Malware Analysis Report

2024-11-15 08:43

Sample ID 240510-bcnfcshd6v
Target 1e40160ff1f09d7445f2cdcd24104701.bin
SHA256 f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c
Tags
zgrat rat
score
10/10

Analysis Overview

Threat Level: Known bad

The file 1e40160ff1f09d7445f2cdcd24104701.bin was found to be: Known bad.

Malicious Activity Summary

zgrat rat

ZGRat

Detect ZGRat V1

Zgrat family

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:00

Signatures

Detect ZGRat V1

Zgrat family

zgrat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:00

Reported

2024-05-10 01:02

Platform

win7-20240220-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

Signatures

Detect ZGRat V1

ZGRat

rat zgrat

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2616 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2616 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2616 wrote to memory of 2432 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 2432 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 1232 wrote to memory of 1060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1232 wrote to memory of 1252 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1232 wrote to memory of 836 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 836 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2204 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2204 wrote to memory of 1444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2204 wrote to memory of 320 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 320 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2296 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2296 wrote to memory of 1980 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 1980 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 612 wrote to memory of 1028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 612 wrote to memory of 1780 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 612 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 2344 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2804 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UUMu1rrm8x.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
RU 77.221.157.108:80 77.221.157.108 tcp

Files

C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat

C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat

C:\Users\Admin\AppData\Local\Temp\UUMu1rrm8x.bat

C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat

C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat

\??\PIPE\lsarpc

C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat

C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat

C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat

C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat

C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat

C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat

C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat

C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat

C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:00

Reported

2024-05-10 01:02

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

Signatures

Detect ZGRat V1

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2796 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 1900 wrote to memory of 4772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1900 wrote to memory of 4772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1900 wrote to memory of 4376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1900 wrote to memory of 4376 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1900 wrote to memory of 3700 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 1900 wrote to memory of 3700 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 3700 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 3700 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2352 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2352 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2352 wrote to memory of 4808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2352 wrote to memory of 4808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2352 wrote to memory of 4268 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 2352 wrote to memory of 4268 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 4268 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 4268 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 4416 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4416 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4416 wrote to memory of 4052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4416 wrote to memory of 4052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4416 wrote to memory of 2068 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 4416 wrote to memory of 2068 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 2068 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2068 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 4428 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4428 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4428 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4428 wrote to memory of 2280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4428 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 4428 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 4324 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 4324 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 3860 wrote to memory of 1160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3860 wrote to memory of 1160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3860 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3860 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3860 wrote to memory of 3664 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 3860 wrote to memory of 3664 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 3664 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 3664 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2700 wrote to memory of 4512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2700 wrote to memory of 4512 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2700 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2700 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2700 wrote to memory of 2284 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 2700 wrote to memory of 2284 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 2284 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 2284 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 4476 wrote to memory of 3516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4476 wrote to memory of 3516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4476 wrote to memory of 4660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4476 wrote to memory of 4660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4476 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 4476 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 4596 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 4596 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe C:\Windows\System32\cmd.exe
PID 1628 wrote to memory of 4316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1628 wrote to memory of 4316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1628 wrote to memory of 3672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1628 wrote to memory of 3672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1628 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
PID 1628 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WEfJS3myHd.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MYvr7swJ3g.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w46Kl20HUF.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FiOhdEFLkG.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe

"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xIvSFn08gA.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 77.221.157.108:80 77.221.157.108 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 108.157.221.77.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 177.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.177:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
RU 77.221.157.108:80 77.221.157.108 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 3.166.122.92.in-addr.arpa udp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 77.221.157.108:80 77.221.157.108 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 77.221.157.108:80 77.221.157.108 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp
RU 77.221.157.108:80 77.221.157.108 tcp

Files

memory/2796-0-0x00000000003B0000-0x000000000058E000-memory.dmp

memory/2796-1-0x00007FF95A033000-0x00007FF95A035000-memory.dmp

memory/2796-2-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-3-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-4-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-6-0x0000000002650000-0x000000000265E000-memory.dmp

memory/2796-8-0x0000000002680000-0x000000000269C000-memory.dmp

memory/2796-10-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-9-0x000000001B340000-0x000000001B390000-memory.dmp

memory/2796-12-0x000000001B0D0000-0x000000001B0E8000-memory.dmp

memory/2796-14-0x0000000002660000-0x000000000266C000-memory.dmp

memory/2796-16-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-15-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-17-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-18-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-22-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-24-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-27-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

memory/2796-26-0x000000001BAD0000-0x000000001BC3A000-memory.dmp

memory/2796-28-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat

MD5 7094ddd3b3d9af46205f004d01eb55db
SHA1 fc5f7865607400f8aa55f74db9c18a212afc5652
SHA256 e7fa2c7b1f6cea9acddcb5876e0b37662aa3da8617318ecce65bf1031494f45d
SHA512 e9533c16ef361286fe9733b24d81a37d1cf9a8e669b11453bbfcc09b9140ba214081747e1c7756c1d69f525f042e51392521799114195d3ade187908f915aeb8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1e40160ff1f09d7445f2cdcd24104701.exe.log

MD5 f8b2fca3a50771154571c11f1c53887b
SHA1 2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f
SHA256 0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6
SHA512 b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

memory/3700-31-0x00007FF9598B0000-0x00007FF95A371000-memory.dmp

memory/3700-40-0x00007FF9598B0000-0x00007FF95A371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat

MD5 651d346c8d618f9e9a87ef2033acbe22
SHA1 1c4002fddb81265ad4988b212d29ee1a026663c5
SHA256 bb7173a913a5c01f259f71cf03780d13b5555ee9da7d0de822e3ebdc4281c6af
SHA512 ca93678bfbdadb46dbae198ba6cb7abebe2719b20fcedd464ec511688764aba8beef3e876c29930206ed316e38dbca3524feb7c411c41bdaa23debf0d1ceb57a

C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat

MD5 b13ac39fdfe19f75146c3c36fd4b6909
SHA1 7a1b059cc1989f374036bd2286225c7439900798
SHA256 900884129f10acf37f74a8e93f16016658d084fd4a53bbd554b3c5bf95129232
SHA512 5261c116cddd5f3b54d8bf9050ce385fcdb9506df4f44cd3929ef27d0f9a5de9e0572fd7190c7d520a35d9d8606b78437ce3cac7ca7e54340cb654c7075f66ef

C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat

MD5 423a843829db69465889b09d9dce535c
SHA1 70b0493d8a6e19d905169da43a95a20d3cf8d1f3
SHA256 2abc757a0b02f34b9ce847c2bf43751911d938f4735cbaae420d3373de092dc3
SHA512 7150dca783d3d6ddf9fa1f5ac96d67dd190dd5320dfe990c228a1b8685fdbe27fa6a5ce06f5b4865a513989a37724e918c7b088165d24d1e9f96dd7ddef9f7b0

C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat

MD5 194d24d20ceadce7232d1fd90d35b083
SHA1 9a5f5924281fbdb4557dd523b59a474394fbe96c
SHA256 dd1c4efad91e3bb8b8af60dc28ac8b6e4a131da0ffa226abc80fe3dd71208148
SHA512 3c7a3d53b3bf4ab641e060765574b8c999531fa98d4ff9a068d6c2932cb606461d09e7cd6e53b88bd133b425d5e6a2be55ce91d13118a01626a7ea8d9aff05d0

C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat

MD5 eaf35a7cb2e749cbedb2f37c0593a4dc
SHA1 5618e31c11fe8be5f19645bc6f5099f64003fb07
SHA256 6242e6bb10a0facf9504cd03398f5ba52dab1eea6f7d236d9ef0306b2c51dce4
SHA512 89fdbecdd947861528e5390fbe60b5c38e07305bd745e96bbd980242412f9afb787526b3c090f76208ea838aa239c4b2b22041601970ca75c112aa333897f826

C:\Users\Admin\AppData\Local\Temp\WEfJS3myHd.bat

MD5 f29de7d11a40a1cfb4335508a0e57e81
SHA1 1b991c235884a0150d982fed654cf734dab91a33
SHA256 f734292e74fea0e6b121903174812b2347adc22cd0f64fc42b7dbc2c771da7f5
SHA512 7bc1ec827f84bba4e6b4f7d044fad211af3ca2ff69db77ab84c9a3c208c5f36e31fdbe0e024c55792aab477800e1d59873f17721fca17feae6fa30ac159cd1d5

C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat

MD5 214d40b952318ef831d6c4acc8c6bb90
SHA1 786964ce6bea1deb417db7f5f96df49382fa5d94
SHA256 c0bf7569f5fd0ded277cc576751a858a8c39cfd67b750b47d13004e8c3aa927c
SHA512 04d09c7afa149538fbd2e003f1c9fe49a973b02866b7f373fcddcecffcd8a0ab823ed6af0e6c8e2b3901265af64fee7da9253acc1e885669d3f86d179ddfc842

C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat

MD5 4e4ff7d6d34695548896646a046b6e63
SHA1 b87a4c1a71b1de17f66efbb61e7671b781c4c9e4
SHA256 136b918a3086aa2041ae0ed0510f9aaeaaed6ee916a38b4fa55d7e0009bb5d91
SHA512 07f6c7fef460042d0a7b5112773e5314016ef012a6fb059bfc866a110030aeb1cc41295a867d25150bd03f3449ced68c44e49cb160b46677a3943453a4ea7531

C:\Users\Admin\AppData\Local\Temp\MYvr7swJ3g.bat

MD5 5122621c2e270714e11632f94582b2de
SHA1 13fab1d450b1759967bf45df70eb7279eea0eac4
SHA256 79a0fbbf54fc5d38a2ae9f48f04142faa885bccc9063a32d98f586bb69a98b9e
SHA512 bc3dc546572a5ccc50531eb09fedcd168be7b84b2ccc0111194bf1501c28f15e3265dcdb2d1f6ffde7be36e3d997603be5d5f2d2907101d37de057104e3424a9

C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat

MD5 741461711893cf457ad9bc7d9593252e
SHA1 53bbfc652b6603dd5979f02861e8d4fa2060967b
SHA256 024deab044943c5b0bfe8014dbda12a6ca258c0a9022c472ddd5f50e550be904
SHA512 9ac002a315a7dde5801a3845b2b01b9d0b32680e3ecd2a22f850045c108ccfd96681da20213f2d2f5e0f1c5e81e50831895e2c0ca533dbb7e63f92eee9ca4fe2

C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat

MD5 0c1ee96513fc858587a19400f86c860a
SHA1 174608f6fdf1a0083f5ee27b9e2e317475f19f38
SHA256 c7790365bef52e77d7701368d7679369f5e1b24f17e03038baa1ab5d23b2f5ef
SHA512 f8704b97176a5b6351911b07a594caed07cee23563827099661b9e9ccfc1f8417222a6f24cbcbac18238c7da32544dcd365d55de84dcdb9ea30b3b297dc7b0de

C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat

MD5 955136ea799b87a2be9231701bdb95b7
SHA1 198b0c030ccba14224e3f2db3bb7f55179937928
SHA256 bbfcc1de2a0cc0a296c69908f583659587da5c2ddd54df8217a11f6fc4384c97
SHA512 b151145bb3a2bb5a9c709200fcc1269feaf08edaef2c1013fe531506cecb61973c31510c6594762bd4cb9eefb71a4770b4cadce6b228892934041b79cd90df4f

C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat

MD5 61948e305f41bf7c0d254f49443c2e6d
SHA1 c8c9c5fd4cea10042699d4836809421c276875cf
SHA256 30b43d9c6c644a49ef23d5c4dce00a4716701ccc13bfd1ab55491c31505a3acc
SHA512 8ea421d6d4cd9fcaed58c893159157637d024be4e43900bf69c7a77d835ad8453062e5ccbaff8dcbcc543ec364faff354b47be55c36ed896761f96de0a64d1bf

C:\Users\Admin\AppData\Local\Temp\w46Kl20HUF.bat

MD5 23705d99d8ddcf6aafc33f23e29e2ed7
SHA1 36bf526d4c75f5b87ddd0aec3ce894f99f3908ba
SHA256 d4700d73b4ef01ac990b4ff2f84abbe4c199ffdc2bdcd413ab34c5c24b494c95
SHA512 882ff0b44d2ceb86b6312d6f2747adba65af438f9fcac199166bcb9f681a407c5434a87627a8b0d63a0322b6afcff6aa9a4895dc57b5319969d5b5135577ad72

C:\Users\Admin\AppData\Local\Temp\FiOhdEFLkG.bat

MD5 5233d843420639858c171b97ac912e27
SHA1 433c3c661d2d13a47db296836d20b6dfd87bbfe6
SHA256 704ccf063aa7b1e251186eb8f8789cb19fdd5420386d51e9e602cd88b2833ec6
SHA512 3513e26d971047ecb2d677ab405627c19101bc2edf4714521b889793c961a4b12c2b39c2bc17617fcc626868409d7ad18c841d5954e9275cf029e28d2d817744

C:\Users\Admin\AppData\Local\Temp\xIvSFn08gA.bat

MD5 2c343cf86778d32b75ec7ea25d91c9f9
SHA1 15c2d165f20f7cb5d23ac0f9ca9273a89fde7665
SHA256 0fe82eaf418b9ad1448be6d60fe5ad63e49e325297149c65401b5a4733187455
SHA512 be5cfbe15428a2b4be1d0931bb97b699c59e14e6be94580971e8c2da8a436b094b7f9f67d0051c402b3221679b2580b16350c558e01be08ef94ce7bf993a15ab