memory of 1016	2224	dllhost.exe	55
PID 2224 wrote to memory of 1016	2224	dllhost.exe	55
PID 1016 wrote to memory of 2948	1016	cmd.exe	57
PID 1016 wrote to memory of 2948	1016	cmd.exe	57
PID 1016 wrote to memory of 2948	1016	cmd.exe	57
PID 1016 wrote to memory of 2936	1016	cmd.exe	58
PID 1016 wrote to memory of 2936	1016	cmd.exe	58
PID 1016 wrote to memory of 2936	1016	cmd.exe	58
PID 1016 wrote to memory of 3020	1016	cmd.exe	59
PID 1016 wrote to memory of 3020	1016	cmd.exe	59
PID 1016 wrote to memory of 3020	1016	cmd.exe	59
PID 3020 wrote to memory of 2740	3020	dllhost.exe	60

C:\Users\Admin\AppData\Local\Temp\893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe
"C:\Users\Admin\AppData\Local\Temp\893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FPf55YsT9G.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2768
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1088
- - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jw82jcrZC1.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2108
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2076
    - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8cJcUuQgju.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2136
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2936
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UBsuxMZs4V.bat"
        10⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2608
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2EHkno7yQP.bat"
        12⤵
        
        PID:784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1904
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Va8TbDE3pU.bat"
        14⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2384
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\emtbJLPzJ4.bat"
        16⤵
        
        PID:2156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2904
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJ33xL03Hm.bat"
        18⤵
        
        PID:2128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1120
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\91AFVPMIKS.bat"
        20⤵
        
        PID:1960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2292
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sq6qxpMr5a.bat"
        22⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:556
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wUPJtRJpO.bat"
        24⤵
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:592
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qn77QEoUih.bat"
        26⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:2044
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qhkY4Aj1yu.bat"
        28⤵
        
        PID:2600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1520
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hzsSyDvNE9.bat"
        30⤵
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2064
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cfpJnj91JY.bat"
        32⤵
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:2772
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnbjzFmbPF.bat"
        34⤵
        
        PID:2308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2136
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GyPdaK1JUk.bat"
        36⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:2188
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zxbGmHcY38.bat"
        38⤵
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:336
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        Runs ping.exe
        
        PID:240
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8VSEkwS9Ei.bat"
        40⤵
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:3036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:2616
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XvuXcjR4oO.bat"
        42⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        Runs ping.exe
        
        PID:1816
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6OOvELCCFB.bat"
        44⤵
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:1320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:1616
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VUt9EuWwAr.bat"
        46⤵
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:2400
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GcIoKmMeml.bat"
        48⤵
        
        PID:1996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\68XQM6FdCo.bat"
        50⤵
        
        PID:2508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:1528
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fyeXCadxko.bat"
        52⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        Runs ping.exe
        
        PID:2964
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSi1KDKJGR.bat"
        54⤵
        
        PID:1964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2768
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vfhrz6qhBW.bat"
        56⤵
        
        PID:2548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:320
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2EHkno7yQP.bat

Filesize
202B

MD5
88a53c9202a2bca1519d46f2de553efe

SHA1
4721a16373a3e9e43f905619f5477fdd03bbb56e

SHA256
a08ca4924d9419a30f96668343ef85ce5f44d5a4de5871e7667b86c453a07ea2

SHA512
09ec30bfc95e6d6078d54181023f235187f5cf91c5e9502ff6e24d6b1309041ed0fc31fc058a914bd361f4503797d48b897de41974797f86bcfe78a4fda6493a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wUPJtRJpO.bat

Filesize
250B

MD5
9423da0b1c78f01aa0bf29f63c4caae8

SHA1
17740bd809dc438ae325e28ca6cb405d1bfd15fe

SHA256
c467b4652c9e03d6b56cb69278cbe85943e674272e59675fda7f8f6b2c0e0600

SHA512
cd7ae787394361c883bd4d3f17f0958afebb26a11e190c0c989a137535c83785ff1640fdd76d8c301a0bca787bed3145b15a3bfb85d34da15a03e3258f702d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\6OOvELCCFB.bat

Filesize
250B

MD5
7ffd4a16ca78900ca22eaaeeabb765ef

SHA1
ee9fe11c6bd31b91c0744eb2e604db05db8ce02e

SHA256
f3a195ba0d6da0494ec5bd74ba68026ed714cb4541f943bcd64ecb4f95b4b028

SHA512
7e44287a38962ff6cbdc810fe104d50f4f83d6badae51b799c239aa58ce42d1e17d2c8eef36f3f6edd0e46d1a2a70c4f16358368c643fd391a43ba803a95d81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat

Filesize
202B

MD5
121c901c5316d5ada680d1e258705f3e

SHA1
f766f94434c89ab3382aeac57ea97e2c259956da

SHA256
b4880ca8014b47ce12319038a7a878c2756db6ec91d453c6d5be837095d9103b

SHA512
acb9cb91c1bfd2682190d7486ccd1a4d6b73fb8801a8959fa21c7c92f5e1fe3aeb288968df580955b8920e0bf18c1a2cad2e34919a182576348550e9921f014b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8VSEkwS9Ei.bat

Filesize
202B

MD5
d0d153dd835f0701b31026f04e6fd20b

SHA1
08852cef10ccf14abd45330cc8774ac2134ca909

SHA256
52e241922907ea804f8b375f8dfbff0a655ecb940de7f37ac84fe3d856be350f

SHA512
4fd2d2db4f0ca1e43e3d5f6b1a5e0d20704b80953f065a61fed021814137a7e0af8901b0848970f2b73ea6ef61c206bc6d5a11aebb45052817f7ba455a2d642e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cJcUuQgju.bat

Filesize
202B

MD5
c9c33355bead977bff6340e6bdc169f4

SHA1
b00c9589187bae755169405c2b9aba2e0838b26e

SHA256
8ccf883fae6953b5b394981c9c2a1d19a5d2283c5d53732963ce27c093c6ab94

SHA512
6cafcc578b46bd6f2e126a2500a85b0bb21a7f47cd16a30f28f40de36c6691a12b985295801cdd4f19ecebf012aecced49dfc945083169625547aa21ece15cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\91AFVPMIKS.bat

Filesize
202B

MD5
d623af00b7129bce596d6955413cffd0

SHA1
9720c98a88aab1c3027029da8178aded46239bc5

SHA256
78d389c15bd1b6fa648a7cae18fac68c1c674d0212eb1b408943b10fb9830542

SHA512
caf1d34dd1ad2568511298ea7430bb4713facd564d5a704be34ca8e478232a5779af3b59b5e532bedf1c32f06428aefc0eb3e3eebaeb306261e7b9a1ef29f484

Download Submit
C:\Users\Admin\AppData\Local\Temp\FPf55YsT9G.bat

Filesize
250B

MD5
37c12949a4bd1528267c8411ef261107

SHA1
a43d852aa0a196164ef1a3a46cdaa7df22f5a1cf

SHA256
ce38bd6375b4a53c2572881c2debfd8c34a13a6854807d58af9fc9e1798665e1

SHA512
447523a200db880677e5167c38fc4605ffe5d5c28c7797bfb25ad8d70666aa0dd4e913d395d34481d3c48f68702e7eab499ef202ad196f0405a026a11dc7e9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyPdaK1JUk.bat

Filesize
250B

MD5
ef0fd098d9d8af435baa81d5e3d91172

SHA1
9ce721839374c0298596294e6d4a737ba454c537

SHA256
c2b04f3edf54d3eccf0fb14ae50d33605d5cd65b74da6736c576817d9587028e

SHA512
5668cb6c43de21bf4b6a73aa58647a6c00e8ca9bcbb965947cb24d6674a5c9ad266aa69a9a8f57c85d4c8516305bd0062e4e65f46d8ea78ae11ea218789ceb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jw82jcrZC1.bat

Filesize
250B

MD5
8664683108d9a2eecfc70caf22a21071

SHA1
ed69521da4f060108b83f05f2b73527f39ed95e8

SHA256
e299ef9e3f3b20d9c7f55c98cda3aed1ded6008ff821279d33eaff4cff2e8416

SHA512
3cd7071d92ecbd4795e0098adc9310e999f877cd483c2cbe178d527d3f6384e6aedc65224722a7d685073c9ee37e3b5a34eaeeaa09abd4034696636ae3c8622a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qn77QEoUih.bat

Filesize
202B

MD5
acb75abac82b1fb644bea2040a602335

SHA1
4edf6a5d5d704d4d0eaa5a8133ddce1296a0b5dc

SHA256
8246bade53a49f3ddf981e0d5ea75c42feed769fbd84879a8ffddf7c66a8dbd2

SHA512
33ef46dd1f5a4d44c94e5b791d689661474f1a33bf12ba8ca7dd5ea7e0bb598fcda768f38bdbf3bd06efbac5de5389b3dd4634e9b8cd541b53c98877071e9f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sq6qxpMr5a.bat

Filesize
202B

MD5
b55ca22f401763630dac37b87c402914

SHA1
4cc3b24508ff9befe839da81fd8b3620d1c8a5f7

SHA256
1feba6f282c9fdec39929c93530ca5155db913423515b8f8a961b5138db444c1

SHA512
cbc8428a3ff45299f12f2d1728ad54bf61874ddd84d5c41dbf64ba8b8dfd045ecb0b6a525cfc565c289bf593951c473aa9b8c8885d5e360666a16ea28fd6d582

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ33xL03Hm.bat

Filesize
202B

MD5
3831bac6f28eea3ba786e09b46763489

SHA1
c30e96978947d9138d57afd768bef172571aebb4

SHA256
61558931b0533b87f8701c9d49887c9381679308efe25cd2acdb05a0abb006e4

SHA512
22bb1dbefcfb0735b648ebe01ffff289f27542ccb42cda641ab782c47b5b22ed34477e5b2767056833ff5b22b89344212294a2a9382186251244827c27bdd32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UBsuxMZs4V.bat

Filesize
250B

MD5
7a0517618a68426640a03d4d54c794e8

SHA1
b3fcc75a78f11228caea09d76ae131c92d701c1d

SHA256
48ccfd20efb66c042c5c486d26f6a0e5fc9d01eafe0d629fe256b765a49f1996

SHA512
8d87c7a002abc2ee8d889dbffe2c906cf30e093dc4dbcb2cc3657638a2f2b5631b40755798194f72bfdb57d39c4b5c5e27cf5d326d8418f2056df7d1f5b79742

Download Submit
C:\Users\Admin\AppData\Local\Temp\Va8TbDE3pU.bat

Filesize
250B

MD5
7c806b9af21bfda7492cf8a10cfaa514

SHA1
ad3a2c3e906848a1f1cf0bde80756c686fad1cee

SHA256
da5097d3835ee8f15f929bf64eb4e5552880a9fdb07b46e77ddbe430021b43fa

SHA512
324a0a3562c35f720e82f70b291ff07a4905ca93f278bc14060a1b74d2fbc31c6099017f415310d4737a3a4ad9472dfd75c20da37b2ffb72d44a0dc149d498b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XvuXcjR4oO.bat

Filesize
202B

MD5
db142ab3ab646534c009b64d625d0ad2

SHA1
1147ba2eb92f78095d627d904ef1dc5ec9fdf31f

SHA256
49ee85331e7e8daedcf9847dd0fa680fadf6ba57c2f2ede683e295073b695f28

SHA512
9af48ac1b261c0f61ccc5e6538c0cc961a648c1ae9b5ad913a210d52e5c771bf4a98108d9f783a9b2215feb2f7b93899d1209d8294ab9522584d32f01b642502

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfpJnj91JY.bat

Filesize
202B

MD5
1bd45a7fe4e2639a486aaca41423f04a

SHA1
c571dfc63dcaccf07b3c0b9d419f874f922b7f10

SHA256
1d33e2d8a174caa67e839716a15b3a38f191840f83df165246c9572f175ac354

SHA512
d0097fd78211751d9382ce11197c476290df4f02d96259ed0529874159b0287f04785d6c9aaa8335c20437c4622100a7db9bc1e0cfb6e23de1580366fcf55c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\emtbJLPzJ4.bat

Filesize
250B

MD5
d55deb522bbf719602b5dcf53fbd0bbb

SHA1
7495e971a2bec994ebf402a45da8a436b102bae4

SHA256
fd3b6fa2ff55ff08428ed62a09a78ae25c0dca41e20ee6ca214cef40e292de01

SHA512
7da23ffec471c1629195558fe4621fb829140bfc032b9d31635ecfff30deea9684fe6577e5ee0ebda45bb2cdbf112b7c9da068fe5d697f69c148c70707ac1811

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzsSyDvNE9.bat

Filesize
250B

MD5
e4661ec00325b8c0ca09db5c009e3465

SHA1
b0156ab8b716d5170a4bdbd3ba608b021039f9f1

SHA256
9da24cc53b35a99b3cf67d6538cf2528e8d756d257b470f8e840c13efc94823f

SHA512
4af3d6f86576bcf8eb2af0cf4ab5f9af86a3f35a115c9bbd29ade9420d1984b17fbdd6e60ce34a5802afa7cc7d9c286a76e9ba9c6ab0ed884c2b00e09b0baea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnbjzFmbPF.bat

Filesize
250B

MD5
7ada2006d8a14d01082a42a9ff4b0b8f

SHA1
dcf1a9d28b09be0ff22e18f9da18c90c041e08e8

SHA256
39ab9a7c723086782a9177d5c40ac57f97c06158e40867b3088012f4f1ed70ea

SHA512
137010cf6673ee75dbdb1881eeb8c257b9aa2ccf2a01bfc234a6744f31897689adeae453a7ea152b9fe5b58d539d042a0321bfe1c55f09065369136878db3752

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhkY4Aj1yu.bat

Filesize
250B

MD5
4482179b243a2a88567d6d37a0ee3aec

SHA1
be64e3c15a76803d9fc56232c3e61a42b8affdec

SHA256
ae021ba79bff3bdfc0f3c1511de5705583a7fe5dcee9d890b53b1bd2adc0bb65

SHA512
8a073df34c06c0009b467706fafc1c5a3c0ffbd88b934a08a568d3b3f4c3eb663919a863ffbc0efbdfcf856aec5153c35c7086a22cefc3f07ecc4b8e1c831c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxbGmHcY38.bat

Filesize
202B

MD5
6975adfcb355174d858e563c9ff36fb0

SHA1
d2aeb059f32177ca92e9b1d213287505d66419ad

SHA256
0d8479d7aac1e4f3bd8e0020f32bc0b3982645358b96b73a6ded6ad287be1166

SHA512
95ac4ce26bf463db74e8fad3ccb66c4327daf5c75f50061393918d43d5997f42101e8a56ad701e9d49f4405b567ac1bc2902220addd84a2a78b562b58be2f120

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9c0d5973ef77188874e80be553117a4c

SHA1
eafebaa28dd9dc5ac7614852c0c0bc5168fd5d45

SHA256
d11d5d731db7d22190161b2f93bbd6df4b467599df7362db18e9439ffdb0a6cd

SHA512
51f15ff8aaa11e2bc56123bf754b0b291d33004662519e1f22dc9f85655f28cbde5fcd744d2e6830888902272630c5f5cd035ae0254ac6faff3ee50c6d741957

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.7MB

MD5
6721a03e5521c0dd8adc3cf0970debc6

SHA1
eeaa1b175abd7927114ac98a32ba64f4e6e85ee3

SHA256
893facdeda8a6b489f34d583927a5924a7fef17b979b25b35db82e9061cd2e1a

SHA512
f1b3f286e7cdb6a3e1c6cf179feeb5bc4c58424d6b7b292367bec80fbb7050518a4bec70d09a2e1aa7d375c47b4aed1579b554abdb4827fc8bfbc962afe0a901

Download Submit
memory/2224-127-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2224-122-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2224-133-0x0000000076EB0000-0x0000000076EB1000-memory.dmp

Filesize
4KB

Download
memory/2224-132-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/2224-130-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/2224-121-0x000007FEF4AE0000-0x000007FEF54CC000-memory.dmp

Filesize
9.9MB

Download
memory/2224-125-0x000000001B5E0000-0x000000001B660000-memory.dmp

Filesize
512KB

Download
memory/2224-124-0x000000001B5E0000-0x000000001B660000-memory.dmp

Filesize
512KB

Download
memory/2324-105-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/2324-104-0x000000001B3D0000-0x000000001B450000-memory.dmp

Filesize
512KB

Download
memory/2324-103-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2324-107-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2324-112-0x0000000076EB0000-0x0000000076EB1000-memory.dmp

Filesize
4KB

Download
memory/2324-119-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-102-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download
memory/2324-113-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/2324-109-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/2788-65-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-73-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2788-77-0x00000000028DB000-0x0000000002942000-memory.dmp

Filesize
412KB

Download
memory/2788-60-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-61-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2788-53-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/2792-62-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-64-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/2792-67-0x000000000252B000-0x0000000002592000-memory.dmp

Filesize
412KB

Download
memory/2820-72-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2820-74-0x00000000029E4000-0x00000000029E7000-memory.dmp

Filesize
12KB

Download
memory/2820-76-0x00000000029E0000-0x0000000002A60000-memory.dmp

Filesize
512KB

Download
memory/2820-70-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-68-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-88-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/2868-84-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2868-82-0x000007FEF4AE0000-0x000007FEF54CC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-81-0x00000000011C0000-0x0000000001380000-memory.dmp

Filesize
1.8MB

Download
memory/2868-83-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2868-85-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2868-86-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2868-90-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/2868-92-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/2868-100-0x000007FEF4AE0000-0x000007FEF54CC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-94-0x0000000076EB0000-0x0000000076EB1000-memory.dmp

Filesize
4KB

Download
memory/2924-69-0x00000000024FB000-0x0000000002562000-memory.dmp

Filesize
412KB

Download
memory/2924-66-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2924-63-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-47-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2952-75-0x0000000002A94000-0x0000000002A97000-memory.dmp

Filesize
12KB

Download
memory/2952-78-0x0000000002A9B000-0x0000000002B02000-memory.dmp

Filesize
412KB

Download
memory/2952-71-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-14-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/3028-10-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/3028-17-0x0000000076EB0000-0x0000000076EB1000-memory.dmp

Filesize
4KB

Download
memory/3028-16-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/3028-0-0x0000000000D10000-0x0000000000ED0000-memory.dmp

Filesize
1.8MB

Download
memory/3028-12-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/3028-11-0x0000000076ED0000-0x0000000076ED1000-memory.dmp

Filesize
4KB

Download
memory/3028-48-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download
memory/3028-6-0x0000000076EE0000-0x0000000076EE1000-memory.dmp

Filesize
4KB

Download
memory/3028-8-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/3028-5-0x000000001B320000-0x000000001B3A0000-memory.dmp

Filesize
512KB

Download
memory/3028-4-0x000000001B320000-0x000000001B3A0000-memory.dmp

Filesize
512KB

Download
memory/3028-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3028-2-0x000000001B320000-0x000000001B3A0000-memory.dmp

Filesize
512KB

Download
memory/3028-1-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download