zgrat | f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97

Analysis

max time kernel
294s
max time network
298s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
Size

1.7MB
MD5

596404d266d7105282abdc1c6ad1ad25
SHA1

9ba501299f1f8930e705d2deaad6c2fd896ffb5b
SHA256

f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97
SHA512

884dbb24455fae479e3351a1a28b4ae13635ed3c0ff5c0e1a822837bff6a53891a332e6fef14e933c34d358ef91edc742ca73294c06bf33426436972967574ce
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 19 IoCs

resource	yara_rule
behavioral1/memory/2340-0-0x0000000000890000-0x0000000000A50000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000018f81-26.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-76.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-77.dat	family_zgrat_v1
behavioral1/memory/608-78-0x0000000000150000-0x0000000000310000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-99-0x0000000000BB0000-0x0000000000D70000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000018f81-98.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-119.dat	family_zgrat_v1
behavioral1/memory/2960-120-0x0000000000380000-0x0000000000540000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000018f81-141.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-164.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-185.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-206.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-226.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-247.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-268.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-285.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-306.dat	family_zgrat_v1
behavioral1/files/0x0008000000018f81-351.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 27 IoCs

pid	Process
608	spoolsv.exe
2516	conhost.exe
2960	spoolsv.exe
2900	spoolsv.exe
2640	spoolsv.exe
2468	spoolsv.exe
2816	spoolsv.exe
1892	spoolsv.exe
1236	spoolsv.exe
1284	spoolsv.exe
2768	spoolsv.exe
3000	spoolsv.exe
368	spoolsv.exe
980	spoolsv.exe
2524	spoolsv.exe
1556	spoolsv.exe
2220	spoolsv.exe
572	spoolsv.exe
1060	spoolsv.exe
2572	spoolsv.exe
2988	spoolsv.exe
1572	spoolsv.exe
756	spoolsv.exe
1712	spoolsv.exe
2364	spoolsv.exe
2768	spoolsv.exe
2784	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
53	raw.githubusercontent.com
17	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
11	raw.githubusercontent.com
15	raw.githubusercontent.com
55	raw.githubusercontent.com
9	raw.githubusercontent.com
21	raw.githubusercontent.com
51	raw.githubusercontent.com
57	raw.githubusercontent.com
35	raw.githubusercontent.com
45	raw.githubusercontent.com
49	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
13	raw.githubusercontent.com
47	raw.githubusercontent.com
19	raw.githubusercontent.com
31	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
7	raw.githubusercontent.com
29	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	spoolsv.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
968	PING.EXE
2064	PING.EXE
2056	PING.EXE
1612	PING.EXE
2836	PING.EXE
2544	PING.EXE
1772	PING.EXE
1864	PING.EXE
1488	PING.EXE
2492	PING.EXE
1320	PING.EXE
2716	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	608	spoolsv.exe
Token: SeDebugPrivilege	2516	conhost.exe
Token: SeDebugPrivilege	2960	spoolsv.exe
Token: SeDebugPrivilege	2900	spoolsv.exe
Token: SeDebugPrivilege	2640	spoolsv.exe
Token: SeDebugPrivilege	2468	spoolsv.exe
Token: SeDebugPrivilege	2816	spoolsv.exe
Token: SeDebugPrivilege	1892	spoolsv.exe
Token: SeDebugPrivilege	1236	spoolsv.exe
Token: SeDebugPrivilege	1284	spoolsv.exe
Token: SeDebugPrivilege	2768	spoolsv.exe
Token: SeDebugPrivilege	3000	spoolsv.exe
Token: SeDebugPrivilege	368	spoolsv.exe
Token: SeDebugPrivilege	980	spoolsv.exe
Token: SeDebugPrivilege	2524	spoolsv.exe
Token: SeDebugPrivilege	1556	spoolsv.exe
Token: SeDebugPrivilege	2220	spoolsv.exe
Token: SeDebugPrivilege	572	spoolsv.exe
Token: SeDebugPrivilege	1060	spoolsv.exe
Token: SeDebugPrivilege	2572	spoolsv.exe
Token: SeDebugPrivilege	2988	spoolsv.exe
Token: SeDebugPrivilege	1572	spoolsv.exe
Token: SeDebugPrivilege	756	spoolsv.exe
Token: SeDebugPrivilege	1712	spoolsv.exe
Token: SeDebugPrivilege	2364	spoolsv.exe
Token: SeDebugPrivilege	2768	spoolsv.exe
Token: SeDebugPrivilege	2784	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2724	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	28
PID 2340 wrote to memory of 2724	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	28
PID 2340 wrote to memory of 2724	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	28
PID 2340 wrote to memory of 3040	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	36
PID 2340 wrote to memory of 3040	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	36
PID 2340 wrote to memory of 3040	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	36
PID 2340 wrote to memory of 2700	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	29
PID 2340 wrote to memory of 2700	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	29
PID 2340 wrote to memory of 2700	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	29
PID 2340 wrote to memory of 2888	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	31
PID 2340 wrote to memory of 2888	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	31
PID 2340 wrote to memory of 2888	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	31
PID 2340 wrote to memory of 2256	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	35
PID 2340 wrote to memory of 2256	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	35
PID 2340 wrote to memory of 2256	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	35
PID 2340 wrote to memory of 2544	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	105
PID 2340 wrote to memory of 2544	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	105
PID 2340 wrote to memory of 2544	2340	f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe	105
PID 2544 wrote to memory of 1456	2544	PING.EXE	40
PID 2544 wrote to memory of 1456	2544	PING.EXE	40
PID 2544 wrote to memory of 1456	2544	PING.EXE	40
PID 2544 wrote to memory of 2976	2544	PING.EXE	41
PID 2544 wrote to memory of 2976	2544	PING.EXE	41
PID 2544 wrote to memory of 2976	2544	PING.EXE	41
PID 2544 wrote to memory of 608	2544	PING.EXE	42
PID 2544 wrote to memory of 608	2544	PING.EXE	42
PID 2544 wrote to memory of 608	2544	PING.EXE	42
PID 608 wrote to memory of 1728	608	spoolsv.exe	83
PID 608 wrote to memory of 1728	608	spoolsv.exe	83
PID 608 wrote to memory of 1728	608	spoolsv.exe	83
PID 1728 wrote to memory of 2100	1728	cmd.exe	46
PID 1728 wrote to memory of 2100	1728	cmd.exe	46
PID 1728 wrote to memory of 2100	1728	cmd.exe	46
PID 1728 wrote to memory of 2064	1728	cmd.exe	45
PID 1728 wrote to memory of 2064	1728	cmd.exe	45
PID 1728 wrote to memory of 2064	1728	cmd.exe	45
PID 1728 wrote to memory of 2516	1728	cmd.exe	117
PID 1728 wrote to memory of 2516	1728	cmd.exe	117
PID 1728 wrote to memory of 2516	1728	cmd.exe	117
PID 2516 wrote to memory of 1320	2516	conhost.exe	115
PID 2516 wrote to memory of 1320	2516	conhost.exe	115
PID 2516 wrote to memory of 1320	2516	conhost.exe	115
PID 1320 wrote to memory of 1904	1320	PING.EXE	50
PID 1320 wrote to memory of 1904	1320	PING.EXE	50
PID 1320 wrote to memory of 1904	1320	PING.EXE	50
PID 1320 wrote to memory of 840	1320	PING.EXE	51
PID 1320 wrote to memory of 840	1320	PING.EXE	51
PID 1320 wrote to memory of 840	1320	PING.EXE	51
PID 1320 wrote to memory of 2960	1320	PING.EXE	52
PID 1320 wrote to memory of 2960	1320	PING.EXE	52
PID 1320 wrote to memory of 2960	1320	PING.EXE	52
PID 2960 wrote to memory of 2168	2960	spoolsv.exe	58
PID 2960 wrote to memory of 2168	2960	spoolsv.exe	58
PID 2960 wrote to memory of 2168	2960	spoolsv.exe	58
PID 2168 wrote to memory of 3056	2168	cmd.exe	55
PID 2168 wrote to memory of 3056	2168	cmd.exe	55
PID 2168 wrote to memory of 3056	2168	cmd.exe	55
PID 2168 wrote to memory of 2220	2168	cmd.exe	124
PID 2168 wrote to memory of 2220	2168	cmd.exe	124
PID 2168 wrote to memory of 2220	2168	cmd.exe	124
PID 2168 wrote to memory of 2900	2168	cmd.exe	59
PID 2168 wrote to memory of 2900	2168	cmd.exe	59
PID 2168 wrote to memory of 2900	2168	cmd.exe	59
PID 2900 wrote to memory of 2772	2900	spoolsv.exe	60

C:\Users\Admin\AppData\Local\Temp\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe
"C:\Users\Admin\AppData\Local\Temp\f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\lsass.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gAFidYTcug.bat"
  2⤵
  PID:2544
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1456
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2976
- - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
    "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ugdhbmYnkA.bat"
      4⤵
      PID:1728
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2064
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2100
    - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        5⤵
        
        PID:2516
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QDva2PSBrt.bat"
        6⤵
        
        PID:1320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:840
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r3SRhMf8VT.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PSx7mMsuZM.bat"
        10⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2884
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Of3pucYXiA.bat"
        12⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ugdhbmYnkA.bat"
        14⤵
        
        PID:2592
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lq6d7xQt2k.bat"
        16⤵
        
        PID:1516
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G5G1KH0qyw.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ooinIVsngq.bat"
        20⤵
        
        PID:1056
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3FUfZROOvk.bat"
        22⤵
        
        PID:2752
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oxiuQmrpE1.bat"
        24⤵
        
        PID:3048
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat"
        26⤵
        
        PID:2996
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ITN63wlJd.bat"
        28⤵
        
        PID:2004
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ebxeZNirCF.bat"
        30⤵
        
        PID:1580
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OEGMIRuqZy.bat"
        32⤵
        
        PID:696
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GpPWS23HwZ.bat"
        34⤵
        
        PID:604
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7QXgceCiIA.bat"
        36⤵
        
        PID:2504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:2720
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cE1qBYVKAL.bat"
        38⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2920
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmto9DLwMv.bat"
        40⤵
        
        PID:1992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:2996
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UR8LTwG0HJ.bat"
        42⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:2824
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7oBPqXqtON.bat"
        44⤵
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:332
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5PKlq1uIop.bat"
        46⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:1304
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ikqvEHWfWg.bat"
        48⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:1344
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pvm5o68kgM.bat"
        50⤵
        
        PID:2796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:2776
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TgAsDsfjzl.bat"
        52⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:1964
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kPY472Oq9b.bat"
        54⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:2996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:2680
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BSBdtFHPxz.bat"
        56⤵
        
        PID:884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        57⤵
        Runs ping.exe
        
        PID:968
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1864
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2028

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3056

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2220

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2056

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2560

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1596

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1524

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1488

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1556

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1704

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1920

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1612

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2836

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1752

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1220

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2492

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:536

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1577213381-123577201-4435719271211419021-665782559828076818-3134786141919853724"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:876

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
1.5MB

MD5
c690dd2e82b6d33a67e53b26b2b2c550

SHA1
b427136c19111d1483dc84c92e12e36aaa2a60d1

SHA256
a9d3f1deaef0bef8b29780844606c2af9db656b230e0dfe828c7293bc6542226

SHA512
695a342cd712424c5a92b792218b7defd594ae72477ff43c629b951bcafe836454706da6e230e44d7c8b22328dbf10d925e549a810859907dc9da09cc189b9ab

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
269KB

MD5
3d2aac87b8a99fa858f09a6c84e11672

SHA1
8d79c26af43b7eb61861bab7681b512ce77ab621

SHA256
5cebdc1dc26d441eedae4996393971fe72c452825552e7bd035d1feda3c0fa2b

SHA512
96fe2e60ea7bb89d938d3c17f6d152e2428ea4fe9e2b7b5e8d4e6a0db54d44cd0b5818641ca77a15f487e3426f9dc316163d53e987a879bc9e97217d270c7180

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
267KB

MD5
1f41e1d9b56586d6e0f257d7a4598c49

SHA1
33aafc2315d6fb6aa2adebb3785297d4415e45fb

SHA256
6dedc9e7b3ae0a0aa8ea12049f06026133018c175b4333c94a36a670871a3d86

SHA512
d285b460fb4d4625fb2220d02017202fa061dd67b5475d0422341669320dc8383406b2bc4978ce04cf3082072412bfcbcc22b77f0855a353a83efe1a117064a1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
64KB

MD5
49d5f5072b5d33a964073ddbc3239936

SHA1
55a5c2cfac13f6ff90b6d345be4ed1fe58dfabec

SHA256
0c937e47820bfdc307e29dd95ea676697168d45f332fbece78151d63339747ae

SHA512
b739f16b08e60e2aa72a35aa20509e01af80bc217500538aa85cc90647c30698bdaa0f62566e496e6d1a257b037691d43af532f4557615db9586ce6d7853b87c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
273KB

MD5
69bc34a21b222b9b35afeff0d01ccf5c

SHA1
e362d92594517c68128ee6a1b3e9fe283b829ff6

SHA256
1ffd5318f33dedc8b2bb9932a1c88195e58be687e6308a9658e47d7db25e9fc9

SHA512
556b17c62bfea01cf866e588ce170e841042500e9dc166715b648ce9272fd1d27a0716d3a480a956af7cccdecd592911dfdc9676cf806f903589949edaf606ec

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
89KB

MD5
de764fd03b7007d97f3feed52706ff33

SHA1
3062199528bf2e3bb184e4cf63c48ac1c83ffbd7

SHA256
4123ee7c780acd05083a252e0a1eac782c2ca302385d5d26afadd8dd5566cd5e

SHA512
ec1b8f2b573c8cea59b77088cc72c18be5b217601d8d14dfe154b17e268f0ffdb26ed957ad2e917df705a83096d86b12c606ea3ec2f7ba98445fbe57e8a5d115

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
1.5MB

MD5
447b1313405b3f9b7decab4aa9838125

SHA1
ee064998dea813e3d53569aad8d8828327148da3

SHA256
41f7abb4c62abda82499dfa318d87064667e6439eefd812141c50bfda8c01ba7

SHA512
f84c7b87e57ede26edba1f97ed3a1665ef602a5b5f4b1038632c7670e22ead5208bd8451561999c9f4182d2e47ec12b3468ea6c614ec0d5cbff48bfe09f62fab

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
1.7MB

MD5
596404d266d7105282abdc1c6ad1ad25

SHA1
9ba501299f1f8930e705d2deaad6c2fd896ffb5b

SHA256
f5243c30785aeb51ff19c7476cfe98399a6e823ab6c900ab755cc1f1c7efef97

SHA512
884dbb24455fae479e3351a1a28b4ae13635ed3c0ff5c0e1a822837bff6a53891a332e6fef14e933c34d358ef91edc742ca73294c06bf33426436972967574ce

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
108KB

MD5
8fcf48d98da9338fba07537b91afcf9d

SHA1
a0c4f8d348cff5987c16d5fa838e71a29a427299

SHA256
e9c1e79a23ac5392542342f7a786c0c18e2d3cabc48ccb215e52db687c99c0d6

SHA512
2f01cf1306bb59d9a9dceab1da505c2f8cd10cfda538f95522e4367e8ed476fabd61acbd9e103c70befd53447909edf709b6d71ef6806a2a827074e55b95ab25

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
44KB

MD5
2797a651789e5b3685275493e57bf9f6

SHA1
ada36af0a2c8e19e719b8ab9fecb56d66382e96b

SHA256
5181d5e8c09de729c2657f64ae341f6c562ba3315ec65616e5b7e683476369fa

SHA512
d478a6c955f1e450c4b350b02fbc946700dad78d1ad3211159a0a48cddcc84cf0763da9b07b9ade8e190bc710f6d8244ab2039fd59631f584a83576a1bcb2fdb

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
107KB

MD5
5c4e4389e5a26de0ae25ec52078e396f

SHA1
1f3143fd40bc849a3a5fa8196ae3efce4d235cc0

SHA256
9afe004d7f900e912bf5616c500fd53f639afbc1ee292d790dadb7b76fa5213f

SHA512
b924044ca922288bf21c3fda8761e50a567454100d5095af915e03707947c10e8da8383687af61f1b3136dd4d305990450bc2f7f0dfb4d1d50fdef184535d060

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
570KB

MD5
3e6cb4fb035cc00d5bd72d8228140564

SHA1
ab6694e2f00ea40275d4143e0d64be614b677312

SHA256
869dc38859150724362120234502828e3a3d6f2393b7e283d823227b4c8b9753

SHA512
a1f885c078d5aa04f25884bb78ea8cd96b421f805bbc377e56d7478a78eb442c3a9ad07d1628f161d51e84b0d60fa95c0cc4d2ae34b8f66d674b709887db2a50

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
312KB

MD5
90ef6c7eac1bbd6d7d5d4bbd558ccce6

SHA1
4f5c2340b28c5a5e52c7f5afe39ab7a5c7f9eb93

SHA256
9986f01f2a42c80f61f1c334b64257d44287ec6b3a81586cfdf61c9730997fc0

SHA512
66b4cd3a38b19a9376a911906e536472ad33c3725c6799bff49af08b1eaf2ed22a5591984fce5ac25022bdc412dcf5165b54f8f32e4e5400ffddf73e3e1d6a9f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
423KB

MD5
f29b2c2d6cba18ce9758aa2cde3f951e

SHA1
290a9721ae6ab5adae9921c1963cb436f31c5830

SHA256
b35f9b95898d9f22504f4c6476859f7ef0dbe4bf58fa42ffa006830bf67d6e20

SHA512
357575abf756b3ab52795e296f1b5956676ef5f060b1e4af444e699302d9f6c70c00480d0a5f02c6256260ad03ec6a1ba0137999291a1a8ee9852993de0fce2c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe

Filesize
1.5MB

MD5
07350355dc473889a28593aa2a03fd5d

SHA1
41dc866ef8fbda6b9a9c826c39dd20a25b2cbe1e

SHA256
28bde0f086f617c3312986c16c1bd361a2e422cc7e650e0b821f1ae55d615ee1

SHA512
517c33aa7105d140b72eeeefef943b85cfc2088268b1a5b6972e0f891bc5562db5cb1588591b0e5b9ad88fe789efda42a26565f648d96e574eee88898ec1b6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FUfZROOvk.bat

Filesize
255B

MD5
b6bbe070684c0e6c6a0f872b446158a7

SHA1
25e391a253dceba16992d3288628165a03c75379

SHA256
e725170cfb884e74e66559afef54082e8599c201ed92b04a00862dbea2b3d08e

SHA512
c7e1398b528965317411adbe0931f13ba5a93f23caa12af19ef1c09fa7294c91bdcd942b198bab4cdfe69943b62001093c29d02dbd1f21fa699cc96ffffd6b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ITN63wlJd.bat

Filesize
207B

MD5
0a2fc16e2e9eca6334deead3b962ca7d

SHA1
890c1dec11f672c2726d13c012f50cc9defaa8e8

SHA256
34dd9a06d0316753147a41bd49485bdb7b1a94cd302fce8d8974fc25f6a40bf7

SHA512
00d0b133df55cbffbe9917cbd815cf2a45068c41e8fbc7f2825bf803ee140ede3a99c43eab02361aa0501fcaabcbda963371ca784c15d466994f8f74bbe2a8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5PKlq1uIop.bat

Filesize
255B

MD5
53c4ee541c27fab4caecdaecfdcbcdd9

SHA1
8407566918cc4b901cfd212d5a4aa0aff3825ac3

SHA256
6c1cc8a3177eecb8e7a8dae7fcb5fb696eb379d2dc0fad0e26632b77e7130c51

SHA512
223c25a22fdb1b34df953f53f539113d83b5f6356c5e8fd893f805718062b33c98b69dafbb18b005f9e87cf442dd6b9a307ddb2a265b0c3be2b65d8f27ede5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7QXgceCiIA.bat

Filesize
255B

MD5
942f11aa7c0711797aefc43a9bd4da7b

SHA1
ab02387264673504946ea3402afdc742ef5c85bd

SHA256
6f6a04d092d7f68fda07aad29b6b50bf31e46b9a34fc7c9171098505aaf737c1

SHA512
c7339d1e54467a44d922ce60644b6d38138c74fa20c6e784b369d7423f9df60cc5bc49d5e5f0f4b9507989030ce0fa6f16951b4922b9c67e688c512c62fc6bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7oBPqXqtON.bat

Filesize
255B

MD5
da44d4b4df3441c67a985bcc278be03c

SHA1
7ac3da868330fe3f9aa7a56b8562d7bc2ff84bb8

SHA256
0a081c13a5064c1ac477705b9f7bdd4f04ef8c70b25095dea2e18cc35d4239fc

SHA512
9397db675001dd166ffc9e67a1a9c8ea796263df399b52efdeba8db13377b7e18b4769c7c0c61a6e8b956fb394a75e58d285b9fa137944c979d4fc6325785cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8MS6cfT7hX.bat

Filesize
207B

MD5
141d8d505fbb78bbd8b4f794974471e3

SHA1
6a180db6a0c5e531e3815d4d5a14da07d7d45977

SHA256
2f48666ca0fe7d97e057a58eba0a8a328507f956494981794f83ce7874403066

SHA512
1cf45a759d36f31043b2ee5c67d43aafd2cd98aac353eef7949113fe0b536f3fbb9962127492968ec4f3ab26d2584185e6e3b26d47c8922707a47388e7f08b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\G5G1KH0qyw.bat

Filesize
207B

MD5
b8a9c625ee7cf63ab1c1886f69738e43

SHA1
0c336b7a6fdddbe7a46ec041728878282312269e

SHA256
b39126e1d212728829a44a9c422d4bf4ee0825af353d4f06290597437e879c70

SHA512
adaa1d9c50b2cd3e90069bc6847a9cb2590082b235d9ecb4dc97c69fd5739cf8cd1901e700d1990bb7805a15d0769b37e62b98185db14eeea92b8ebe2a103290

Download Submit
C:\Users\Admin\AppData\Local\Temp\GpPWS23HwZ.bat

Filesize
207B

MD5
72b11c0c1667270f66d6a3f2f5581aca

SHA1
7565f1e34fb470d8fa68a3e65f525a477177dd30

SHA256
beb555c4d7522574c1fa7a9c9127076e55092395a3fcdc2603315fba41615fe3

SHA512
080eb0a586d68fbc06e5a4fed4ae6a9fad35b5097d6ec94c7c471f6c43020be883e6360ae7ec207a61e4c313c65bbc1f0e958b5df13606dadc97b48f0c1b39e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lq6d7xQt2k.bat

Filesize
255B

MD5
f4de2f2a65ce2dab83e1678d716062ff

SHA1
08a2bf03e901dba05e59a77982a099ee1b613d0b

SHA256
22c90b5f1a708922902c44751cc8823db0de6c5c34a50f4e47544fb2ca13edbf

SHA512
51529a1dce1af09880bdec166f2a259a80bb0c48486a05cc39020a95b07903d0d1629eb0d6e6feb8685f23bdb0f77a2d30144691e7e39ab7af0115df3bab9aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEGMIRuqZy.bat

Filesize
207B

MD5
1060781c122884555b184ac8880fcf3d

SHA1
5d6c73717dc632a6f03198b244af9d1dd4f30343

SHA256
398b30744c1a40c30a7d5128248d2620250bca1f756e2d54777e8c61e6e83a3f

SHA512
823c4017a0169c2f290c4bdee01c029390aa35e9c9bf8a6690e7beb271a1948221cd000387e9ee8c74a1e17f51ed9a3a3a40a17b5e71895474308f800ad354c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Of3pucYXiA.bat

Filesize
255B

MD5
3efab1c42ca604d9738cced9f438a0fe

SHA1
cf74268bae9ac278c040e9a5d0bdc85b3b274086

SHA256
12571b8de1a3279e052c7ea57a5a987655e9377d311671291a278e309200952e

SHA512
74a94272662ed64ab627e9cff17235060b9d92d05ef62c68900c2bf3200e744994763d13c11fdb5220ed998a16f8d47b21c5e2cb8d9a346eddd9818158b57db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSx7mMsuZM.bat

Filesize
255B

MD5
8335dd52e2d6b2ec8c05afa29b9dc448

SHA1
2fbfc24326eee452c956ec879f47823ba0a8d536

SHA256
c33f697db49c81bb0e4806ef377a6557fcb34305d4fcd15fbc3de1cdf7ac263d

SHA512
680a13ade6e779a4b1867cb74a6cfda8a7c92358897e488e558ae571052d97c931bbb1574c01573f9c53df6a4631192b05bd37f93e7baf68ccde7c5d7ba5dce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QDva2PSBrt.bat

Filesize
255B

MD5
5b6ec9b284bd7e460f042eec6f6e65b8

SHA1
cd017634aa1ad991631bfd686f4568e75484eeed

SHA256
8ff56f5e21fc70b8efc664adff7e1a2a902c5b47cf0528a4b4662d4d1293e665

SHA512
3be599b3ebcd2b485d5cff8393670c2c5309103ee102453d43db0d99e72fbd2eaa96cd5929810b3632b3c95cd9a454fe1ee36507142555734a0a309aea1212e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\UR8LTwG0HJ.bat

Filesize
255B

MD5
88caac4bbdf0a64937bc6e4524a2a927

SHA1
9e3dfe041bc9fa4beab6c0f001094f22b2ed5973

SHA256
347473ee2113bfc6ab171f8048bbdd651ebc3bdb2895867b9fe9fbfad745a665

SHA512
f96488381b5470b20417d1be12497cfd1d3ed4c5ef30e5b96165908cc725abd1b0ede9a46b11ebb92605a624f77a6a540080d8657b6b241f917c67a635dccccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cE1qBYVKAL.bat

Filesize
255B

MD5
04bd9565c5a7938b405cce73e16d0063

SHA1
815c9f05e7fffa3b831f5e6240182f0a8da75804

SHA256
54b56685c19e4bf81d2be2c1affcaccfeba2a8eeb1a88d7601dfe8460c87bda6

SHA512
be80b39fbc4d4e6f265d59a0e07fa369df4ea69fda262f25ac102400f0fd866dc475142d8a8ab65019aa495ea6a73d9a1c5c1ed2626a47c968cc03346067e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebxeZNirCF.bat

Filesize
207B

MD5
a2f2526e03c245933d88f7815d1cb43a

SHA1
523d351259332bfa094ec179e3adf086f7917b4a

SHA256
6127e1b9c16fe225f3e603d52126913e7314766a00d5f7bebf8279efb4e47817

SHA512
17d864fe65ad0b2121c4cadb1d7a1a5875d44dfe5a8a9e436659c4dc5ceb22f7eb69fe874fad70babf8082702dcd5ced21ce9aa6aebf4a440a696f9417facadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAFidYTcug.bat

Filesize
255B

MD5
f3b3cfc0f6ac785e84505dcb8570eb88

SHA1
5f63c7e6cc798e2c5fb85927e7381c6eddb62758

SHA256
2e5f3e3974d5d799b440031150d301490b312b52d7b2689e2fe01dfbc7b3b196

SHA512
79c4fbb6eabddd4a1951cf895929992bedddc07fab377784e385d6f0731eb3315c84c4b2fa95fda4d73192aa97511e7d71d6cd536e6a0c3dc5cf0e8ad7fddc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmto9DLwMv.bat

Filesize
207B

MD5
3a7db5466953c70a83b54b543007f015

SHA1
86b3931b393b0a3fbd68ace25f1c3a6e8ed35172

SHA256
7166c56a274d8234369a88be5b951270c26200ce7debf5c2548b3db62552e282

SHA512
c6c4a20b7c3872419c9beba15150dbcb9e91afc4fe22f8444171432c04379c5f928e57a9edcf3ed1e1a7c503cc1becc5d5c7affc92710dba6ca6a49e70d0e41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooinIVsngq.bat

Filesize
207B

MD5
34e5f71f8da41b18291725660b49debf

SHA1
75fc4f77d1923c825e7d64cd282fa1648d7e722e

SHA256
89d113f37b1155ddc0b9063b4bcb4d3fdb9c4b7db0ef3ae645c4e3abd5edf862

SHA512
d1a02675cac480ea719ff3a07dc7e14ae78b84aaf9a7d66c3f3a96ae507cd6c82de632dee7bfbb69c63c2c48d01ceb9d1f63bc35b4583b5eb33fcac47de1371a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxiuQmrpE1.bat

Filesize
207B

MD5
a8860c5fe9bd214e3a5838d554e9415e

SHA1
03df18d2d940193e81a5d514494b85cf63c09fff

SHA256
d1cb3171192d951996bee331cd7997ffe0788c4d38e4c0d44d08de9837e378cd

SHA512
f66becc5bcfdc3c0e8c7d6fe09989c0d6c1b535a3d4a91568577482b0e95bbed788b7e054709e0a10d05032a5f13fa365925295f76b29d5aaffc055f816ecb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3SRhMf8VT.bat

Filesize
255B

MD5
581ac35e9c597e7931b9b2e3adb28bf2

SHA1
9a400de7dc3d42e06fa2d6dd3cd098df829cde64

SHA256
3656955ffb82c36b80c854720157ab004c52906274398cd711f0f02a448bf272

SHA512
403a8942760a1c0918bc14f8cb016c34a5fdd777d6c0af874bfd21b4628b654c88d5a082bb01f560f74001c558220ef7b3088a3b7f55ec6cec1d805ab05cfdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ugdhbmYnkA.bat

Filesize
207B

MD5
d28d366f85b7a15302cc7c387b016cc2

SHA1
c2fa3576b9b4a0acd81e7ee45627c8d3c03afd02

SHA256
2cee9b32116f5f38d7fdeae195ec02636aa0462b86f5e267d180f56790dc86c5

SHA512
82c469b7d0449780a2b25395b24673e015de17c4bb99cf6262fcf0e0a085ad72d0cd62b42e3a5d147b4ac20df107c52f46aecb02ee684f4df0525c7a70c077d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e687c79ab4c82eb8184106abbd02ac51

SHA1
9863d05e13344c4d124c52d06952741c5a0728a7

SHA256
7ab04ee1eecdd9ea8ecd2b8a7fe84feeeb39e5cda1106107dd26b87e9034fbd1

SHA512
646e660f5ca8c26fe6072e83946e530d38eb29048f495ff836bbf3095af6363fb2473cc9dde02704452b09ef5a7d2dda948e3fc5d8848543102d58fb005cb596

Download Submit
memory/608-91-0x0000000076E60000-0x0000000076E61000-memory.dmp

Filesize
4KB

Download
memory/608-84-0x0000000076E90000-0x0000000076E91000-memory.dmp

Filesize
4KB

Download
memory/608-78-0x0000000000150000-0x0000000000310000-memory.dmp

Filesize
1.8MB

Download
memory/608-79-0x000007FEF4A70000-0x000007FEF545C000-memory.dmp

Filesize
9.9MB

Download
memory/608-80-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/608-81-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/608-82-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/608-97-0x000007FEF4A70000-0x000007FEF545C000-memory.dmp

Filesize
9.9MB

Download
memory/608-87-0x0000000076E80000-0x0000000076E81000-memory.dmp

Filesize
4KB

Download
memory/608-88-0x0000000076E70000-0x0000000076E71000-memory.dmp

Filesize
4KB

Download
memory/608-83-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/2256-64-0x000007FEEEB60000-0x000007FEEF4FD000-memory.dmp

Filesize
9.6MB

Download
memory/2256-75-0x00000000026DB000-0x0000000002742000-memory.dmp

Filesize
412KB

Download
memory/2256-71-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/2340-8-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/2340-12-0x0000000076E70000-0x0000000076E71000-memory.dmp

Filesize
4KB

Download
memory/2340-55-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-0-0x0000000000890000-0x0000000000A50000-memory.dmp

Filesize
1.8MB

Download
memory/2340-17-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2340-15-0x0000000076E60000-0x0000000076E61000-memory.dmp

Filesize
4KB

Download
memory/2340-14-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2340-1-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2340-11-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2340-9-0x0000000076E80000-0x0000000076E81000-memory.dmp

Filesize
4KB

Download
memory/2340-6-0x0000000076E90000-0x0000000076E91000-memory.dmp

Filesize
4KB

Download
memory/2340-2-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2340-5-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2340-3-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2340-4-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2516-100-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-104-0x000000001A870000-0x000000001A8F0000-memory.dmp

Filesize
512KB

Download
memory/2516-99-0x0000000000BB0000-0x0000000000D70000-memory.dmp

Filesize
1.8MB

Download
memory/2516-106-0x0000000076E90000-0x0000000076E91000-memory.dmp

Filesize
4KB

Download
memory/2516-108-0x0000000076E80000-0x0000000076E81000-memory.dmp

Filesize
4KB

Download
memory/2516-101-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2516-118-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-112-0x0000000076E60000-0x0000000076E61000-memory.dmp

Filesize
4KB

Download
memory/2516-110-0x0000000076E70000-0x0000000076E71000-memory.dmp

Filesize
4KB

Download
memory/2516-102-0x000000001A870000-0x000000001A8F0000-memory.dmp

Filesize
512KB

Download
memory/2516-103-0x000000001A870000-0x000000001A8F0000-memory.dmp

Filesize
512KB

Download
memory/2700-70-0x0000000002A04000-0x0000000002A07000-memory.dmp

Filesize
12KB

Download
memory/2700-62-0x000007FEEEB60000-0x000007FEEF4FD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-74-0x0000000002A0B000-0x0000000002A72000-memory.dmp

Filesize
412KB

Download
memory/2724-57-0x000007FEEEB60000-0x000007FEEF4FD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-58-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2724-63-0x000007FEEEB60000-0x000007FEEF4FD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-65-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2724-67-0x000000000285B000-0x00000000028C2000-memory.dmp

Filesize
412KB

Download
memory/2724-59-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2888-61-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/2888-73-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2888-56-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2888-54-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2888-66-0x000000000253B000-0x00000000025A2000-memory.dmp

Filesize
412KB

Download
memory/2888-69-0x000007FEEEB60000-0x000007FEEF4FD000-memory.dmp

Filesize
9.6MB

Download
memory/2960-121-0x000007FEF4A70000-0x000007FEF545C000-memory.dmp

Filesize
9.9MB

Download
memory/2960-124-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2960-123-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2960-122-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2960-125-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2960-120-0x0000000000380000-0x0000000000540000-memory.dmp

Filesize
1.8MB

Download
memory/3040-68-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/3040-60-0x000007FEEEB60000-0x000007FEEF4FD000-memory.dmp

Filesize
9.6MB

Download
memory/3040-72-0x000000000241B000-0x0000000002482000-memory.dmp

Filesize
412KB

Download