zgrat | 9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948

Analysis

max time kernel
293s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
04/02/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
Size

1.7MB
MD5

794742e196658504969c2a0734f88bcb
SHA1

319842492ca9627b1baefe98c449a584227d064d
SHA256

9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948
SHA512

5c46d60e2b4dea9ecd076ddd180dae6cae90f42c5ed0b120f9d6b3162a7c3ab1a63643fda6e238d05c62c9eff5ff7135af776c50d465e94479096b89ccdf2b51
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 17 IoCs

resource	yara_rule
behavioral2/memory/2524-0-0x00000000000D0000-0x0000000000290000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000600000001abfc-26.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-287.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-286.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-308.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-329.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-349.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-369.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-389.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-409.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-429.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-449.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-469.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-488.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-508.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-528.dat	family_zgrat_v1
behavioral2/files/0x000600000001abfc-548.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 37 IoCs

pid	Process
4060	winlogon.exe
4852	winlogon.exe
3496	winlogon.exe
2904	winlogon.exe
3240	winlogon.exe
168	winlogon.exe
5028	winlogon.exe
1416	winlogon.exe
1612	winlogon.exe
1016	winlogon.exe
2788	winlogon.exe
4420	winlogon.exe
3940	winlogon.exe
2536	winlogon.exe
4656	winlogon.exe
4920	winlogon.exe
3028	winlogon.exe
3604	winlogon.exe
772	winlogon.exe
2924	winlogon.exe
164	winlogon.exe
2808	winlogon.exe
4348	winlogon.exe
936	winlogon.exe
4004	winlogon.exe
3608	winlogon.exe
3316	winlogon.exe
2724	winlogon.exe
4100	winlogon.exe
824	winlogon.exe
684	winlogon.exe
936	winlogon.exe
4944	winlogon.exe
3984	winlogon.exe
2300	winlogon.exe
2040	winlogon.exe
2824	winlogon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
42	raw.githubusercontent.com
50	raw.githubusercontent.com
59	raw.githubusercontent.com
27	raw.githubusercontent.com
24	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
60	raw.githubusercontent.com
61	raw.githubusercontent.com
13	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
23	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
3	raw.githubusercontent.com
28	raw.githubusercontent.com
37	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
58	raw.githubusercontent.com
18	raw.githubusercontent.com
26	raw.githubusercontent.com
41	raw.githubusercontent.com
22	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
14	raw.githubusercontent.com
49	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
57	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\RuntimeBroker.exe	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\9e8d7a4ca61bd9	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files\Microsoft Office\Updates\winlogon.exe	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files\Microsoft Office\Updates\cc11b995f2a76d	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files\Java\jre-1.8\bin\dtplugin\67941dfbfddbf1	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	winlogon.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1148	PING.EXE
5044	PING.EXE
4192	PING.EXE
4380	PING.EXE
2112	PING.EXE
1452	PING.EXE
428	PING.EXE
3964	PING.EXE
3996	PING.EXE
1452	PING.EXE
4896	PING.EXE
4420	PING.EXE
3132	PING.EXE
3768	PING.EXE
4472	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
Token: SeDebugPrivilege	4336	cmd.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	168	winlogon.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeIncreaseQuotaPrivilege	768	powershell.exe
Token: SeSecurityPrivilege	768	powershell.exe
Token: SeTakeOwnershipPrivilege	768	powershell.exe
Token: SeLoadDriverPrivilege	768	powershell.exe
Token: SeSystemProfilePrivilege	768	powershell.exe
Token: SeSystemtimePrivilege	768	powershell.exe
Token: SeProfSingleProcessPrivilege	768	powershell.exe
Token: SeIncBasePriorityPrivilege	768	powershell.exe
Token: SeCreatePagefilePrivilege	768	powershell.exe
Token: SeBackupPrivilege	768	powershell.exe
Token: SeRestorePrivilege	768	powershell.exe
Token: SeShutdownPrivilege	768	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeSystemEnvironmentPrivilege	768	powershell.exe
Token: SeRemoteShutdownPrivilege	768	powershell.exe
Token: SeUndockPrivilege	768	powershell.exe
Token: SeManageVolumePrivilege	768	powershell.exe
Token: 33	768	powershell.exe
Token: 34	768	powershell.exe
Token: 35	768	powershell.exe
Token: 36	768	powershell.exe
Token: SeIncreaseQuotaPrivilege	4576	powershell.exe
Token: SeSecurityPrivilege	4576	powershell.exe
Token: SeTakeOwnershipPrivilege	4576	powershell.exe
Token: SeLoadDriverPrivilege	4576	powershell.exe
Token: SeSystemProfilePrivilege	4576	powershell.exe
Token: SeSystemtimePrivilege	4576	powershell.exe
Token: SeProfSingleProcessPrivilege	4576	powershell.exe
Token: SeIncBasePriorityPrivilege	4576	powershell.exe
Token: SeCreatePagefilePrivilege	4576	powershell.exe
Token: SeBackupPrivilege	4576	powershell.exe
Token: SeRestorePrivilege	4576	powershell.exe
Token: SeShutdownPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeSystemEnvironmentPrivilege	4576	powershell.exe
Token: SeRemoteShutdownPrivilege	4576	powershell.exe
Token: SeUndockPrivilege	4576	powershell.exe
Token: SeManageVolumePrivilege	4576	powershell.exe
Token: 33	4576	powershell.exe
Token: 34	4576	powershell.exe
Token: 35	4576	powershell.exe
Token: 36	4576	powershell.exe
Token: SeIncreaseQuotaPrivilege	1320	powershell.exe
Token: SeSecurityPrivilege	1320	powershell.exe
Token: SeTakeOwnershipPrivilege	1320	powershell.exe
Token: SeLoadDriverPrivilege	1320	powershell.exe
Token: SeSystemProfilePrivilege	1320	powershell.exe
Token: SeSystemtimePrivilege	1320	powershell.exe
Token: SeProfSingleProcessPrivilege	1320	powershell.exe
Token: SeIncBasePriorityPrivilege	1320	powershell.exe
Token: SeCreatePagefilePrivilege	1320	powershell.exe
Token: SeBackupPrivilege	1320	powershell.exe
Token: SeRestorePrivilege	1320	powershell.exe
Token: SeShutdownPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeSystemEnvironmentPrivilege	1320	powershell.exe
Token: SeRemoteShutdownPrivilege	1320	powershell.exe
Token: SeUndockPrivilege	1320	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 768	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	82
PID 2524 wrote to memory of 768	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	82
PID 2524 wrote to memory of 1320	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	81
PID 2524 wrote to memory of 1320	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	81
PID 2524 wrote to memory of 4336	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	80
PID 2524 wrote to memory of 4336	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	80
PID 2524 wrote to memory of 168	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	78
PID 2524 wrote to memory of 168	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	78
PID 2524 wrote to memory of 4576	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	77
PID 2524 wrote to memory of 4576	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	77
PID 2524 wrote to memory of 1336	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	83
PID 2524 wrote to memory of 1336	2524	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	83
PID 1336 wrote to memory of 824	1336	cmd.exe	85
PID 1336 wrote to memory of 824	1336	cmd.exe	85
PID 1336 wrote to memory of 4552	1336	cmd.exe	117
PID 1336 wrote to memory of 4552	1336	cmd.exe	117
PID 1336 wrote to memory of 4060	1336	cmd.exe	88
PID 1336 wrote to memory of 4060	1336	cmd.exe	88
PID 4060 wrote to memory of 352	4060	winlogon.exe	92
PID 4060 wrote to memory of 352	4060	winlogon.exe	92
PID 352 wrote to memory of 3804	352	cmd.exe	90
PID 352 wrote to memory of 3804	352	cmd.exe	90
PID 352 wrote to memory of 3316	352	cmd.exe	89
PID 352 wrote to memory of 3316	352	cmd.exe	89
PID 352 wrote to memory of 4852	352	cmd.exe	93
PID 352 wrote to memory of 4852	352	cmd.exe	93
PID 4852 wrote to memory of 4320	4852	winlogon.exe	97
PID 4852 wrote to memory of 4320	4852	winlogon.exe	97
PID 4320 wrote to memory of 3100	4320	cmd.exe	95
PID 4320 wrote to memory of 3100	4320	cmd.exe	95
PID 4320 wrote to memory of 4672	4320	cmd.exe	94
PID 4320 wrote to memory of 4672	4320	cmd.exe	94
PID 4320 wrote to memory of 3496	4320	cmd.exe	98
PID 4320 wrote to memory of 3496	4320	cmd.exe	98
PID 3496 wrote to memory of 3232	3496	winlogon.exe	129
PID 3496 wrote to memory of 3232	3496	winlogon.exe	129
PID 3232 wrote to memory of 392	3232	chcp.com	101
PID 3232 wrote to memory of 392	3232	chcp.com	101
PID 3232 wrote to memory of 828	3232	chcp.com	100
PID 3232 wrote to memory of 828	3232	chcp.com	100
PID 3232 wrote to memory of 2904	3232	chcp.com	103
PID 3232 wrote to memory of 2904	3232	chcp.com	103
PID 2904 wrote to memory of 4212	2904	winlogon.exe	107
PID 2904 wrote to memory of 4212	2904	winlogon.exe	107
PID 4212 wrote to memory of 4860	4212	cmd.exe	105
PID 4212 wrote to memory of 4860	4212	cmd.exe	105
PID 4212 wrote to memory of 5044	4212	cmd.exe	104
PID 4212 wrote to memory of 5044	4212	cmd.exe	104
PID 4212 wrote to memory of 3240	4212	cmd.exe	108
PID 4212 wrote to memory of 3240	4212	cmd.exe	108
PID 3240 wrote to memory of 4544	3240	winlogon.exe	112
PID 3240 wrote to memory of 4544	3240	winlogon.exe	112
PID 4544 wrote to memory of 424	4544	cmd.exe	110
PID 4544 wrote to memory of 424	4544	cmd.exe	110
PID 4544 wrote to memory of 4136	4544	cmd.exe	109
PID 4544 wrote to memory of 4136	4544	cmd.exe	109
PID 4544 wrote to memory of 168	4544	cmd.exe	113
PID 4544 wrote to memory of 168	4544	cmd.exe	113
PID 168 wrote to memory of 4552	168	winlogon.exe	117
PID 168 wrote to memory of 4552	168	winlogon.exe	117
PID 4552 wrote to memory of 2776	4552	cmd.exe	115
PID 4552 wrote to memory of 2776	4552	cmd.exe	115
PID 4552 wrote to memory of 3768	4552	cmd.exe	114
PID 4552 wrote to memory of 3768	4552	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
"C:\Users\Admin\AppData\Local\Temp\9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\winlogon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\RuntimeBroker.exe'
  2⤵
  PID:168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\bin\dtplugin\9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe'
  2⤵
  PID:4336
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4332
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\ShellExperienceHost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\sysmon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMIoqcDtm3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:824
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4552
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:3768
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2776
- - C:\Program Files\Microsoft Office\Updates\winlogon.exe
    "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bQudXBuXpp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:352
    - - C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U51WDObLZJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lxpltA24Sk.bat"
        8⤵
        
        PID:3232
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rWoaKD2ur4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fa1oyizmeb.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ez7ZQMTyX4.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cplHXgq9QN.bat"
        16⤵
        
        PID:3712
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aSqT8qddOT.bat"
        18⤵
        
        PID:1380
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKdioc4MGu.bat"
        20⤵
        
        PID:4920
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7B3lpetaR.bat"
        22⤵
        
        PID:4876
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hzsSyDvNE9.bat"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xe7C8pmPDN.bat"
        26⤵
        
        PID:3456
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fa1oyizmeb.bat"
        28⤵
        
        PID:744
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sjVMp8zxrT.bat"
        30⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:3964
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sjVMp8zxrT.bat"
        32⤵
        
        PID:3476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:3996
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MiKQlKjHzt.bat"
        34⤵
        
        PID:2740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:1076
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        Runs ping.exe
        
        PID:4192
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DlQnvRVvYg.bat"
        36⤵
        
        PID:4384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:4380
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c1v93Hoh1X.bat"
        38⤵
        
        PID:3288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:4344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:1168
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3FUfZROOvk.bat"
        40⤵
        
        PID:1588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:4240
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU00hIhBOb.bat"
        42⤵
        
        PID:4964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        43⤵
        
        PID:4852
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcCl1WGSVA.bat"
        44⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        45⤵
        Runs ping.exe
        
        PID:1452
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bc4V3lt5Qz.bat"
        46⤵
        
        PID:4976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        47⤵
        
        PID:1512
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9nTU0UPEK4.bat"
        48⤵
        
        PID:4884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        Runs ping.exe
        
        PID:4896
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U51WDObLZJ.bat"
        50⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:3512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        51⤵
        
        PID:4324
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQnm3nkJb5.bat"
        52⤵
        
        PID:4724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:4736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2524
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKdioc4MGu.bat"
        54⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        55⤵
        
        PID:4892
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WSxKcEorbD.bat"
        56⤵
        
        PID:4208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        57⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        57⤵
        
        PID:1772
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ENo64DAh0.bat"
        58⤵
        
        PID:392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:3132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        Runs ping.exe
        
        PID:2112
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cplHXgq9QN.bat"
        60⤵
        
        PID:4860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:4364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:3576
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vUluF99a5g.bat"
        62⤵
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        63⤵
        
        PID:1128
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        63⤵
        Runs ping.exe
        
        PID:4472
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ttrehocny9.bat"
        64⤵
        
        PID:1192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:68
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        65⤵
        
        PID:2852
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R58NgmlZn3.bat"
        66⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        67⤵
        
        PID:2888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        67⤵
        Runs ping.exe
        
        PID:4420
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        67⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQnm3nkJb5.bat"
        68⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        69⤵
        
        PID:4060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        69⤵
        
        PID:596
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        69⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnbjzFmbPF.bat"
        70⤵
        
        PID:4916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        71⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        71⤵
        
        PID:1580
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        71⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HkN6qNcbmH.bat"
        72⤵
        
        PID:3816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        73⤵
        
        PID:4868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        73⤵
        Runs ping.exe
        
        PID:3132
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        73⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7B3lpetaR.bat"
        74⤵
        
        PID:3996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        75⤵
        
        PID:1936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        75⤵
        Runs ping.exe
        
        PID:1452
        
        C:\Program Files\Microsoft Office\Updates\winlogon.exe
        
        "C:\Program Files\Microsoft Office\Updates\winlogon.exe"
        75⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8cJcUuQgju.bat"
        76⤵
        
        PID:1076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        77⤵
        
        PID:4888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        77⤵
        Runs ping.exe
        
        PID:428

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3316

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3804

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4672

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3100

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:828

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:392

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:5044

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4860

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4136

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:424

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4880

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4928

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4444

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2472

C:\Windows\system32\chcp.com
chcp 65001
1⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4392

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1148

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1240

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2132

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1060

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3932

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
640KB

MD5
fc9c2389542176bebefe59172ba31668

SHA1
e2f60cc8efadb90788dad8b60215b6b2786bbca5

SHA256
add4645efad9a51a7387c4059ff2f28bb9666dbb98cfb75a124607baaeae963e

SHA512
0e8a1e72c41c796ea470c5df3667d277e45bbfff5b1ce20ecd69419e5af892f01f511c5636cf28c5a60576394894691ec925518c56f83008c1c31359964cc1eb

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
427KB

MD5
21dbc8b1a1e57fd19fc9509365bdd303

SHA1
da8dd6e5e9058c513cbe9d48ad50af2c372ed200

SHA256
cf173bd5f92d13310fb08ba8558dd314cf17e671d5802c09841da881e63d576d

SHA512
fd8ef1e0b6d2853e0e6687e9a12c18099018a367d82b6330ac3c6fde1e75ba426240491cd65ad38b940e93f7af4a47e41e717dbc420e4e2610f40951feabe14c

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
94KB

MD5
8b32de65885b19e560cd459f9cca66de

SHA1
b248198457c9566f5fb58fc0469aeaa34126d903

SHA256
efbf4003e40d80d950a4c7c106285a681717a39e1a1c04d24f0ee6be9fd1542d

SHA512
0dae55c22cbb3734f30c59e996a22e2c144aa76ff453248c6d340cc78d61783e4fa7373e09ec23ad2bbaa085f33270b8b32f1583f7af918df8f1ca1d0528f6cb

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
76KB

MD5
98b120bfe4f278b51c9facbba3d8b941

SHA1
6883425dcc3ec84aee69251d1c4ebc718241fa36

SHA256
a3f1db28f3d03f760d5327df4f87b993d754b06042bf6c1c841993bd46d59695

SHA512
6828024710008eb1567411ef76f0c3ed6bade272855673164f971384ce66e9c8f332073358d2def50dcd1de2a72dedca5c927489ab0fcd787472170eecf9a1ae

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
195KB

MD5
f82d32550a6c31b53abae8453b5e4272

SHA1
22f28ea581753fd36d0050403ab34aae6638dd67

SHA256
cf913a768cca3555cb0bf5cd5e2ce09174cf3f18b799b133eb41d007e99f6560

SHA512
1aa6364b15769f76dd20590412b3c293d33eb8a61e70b1e374afdbe0bea7ca2977e86342eb72b2926dda531cdc50ea3eb3537ba482ddfdf5574854a2d7330489

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
138KB

MD5
a2b385dfdb894f31dcbca20b3dd85bc3

SHA1
5c1caf757bb6535e3ab53995da59906f06914257

SHA256
63eb78a6925bdd0314c73e113bd3399b323cfa50f276f38bf3d4c81498080491

SHA512
b45c2c78a048ca45b5fe68721d108d23cad04d969ea562f973810e09d6d2d796f77b020dbcafeab7936a9de4f0a2c19d035f00485d5bd70025489dd78f9ba532

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
227KB

MD5
f466ddba16c925dcb1b81bea2dee7248

SHA1
7eebd4716f543f553cbfe380d61abcffa2d605cf

SHA256
52b120c2df93c840461c17a9da419e6c7050b7518892191d7e4471858360def8

SHA512
9f8ceec0333dea7a8b8b2b5e1c56e2f8f674f7f20078177a8639dc9a27e9f8aec947ce6cd810ac0364207b3d71f7c23a5ae84b8ebc3c3eb21cee36979a3e1371

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
164KB

MD5
ca9e4d3bd3c526a1b2b284b24b190232

SHA1
01c9df8c2afcfa57a90e0e21e17d9732ef2d716c

SHA256
f2ae7aee57f6a0b42ce1b26d386dd453f4d688676020bf74f390269e4ec54b30

SHA512
903f87bbb99036ecd814769d65433a8777cb61c839d5780ed9ae7de649ff35a16422703e213eef34861a3b1b1344fedbbd155eeb45ab11989851f8501322e469

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
71KB

MD5
96290384fb2a97effebf37c75759f110

SHA1
6ab2430461331f8e32090e85a68f33580258594f

SHA256
751fbad70bb68ec8218584aaccd7a1688e644b8d2fd2bb7a870810af4e45cb9a

SHA512
bca01a6dabe666e75b574edbecd9a382663d7728cadc82786f61feb511dc68bd76948cfae39b64e0beaa9e02dd3e818e9696d797486bf74aca392849a208f61b

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
122KB

MD5
eeeda49c56ba18c401348dfcf22e2918

SHA1
df10a78f16f3ecae7e42623a9acb154c64d1487a

SHA256
f497949c6c2ea344f82270ec737b0d9172e9b0367327c345c4468dc964a20eb2

SHA512
ea1674dc46eb55389e5b0e6ae7519d22398fbfa4058fde32c9261c4afcbd64d499bd8dd46be4a5ce5d3f038326a3677f46cc2b7633457cac4bff048ba131e814

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
179KB

MD5
a7555e3c5abeb06fbd5bd6a22253ce39

SHA1
a5dd8d848f7982b739405fb17eafef2760a0fca1

SHA256
43761d83bbec27de2c3bd44479839565126108d0f9e8bf7ea25c8e27be79617d

SHA512
3621fb75b4db1b21427a5e6b854d971436855ced5a4c2976667e727773c64c9421353bc4953e3c0b343d3bf593c0f03abf3ee8348f1e38b5d5cc3d0f925b997f

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
119KB

MD5
2409dde34933b82f4ad3f73cc16d9490

SHA1
0cbf0d5390adec24e348a24c2441a82fd146afda

SHA256
13b8ed028b9c1693a75eb2b104052f5abdb682448cd59cbf3805117b67ecc2cf

SHA512
d693f34f712f26c9d0a7ee37306537b187a023371be609ef2891ebe2fa759c631b4ab86f6153d4d8d99a94f6c10b8d249565adccb636ef6eb80a3b72f9061bbd

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
153KB

MD5
2631b67ae3a1c2db6dfb943674fd0623

SHA1
f6f691e83b87287b7d518fd74b5073c0b9fe73ca

SHA256
c0dfdbbb073ac3321fa0c4fb7066d707ed69ef7673e4c59b1a1967eb2c31b078

SHA512
3fd0c94d3996b19465769ecfe6a637ab1a996b6efe9dcc5dbb05b499a8fc324a68b0a805ed5b0773dbb16834edaf3bee20648cd51e56b92336aef831817db7b1

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
197KB

MD5
c7e4ac677b6a5ee172d3ea7b54b2c8e2

SHA1
2268b7544636af4f8d83e2a2801df1876b4f9dc1

SHA256
4be3ce899e2dc6ef8f9d29e58d0d7f9d1638c585f0fc2bbbd4858464a15fbdf8

SHA512
a299f701b644e97546852ae1ff47f3c48aa0e6703ab32b0a1634bd0d62d44ff4ed2b2ec9091b053a0bc185d75e77fb7c607c09b3e6cd9e272b5f744b47e501ba

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
73KB

MD5
f80a63b98d1686a957a52ae97d0f65c1

SHA1
154eaad5074dd1d2cd4d63b6677e8b7e8a210b56

SHA256
f5fb0ee572a5f353f1bc0723dc723fd6c56ef1406c9e1324fade0ca1ab5b27eb

SHA512
34e835f4d34076383a37182d95bedb3840cb10de606f43cb92e0f8b58f00802e264e822d3cc3e075f4960998d7276247e21cc16ffce4541e11f132529b822d80

Download Submit
C:\Program Files\Microsoft Office\Updates\winlogon.exe

Filesize
1.7MB

MD5
794742e196658504969c2a0734f88bcb

SHA1
319842492ca9627b1baefe98c449a584227d064d

SHA256
9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948

SHA512
5c46d60e2b4dea9ecd076ddd180dae6cae90f42c5ed0b120f9d6b3162a7c3ab1a63643fda6e238d05c62c9eff5ff7135af776c50d465e94479096b89ccdf2b51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1492431038f2e5ac11fa3dd2b82e6b87

SHA1
27186dc9bd1a0c399c223238dd05aca832e78c4d

SHA256
9c8fc73f0ee5b6e909c614951755ee65b11267e6e381f799c17e76ef239c0f31

SHA512
876150bce398f5a3b42c0642db7e3dbf46807d21b7c08a636fe6ca670745ce71421dfe739e8e8149d0b376bd5a57de616544955b74535103d59818d44c336395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
219fff31948db7e0b3ddf77779ee3359

SHA1
de2bad3b2d188d0a7d0cdaf3f01ed9f6cd5adab7

SHA256
b24a8d0907f9c7295c60fa931a31e1fac561a212643418e622c689f56de80bd7

SHA512
8479fe5b0edf88c973d63d6efed0afc7da0742efd6fe1a81a97b26460e485108e4cbd9297c5e8d5a253df36f3827fe2dfe8dbf1ed515d6617e375ef3c455c1e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8f539707406b117c3687e3c061597a9

SHA1
349de5bb05439d9a732b9b604ba368dafbd9053b

SHA256
46032bd70e7ea33287002768bc4d0dc8c06d17e23da81ac6adb403b9f39353ef

SHA512
dea7820ef605e4c5f71d62f29a050c52ecb1301c80cd4cb152803e6fdb6fa4a537f29b61472fcbcca8cc30a5d004bb3879c3690e177427cde0b2b9666d63e510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85ffe13c53f41d3d0a15fba593b1f55a

SHA1
705fd1ecbc42d966b8d8b4ce23a9a1396122fb5e

SHA256
b1ce56240f9b331bb6cc2890d73add836c65e289305978915f52cc243191811d

SHA512
0d4829bc947fd3a8743c29a56c3008b1519ef714a5f637db275dd6aef394c236d995fe447b37ef9a7b11b9c43cf731436b50130b670c3cb5303ec4510321be93

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FUfZROOvk.bat

Filesize
230B

MD5
39a4216107d472fb15babc3a4e330f50

SHA1
460a07d68fc24c424be1840be0f5bbe386adaf18

SHA256
bb7b7043f488387f1a3429fab64898981571b7039ca6aaa96de66bcbe7c1c4ee

SHA512
c7d953e060a74492be17413fbc6a929d19c0b66bb1f46da602e18e2885e7ec2f54472749581a357284040cc20e8ca3f2675653ba57b75b56fc23842469322d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ENo64DAh0.bat

Filesize
182B

MD5
45f8591103353552f6d61277beb41df5

SHA1
ffd9b42ce81dc206eb2b9d13c9eccd836a40aa2d

SHA256
9dcf69d8302aea20a98c23465a3393f150fdd7422bd45ff82ff0a5e062deee6a

SHA512
2aa01005227ac1910368abeb5f23c0b7f6b15ea2d9d673e95f9d19ad03fa7c88270abc09c9c5b87cad7aa8d40784a51e68c3068f517b9f4bd1d4f25404183801

Download Submit
C:\Users\Admin\AppData\Local\Temp\9nTU0UPEK4.bat

Filesize
182B

MD5
cd600ee5adfcb752a60e3438af6d7ebc

SHA1
2b6ae67486fac6015c7a0f47c21525ce5d497041

SHA256
25f383f8007ced84f46bc44ec405448917393f6ff5021cb7b25a083f37357ef2

SHA512
0ab9b8bb795cd759060eb2b8524242a7041d44d18b1785126c0d70dc41068fb7a416324f43b62acdcd1555394a75562573757fd1695f7b9b19997df6eb7a299e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcCl1WGSVA.bat

Filesize
182B

MD5
ead5d4bae4525f743e6d61e301f73b66

SHA1
5ed429068ddcb8b76d1f00d3c54a1af7c35d26d4

SHA256
6fa7cf04cd1856b3a3d2587ea7c9b016940c77e510c0a185010c45710bae8718

SHA512
aa3fcbf777b3bca1405c96ec0155b116669e24be0c37d8f527efcf8ef65ffda804655df7c1a8b8b8a90082b9c68173667f43cd2003f872b294baaade828787a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMIoqcDtm3.bat

Filesize
230B

MD5
36308ec405ce3e91bac6f75a913842d0

SHA1
dd5fe188be9f2297ee1fd05b09e51eb4617d5e68

SHA256
df691094272590f092d6598ce17f323ffd646e6e4756c931364645af40a8cf1d

SHA512
740baedb64c35dfcfa767a2dd26032bf3e09beb0561c5dea9caf15769c71a288238712c19b6cb643911370447e294c49b03a5737f906df1d21b0ef4185346795

Download Submit
C:\Users\Admin\AppData\Local\Temp\DlQnvRVvYg.bat

Filesize
182B

MD5
8fa2d8325b36ce50ea43613a3a42e28f

SHA1
7fc3e24ec40016c2d00ee811deaa097e0c08a165

SHA256
16d8a6f25f8a4834a453d4cc1e8b01705e14a395415bb88532a0b5be843dd681

SHA512
33a0b44414c3ff2aaf0f108764483ac4ed9042789d26cd74fc1ea1556025120368bd1db82ab91c45c37ac8565c3e3a9462d69dacc2a4c4a3795d979e325e9cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ez7ZQMTyX4.bat

Filesize
182B

MD5
2a4ed134a47279fa94bcc543b22d4e1c

SHA1
2f6f692c973b3256fa5769f9fafa34cfee9cce8c

SHA256
943b4c5bf0c3cf31b44a30b7a31bf13430c55b880f45aab8f24bb959fa6d8f59

SHA512
a3d2b78ada088f804261ddf253a8689ecfdd83e0ed7be0cfcdd90f11a49b0f9d660b8b6983b6ae8f5ac94c73fd056285ee17776952c5ac0b4e71914648c1bf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\MiKQlKjHzt.bat

Filesize
182B

MD5
068aae911469ecac733dcc1e192ceec7

SHA1
dc20f528224f53849cf1a2fa0eee4196b1a956b8

SHA256
640638a4281fd458c7db655a67df429432423d5970dca8fc0f1d8fc5394cd789

SHA512
cbc899251137f84325d1059aa83df06933f391ed88cb24f24afc919c79d75e80bd27db663104f6e8fd807010acb13e46b4ca9ad5272e082f4163fea894ddfc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7B3lpetaR.bat

Filesize
182B

MD5
2c31457c4fd3631a39a47159bd7a52dc

SHA1
c37bb7076af6edab4b5a8c1f69ee223a34367667

SHA256
622e3efe1f911d3e2ee3c830a83a73371494191b90a76a0599f32724b969b922

SHA512
125d0439f7fbdf4a7083b4a57f21ef18ef2876ecd59e68a0acdad6b31f2313ae17eacef10cdbc1bdcb342196de12e681c54c49db5addc23defe3b82230c384cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU00hIhBOb.bat

Filesize
230B

MD5
3613147d645489af6616499d37a7269e

SHA1
9d8b2306a547e88785ce46cc2412097bf4de6367

SHA256
bc9c53253b2fbcf9fbca17a49a6d01ece59ec9b96634a259043261d1a8790df4

SHA512
48b06a38d8a426c23659c10b35379aaacfd3e0511e1754e2e9e3374aa8c14d67d60753034bb9edb39693e9be8cfdc6cb2d5ec33999706dedba22d2cba592ca55

Download Submit
C:\Users\Admin\AppData\Local\Temp\U51WDObLZJ.bat

Filesize
230B

MD5
fb79a11489d09466797b5559778dea5d

SHA1
b97febe83a229d98a252f68bddfaa1cdb8f1bf40

SHA256
ac0d241c0ff8a6b9ceefe953aed79c699e4fce846f38d61ec892d5910d979faa

SHA512
a88977598ce6a7f90fa066f691b52863d4f8bcee57dc4fa037d5f65b1947ad8adf22700708d30c29794256acdb419c3c52f7e8f69b3869ad01a3bbc3b9010584

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSxKcEorbD.bat

Filesize
230B

MD5
46d3ab20aae1eab37985d9441c7e3c91

SHA1
c5fe3fbffbef27f030ad84e71376e871cd3b71ff

SHA256
33fe188de7b8042c4accfccf932479d3fe49bcfcb3ee1fb49bded57801b72005

SHA512
66dab38a519fd84ce742d4f93f80ebb7eb05a8523f6270b40c08b73f88592c3646c037437d3d10d83fb6a99f1fb5add95d1f24655e3f0ae2cf5ce042c80e0c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xe7C8pmPDN.bat

Filesize
230B

MD5
1dd172c9589b49eca6bc395c805fdbc5

SHA1
52d8fcc58789c55d18f8b5984e2617ace014f5cf

SHA256
34946e6fb082a9a6929982555bb97bfe93f81c29ffaf460c2d0a2d0e415432ae

SHA512
9b4a7e9f96c7e0801114daaa2eb5076e11c2e5b4252f11d74f68993ee48858e7381de068dea00261d7b790ce7ed292f3d1b4e5fde1728c6e98d87fddba8881e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aSqT8qddOT.bat

Filesize
230B

MD5
220278f899ef8adab90c2bfc90aa0c24

SHA1
83e96d4314748b6fa52a3e7e1e5f835cd53e0aa0

SHA256
30450e0d6a9e5fe1e99218133ec64e1a3ecf6d575308dda9f7423e5c2440c6f3

SHA512
70796a9b595b781671b17001273745e18e815d6567afbb35139ac42550009e3a1f681b86b693079beb90c8e7682ab21af16c112cc607d59ea114f356ba0b70eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQudXBuXpp.bat

Filesize
230B

MD5
0402115123279723e071f2fe6c778933

SHA1
0c498682f6670897ce1c47133e7c7018f6124920

SHA256
bbe0d36eb2d9258258101b8b8e506b9ec39cc6e6ad0dcc3c225268cac4295cab

SHA512
2c18c53e7b04e0e9b42c763ebd0a72191f0be8d4ebf48b19b2c4b581bde82e0d1fc0fc9d897076ea4cf2fc43ba1db836cbf530bba4199b36336fe44ff667cb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc4V3lt5Qz.bat

Filesize
230B

MD5
0e09692114e13f5c9b8ff948b2ac4b29

SHA1
70823a4a4d89baf85742291a82e52411d984c9a1

SHA256
83dcae3bf98925089d760b560d26a33f6eff75c8730d07b067230607074de1f0

SHA512
2c14893e3fefffd31b9751d7fb668b3718c1cd5662b40c49c20a2634f9c9a385f76d1ad268bb99cbfd34ac0fae9745e71df0d81a4920278490db75ab616ec70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1v93Hoh1X.bat

Filesize
230B

MD5
a48b3ae844487bad67b4f3a400f2e7e7

SHA1
6c36fbf942c4fb5f94c92a50c8a5e4cb8d0def0a

SHA256
526e6427d1f37825b7904b359fc9b059c14784f5b25a88d345a2bac0e50ff40a

SHA512
0d245ffcb133f7552e1a8ecebe5913e372d2f98696760c14342a42cd24568ad16141ec8491b098576a1b8d0a780666393ece77c63c6f31096e2089ecd651d695

Download Submit
C:\Users\Admin\AppData\Local\Temp\cplHXgq9QN.bat

Filesize
230B

MD5
f7b8b0124b9986977fc5feee26a5e69e

SHA1
e64204045e1515d47c9ce15d6780a6ed92631856

SHA256
38b354c205c0de766881c992a31d6eaf150e5d70d1bcb4274cdf2de4f3632b84

SHA512
f697510ce58a32b4487327dfd1048dbae9eb40e7674386d3dbce8bfbf2b2729adad872c423d3d0b6ee242e091378b9b07b33be1b8de262b33053b12c50b92596

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQnm3nkJb5.bat

Filesize
230B

MD5
2abee33fea3838112314cef4e2fa5556

SHA1
828aea35a35e27f86fd9c274ee059fc8c9f8c755

SHA256
d8272279149d68aaaf85f095a1d2d2a0e662028b8a697f864e72daeb8500c481

SHA512
0e4bf65faa2f545681ee2256cebb5d5fedc31619a86840aa84c2b5a62c83db880160d5bc2bd6bcfe8b3312b80eff05045280a2f17a14602306246a3cab922c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa1oyizmeb.bat

Filesize
230B

MD5
b45e35a3ac63e110c0ca7b50ffd742e4

SHA1
fb4a9318112bbac5f9302b77a4a8fbd8534beaa8

SHA256
ee4fc7cdb7e3d429dc4356f67ef2ed93d6921ff0b9fbecd9b537dcc0990bc1b5

SHA512
8a86248bb58927b09089c6767c635981cec8bdf773e3d691e05a06ab7dd91587cc0636ae6bc9ad47f34549b3f5bff05341d75808f37b806ea1a7217a3dddf450

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzsSyDvNE9.bat

Filesize
230B

MD5
935fe1e8997328505daaeb8c37c8dd2c

SHA1
4ee2854c204c3b4beca2d2d784998a01a3adb88c

SHA256
e005c8c71151f2bd86f5f346cbe943fc7831b1bf1884e6514f0dce73efdb8688

SHA512
7115cfedf0306e5e83718d283a23535b54628eb547bac8862d406d02dbd0acb9c0c11922bf8784c2ef13fa903c1649d12cffe0749f0eb0321576bd7d90fcc736

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxpltA24Sk.bat

Filesize
230B

MD5
00bac46631632295307a53b4c64a7138

SHA1
551b6cee1170a284dbf30e555160eb3b13c7766f

SHA256
b12839f8e9891f7855f2f9aed127565a907ce85034af22a0ac7e027c0110e7c6

SHA512
a503f8dc3fef668c10a5e023d5ed8b2c081819209f6a2626c8ab5d2facb002123b08d7195e2abc3b081922ad146c68c7c73daf0fa1b43d289db523c12bf5df07

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKdioc4MGu.bat

Filesize
230B

MD5
4667fe8bdb8c0d8da62daaacd53765ea

SHA1
1a88db3204fb5a355651a355f3c4360efd9e5007

SHA256
844ad923ec2f27a788b9214078b912df1906e2921b288cc41ec22b84cca4e3b3

SHA512
aab9274e263722985e6778979a361067fc9f5fd26b2a28db7cee77c5a4a924c39d5e8471f7bf412cf96982de8a2e7419f3beba0e9590d08416ca65c85fe582a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rWoaKD2ur4.bat

Filesize
182B

MD5
03c761ea59e8dcdd39c0640c4fb00767

SHA1
8dbf688a03f13d2240f00feccedf9d72e27f27e8

SHA256
2b5e6b7d9dd652772d98130ea6ba6298b3b544e77013fa6ca5638c794e40141e

SHA512
3ff39c8d0c08e75fceff14d9dd5697dc825eb65b4b442b57640815dd647e5e12cd2278101b75442f575b6c8382f3007d14b837381c2acde793197f7ed7f3fde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjVMp8zxrT.bat

Filesize
182B

MD5
40ca18267d5dc666d4d0921ae519a01d

SHA1
fa78861821e2d02554c2c97a2d653b97f9976cd8

SHA256
8d4980b38e93f32e1a354dc217e59d3cece2c958b79a508420ed2671844321b9

SHA512
30fe5a3f687f4761e5be0b774243a325fdb2876303f66f06172f00bb1d06bc1c9519cd3d0165f2536c7c03969243a9c3b8bc3b30275e836d425e8b6845bbff60

Download Submit
memory/168-70-0x000002E84C800000-0x000002E84C810000-memory.dmp

Filesize
64KB

Download
memory/168-63-0x000002E84C800000-0x000002E84C810000-memory.dmp

Filesize
64KB

Download
memory/168-283-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/168-68-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/168-267-0x000002E84C800000-0x000002E84C810000-memory.dmp

Filesize
64KB

Download
memory/168-187-0x000002E84C800000-0x000002E84C810000-memory.dmp

Filesize
64KB

Download
memory/768-258-0x000002267E270000-0x000002267E280000-memory.dmp

Filesize
64KB

Download
memory/768-275-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/768-60-0x000002267E270000-0x000002267E280000-memory.dmp

Filesize
64KB

Download
memory/768-65-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/768-62-0x000002267E270000-0x000002267E280000-memory.dmp

Filesize
64KB

Download
memory/768-75-0x000002267E500000-0x000002267E576000-memory.dmp

Filesize
472KB

Download
memory/768-118-0x000002267E270000-0x000002267E280000-memory.dmp

Filesize
64KB

Download
memory/1320-284-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-249-0x00000240E8CA0000-0x00000240E8CB0000-memory.dmp

Filesize
64KB

Download
memory/1320-51-0x00000240E8CA0000-0x00000240E8CB0000-memory.dmp

Filesize
64KB

Download
memory/1320-54-0x00000240E8CA0000-0x00000240E8CB0000-memory.dmp

Filesize
64KB

Download
memory/1320-265-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-43-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-116-0x00000240E8CA0000-0x00000240E8CB0000-memory.dmp

Filesize
64KB

Download
memory/2524-14-0x00007FFFC1AC0000-0x00007FFFC1AC1000-memory.dmp

Filesize
4KB

Download
memory/2524-13-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/2524-0-0x00000000000D0000-0x0000000000290000-memory.dmp

Filesize
1.8MB

Download
memory/2524-1-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-2-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2524-3-0x000000001AE30000-0x000000001AE40000-memory.dmp

Filesize
64KB

Download
memory/2524-4-0x000000001AE30000-0x000000001AE40000-memory.dmp

Filesize
64KB

Download
memory/2524-17-0x0000000002470000-0x000000000247C000-memory.dmp

Filesize
48KB

Download
memory/2524-7-0x00007FFFC3140000-0x00007FFFC3141000-memory.dmp

Filesize
4KB

Download
memory/2524-15-0x00007FFFC1AB0000-0x00007FFFC1AB1000-memory.dmp

Filesize
4KB

Download
memory/2524-10-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download
memory/2524-8-0x000000001AE30000-0x000000001AE40000-memory.dmp

Filesize
64KB

Download
memory/2524-37-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-53-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-11-0x00007FFFC1AD0000-0x00007FFFC1AD1000-memory.dmp

Filesize
4KB

Download
memory/2524-6-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/4060-291-0x000000001B190000-0x000000001B1A0000-memory.dmp

Filesize
64KB

Download
memory/4060-299-0x00007FFFC1AB0000-0x00007FFFC1AB1000-memory.dmp

Filesize
4KB

Download
memory/4060-289-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4060-297-0x00007FFFC1AD0000-0x00007FFFC1AD1000-memory.dmp

Filesize
4KB

Download
memory/4060-307-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4060-298-0x00007FFFC1AC0000-0x00007FFFC1AC1000-memory.dmp

Filesize
4KB

Download
memory/4060-290-0x000000001B190000-0x000000001B1A0000-memory.dmp

Filesize
64KB

Download
memory/4060-293-0x000000001B190000-0x000000001B1A0000-memory.dmp

Filesize
64KB

Download
memory/4060-292-0x00007FFFC3140000-0x00007FFFC3141000-memory.dmp

Filesize
4KB

Download
memory/4060-288-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-47-0x0000022939080000-0x0000022939090000-memory.dmp

Filesize
64KB

Download
memory/4336-256-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-64-0x00000229513B0000-0x00000229513D2000-memory.dmp

Filesize
136KB

Download
memory/4336-34-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4336-181-0x0000022939080000-0x0000022939090000-memory.dmp

Filesize
64KB

Download
memory/4336-66-0x0000022939080000-0x0000022939090000-memory.dmp

Filesize
64KB

Download
memory/4336-259-0x0000022939080000-0x0000022939090000-memory.dmp

Filesize
64KB

Download
memory/4336-279-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4576-247-0x00000218E26A0000-0x00000218E26B0000-memory.dmp

Filesize
64KB

Download
memory/4576-69-0x00000218E26A0000-0x00000218E26B0000-memory.dmp

Filesize
64KB

Download
memory/4576-58-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4576-149-0x00000218E26A0000-0x00000218E26B0000-memory.dmp

Filesize
64KB

Download
memory/4576-266-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download
memory/4852-315-0x00007FFFC3140000-0x00007FFFC3141000-memory.dmp

Filesize
4KB

Download
memory/4852-313-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/4852-311-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/4852-312-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/4852-310-0x00007FFFA7550000-0x00007FFFA7F3C000-memory.dmp

Filesize
9.9MB

Download