Analysis Overview
SHA256
f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c
Threat Level: Known bad
The file 1e40160ff1f09d7445f2cdcd24104701.bin was found to be: Known bad.
Malicious Activity Summary
ZGRat
Detect ZGRat V1
Zgrat family
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 01:00
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Zgrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 01:00
Reported
2024-05-10 01:02
Platform
win7-20240220-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UUMu1rrm8x.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat
| MD5 | 7baa87e6af6e0ab2e63d6e011542d037 |
| SHA1 | 0d5fedae3decc1a05113008cd13e44f020d5eeb9 |
| SHA256 | 936579c0cdf2634135b8315fc0c2122f12c9cb75f5f13f58a98458acec94f32a |
| SHA512 | 7d168997d46cbbd9dac32548ffe716f5d500686ad08a3e1613c1286c161710721a55f487dc4550dff96aeaa62bdc37d6bcb07df706ebafb95a7aa61bb5b0f263 |
C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat
| MD5 | 1a5b5c581b703216433a601eb74bf716 |
| SHA1 | 7c5cda8554cf821c267763f3dae06fbfa4d32a76 |
| SHA256 | daade1e9094bb7e8043d9ae6a4611aca4861731e43446df99446a9f7d22f47ef |
| SHA512 | 7ca9c867251da8e3c6b29fe957c9a9009ef925b66af5385ae7bdb682d02a0883361723d2cf28e3364db16a675f844d4b5789c500c1c7bb9fc90ef12fd6ffd406 |
C:\Users\Admin\AppData\Local\Temp\UUMu1rrm8x.bat
| MD5 | 041dc6e4455c326e9d0fcabbc40cdac9 |
| SHA1 | d3592393b08b9b18fe2db774e06412f87a351006 |
| SHA256 | 0ebd95c1ac3d6f0107e14c48f8a0a14d336aceaf7e253148e417d76cc45539f9 |
| SHA512 | c855083b842285ed0ac67afdf795574c06697f4f926a03b1e0d265b4b269aae4d0fdc697c1cc4028010bc6556133381378f647d70a2b72d82899c7b39affbda6 |
C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat
| MD5 | dd5915764bf16cceb54627ecc91ec993 |
| SHA1 | efc906659030f1fe4c7848d3bb5939da5ecb47ae |
| SHA256 | 71dbb1b34f8f93049950f951500c150efdd29d92d83e8bb361505cb83687da4b |
| SHA512 | 181f438f2ae14330f0e29b4377588847b5f2c296aed96a04eaf083fe85aacc1ab956de9ea1cd12746a8e15326c22f62b5ba81dec5f28b2b1909b2f57a77aa559 |
C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat
| MD5 | aefd6a68c2c6fa2210110f50cdf80d52 |
| SHA1 | 07df3b6a86223f0256642f798f50efd7dc77a4b1 |
| SHA256 | f188253068e96ca968a2ed1e35e0c767dde8e29fb16201eeec8d27860caaaf99 |
| SHA512 | c20d738c059fc597df2bcc7598cba0a94909c347fccbc503103e8f4b926c5f70bcc93c064e41d550780d0027b2d184e9fd55c54f5887d6751078c2f78de7edae |
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat
| MD5 | ab6385959f208c6233400bdb781cf311 |
| SHA1 | ad5d3f8a31373d86cf0bd43f87d5b94ce74ebd01 |
| SHA256 | f62d02a8e3c0b79f81ed0ba558c4551de2da5da0dae23cca4076135ee899a391 |
| SHA512 | b141ce56dd293885e9c14038ec0db0fe92c733df8762215c653bdc626af6280ca5b51d712382e56ba6e736395ac884b374cadf04674d3dc6cd711d98db5ad8d3 |
C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat
| MD5 | 52dfc30d55e7aa4f211ab803d77dede9 |
| SHA1 | 43755693aeb724341ec1d1858942565ae841af38 |
| SHA256 | 7dd60de281278d85614fccb7fd38f2c86a210840953fb8495240897db8768860 |
| SHA512 | 7743a4e17ad9ad53aae5485f0b49ea4cfcc7d1bef820a362125c0581ddbc269ef2c08918d52f06d06d44daaed5aea523cdb86154a04862cf9960d14b24dfdf06 |
C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat
| MD5 | 582e6cd595ae09acae91998d7d8e949a |
| SHA1 | 9b5c838a38c1c399d2b19a6a399ec5bfebd00839 |
| SHA256 | 2a3058e456f2528bc88d7b657862c411a59e00aecf2a8fe064c60b9b36664283 |
| SHA512 | 89d76b600e3fb9a0e4cdca6ed66d969d3acd6de77ace79473cc19798dd8434b9a927a9e3807fb6a43fb48a6bacff72b6ea20042ac81e2cb2bf8b27ebae7d8200 |
C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat
| MD5 | 001a5e30eb601687a8ecf42a5b1a3b0e |
| SHA1 | 5d939e89c5d32463cea998649a0071cf9cdc7e18 |
| SHA256 | ea5eed2fd6333f3455429785881e04c285b6f36a7a22e3466154700bca39663f |
| SHA512 | 0b8a08d2a83280480760735c1167bd5bf0e1b88b52723639161e1494b8edcebf9e6b98ffd6474959a08aa8cac66763400a31b55a5ce3ef9c0ecb449030979229 |
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat
| MD5 | 13345bda9a7089cb4614ca37088fd8f9 |
| SHA1 | ebe532ed26f6c0ef07ff2f1905be59a6b4678b05 |
| SHA256 | 54e705247bda1f850674c7886d19ddf57e49092f79c93b88569dd8fb9b4f5e88 |
| SHA512 | bdbe216aab548d1dbbbc1cb1e7f37b78729b90de27f5e3a096b9cdd3e09ee00ab855d9e26ac3746f32994e74c22b365433b4d2d23daac3c264c3d16c9a313811 |
C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat
| MD5 | bd54ff99c8f38dfdbbb78c1d88458b61 |
| SHA1 | 0f44f24d21beb6387cca79bd43cf7df38a9abf4d |
| SHA256 | ccbf666200d81d0b20983fc71ae0f80843f6593cd591599e52ad14a36a842da9 |
| SHA512 | fdf4523ad6e2d9addada6e895f1f4f4e953aca47cc3224bc7d0af5c30d5bf4fb02ed29b909b4fb202c63833c4fe859f7a11a254eb7fbe5d8dab96d785e5a3bec |
C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat
| MD5 | 0e34a41661b4072ff4018d572e1beb61 |
| SHA1 | 485d4d87c3e9b19c1961d265abb7c0a826c6ab1a |
| SHA256 | 01128fc889dc198fbb759d6f59f05a952bbc3e3f30274ffaa1c40919cb47e486 |
| SHA512 | 680c773beb7943c5ae223323e0dd295765eb0a78c1e3644c211484331b3a6dd13790df7f5c9372ad05084c4958d764402c84f21c4b737d6977872d2e6ac479ea |
C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat
| MD5 | 12f8c617dd4adfbf0f6f321e3d79b64d |
| SHA1 | 9bce99b58b00eb1b72dcafde8b00cf6c59869db1 |
| SHA256 | 41d476613b61af5a283543f80714fb11a7f2af1332ee202b42423fab466f3f16 |
| SHA512 | 1b840d06222af12251d4e1f8aae578832d144c4dec9b1d8b75474c24e9488260fa27cd0077a4d754928c3a6adaf1ef85247ef0d21dc17f70c3c6b469dfb46f5c |
C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat
| MD5 | b4ae2da665aa4a5121022248daa3df5c |
| SHA1 | fcdf5a915921cc257298287080ea1c2b4b5f3b94 |
| SHA256 | c7995191feaca8d997769bc699224598392cc0960e85acf825203b83d767b74f |
| SHA512 | d95c7ad2dd03b27632a0b7c8b2d20cb6ab749093fd71dd3be0b5f68123337a50e139dceffcfb873b515b40af9e6204f30d10e35931b93e5adc5f60ae2d4aaddd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 01:00
Reported
2024-05-10 01:02
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WEfJS3myHd.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MYvr7swJ3g.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w46Kl20HUF.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FiOhdEFLkG.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xIvSFn08gA.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.157.221.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.166.122.92.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
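The rows above mix the sandbox's own DNS noise (reverse lookups of every destination under in-addr.arpa, Bing telemetry from the Windows image) with a run of plain-HTTP connections to one RU address that is never named by anything but its own IP. The script below is an added example, not part of the sandbox report: it parses rows in the report's own column layout, groups them per destination and flags endpoints that were contacted repeatedly under a bare IP literal. The sample rows are a subset copied from the table above; the threshold of three hits and the "cleartext" tag are heuristics chosen for the example, and the report itself makes no claim about what the endpoint serves.

```python
# Added example (not part of the sandbox report): summarise the report's
# network rows per destination and flag endpoints that were contacted
# repeatedly under a bare IP, i.e. with no hostname ever resolved for them.
import ipaddress
import re

# Constructed sample: a subset of the rows from the network table above,
# in the report's own "| country | dst:port | name | proto |" layout.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| RU | 77.221.157.108:80 | 77.221.157.108 | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$"
)


def parse_rows(text):
    """Turn table rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, name, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "name": name, "proto": proto})
    return rows


def is_raw_ip(name):
    """True when the 'name' column is just an IP literal (no DNS name)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def summarize(rows):
    """Group rows by (ip, port, proto) and count how often each was hit."""
    summary = {}
    for r in rows:
        key = (r["ip"], r["port"], r["proto"])
        entry = summary.setdefault(key, {"count": 0, "cc": r["cc"], "names": set()})
        entry["count"] += 1
        entry["names"].add(r["name"])
    return summary


def flag_repeated_raw_ip(summary, min_count=3):
    """Flag destinations hit >= min_count times whose name column was only
    ever an IP literal. DNS traffic (port 53) is excluded: those rows are
    the sandbox's own reverse lookups (*.in-addr.arpa) and name queries.
    The threshold is a heuristic chosen for this example."""
    flagged = []
    for (ip, port, proto), e in summary.items():
        if port == 53:
            continue
        if e["count"] >= min_count and all(is_raw_ip(n) for n in e["names"]):
            flagged.append({"ip": ip, "port": port, "proto": proto,
                            "cc": e["cc"], "count": e["count"],
                            "cleartext": port == 80})
    return sorted(flagged, key=lambda f: -f["count"])


if __name__ == "__main__":
    for f in flag_repeated_raw_ip(summarize(parse_rows(SAMPLE_ROWS))):
        print(f)
```

Run against the full table, the only destination that survives the filter is 77.221.157.108:80/tcp; the Bing and Google endpoints all carry a hostname and drop out. The same grouping is a reasonable first pass over proxy or NetFlow exports when hunting for the pattern this report shows.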
Files
memory/2796-0-0x00000000003B0000-0x000000000058E000-memory.dmp
memory/2796-1-0x00007FF95A033000-0x00007FF95A035000-memory.dmp
memory/2796-2-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-3-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-4-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-6-0x0000000002650000-0x000000000265E000-memory.dmp
memory/2796-8-0x0000000002680000-0x000000000269C000-memory.dmp
memory/2796-10-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-9-0x000000001B340000-0x000000001B390000-memory.dmp
memory/2796-12-0x000000001B0D0000-0x000000001B0E8000-memory.dmp
memory/2796-14-0x0000000002660000-0x000000000266C000-memory.dmp
memory/2796-16-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-15-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-17-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-18-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-22-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-24-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-27-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-26-0x000000001BAD0000-0x000000001BC3A000-memory.dmp
memory/2796-28-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat
| MD5 | 7094ddd3b3d9af46205f004d01eb55db |
| SHA1 | fc5f7865607400f8aa55f74db9c18a212afc5652 |
| SHA256 | e7fa2c7b1f6cea9acddcb5876e0b37662aa3da8617318ecce65bf1031494f45d |
| SHA512 | e9533c16ef361286fe9733b24d81a37d1cf9a8e669b11453bbfcc09b9140ba214081747e1c7756c1d69f525f042e51392521799114195d3ade187908f915aeb8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1e40160ff1f09d7445f2cdcd24104701.exe.log
| MD5 | f8b2fca3a50771154571c11f1c53887b |
| SHA1 | 2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f |
| SHA256 | 0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6 |
| SHA512 | b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a |
memory/3700-31-0x00007FF9598B0000-0x00007FF95A371000-memory.dmp
memory/3700-40-0x00007FF9598B0000-0x00007FF95A371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat
| MD5 | 651d346c8d618f9e9a87ef2033acbe22 |
| SHA1 | 1c4002fddb81265ad4988b212d29ee1a026663c5 |
| SHA256 | bb7173a913a5c01f259f71cf03780d13b5555ee9da7d0de822e3ebdc4281c6af |
| SHA512 | ca93678bfbdadb46dbae198ba6cb7abebe2719b20fcedd464ec511688764aba8beef3e876c29930206ed316e38dbca3524feb7c411c41bdaa23debf0d1ceb57a |
C:\Users\Admin\AppData\Local\Temp\fYqjwDText.bat
| MD5 | b13ac39fdfe19f75146c3c36fd4b6909 |
| SHA1 | 7a1b059cc1989f374036bd2286225c7439900798 |
| SHA256 | 900884129f10acf37f74a8e93f16016658d084fd4a53bbd554b3c5bf95129232 |
| SHA512 | 5261c116cddd5f3b54d8bf9050ce385fcdb9506df4f44cd3929ef27d0f9a5de9e0572fd7190c7d520a35d9d8606b78437ce3cac7ca7e54340cb654c7075f66ef |
C:\Users\Admin\AppData\Local\Temp\c4BTxhTwZ3.bat
| MD5 | 423a843829db69465889b09d9dce535c |
| SHA1 | 70b0493d8a6e19d905169da43a95a20d3cf8d1f3 |
| SHA256 | 2abc757a0b02f34b9ce847c2bf43751911d938f4735cbaae420d3373de092dc3 |
| SHA512 | 7150dca783d3d6ddf9fa1f5ac96d67dd190dd5320dfe990c228a1b8685fdbe27fa6a5ce06f5b4865a513989a37724e918c7b088165d24d1e9f96dd7ddef9f7b0 |
C:\Users\Admin\AppData\Local\Temp\B0uJAwGmBV.bat
| MD5 | 194d24d20ceadce7232d1fd90d35b083 |
| SHA1 | 9a5f5924281fbdb4557dd523b59a474394fbe96c |
| SHA256 | dd1c4efad91e3bb8b8af60dc28ac8b6e4a131da0ffa226abc80fe3dd71208148 |
| SHA512 | 3c7a3d53b3bf4ab641e060765574b8c999531fa98d4ff9a068d6c2932cb606461d09e7cd6e53b88bd133b425d5e6a2be55ce91d13118a01626a7ea8d9aff05d0 |
C:\Users\Admin\AppData\Local\Temp\O2a76Ow1QW.bat
| MD5 | eaf35a7cb2e749cbedb2f37c0593a4dc |
| SHA1 | 5618e31c11fe8be5f19645bc6f5099f64003fb07 |
| SHA256 | 6242e6bb10a0facf9504cd03398f5ba52dab1eea6f7d236d9ef0306b2c51dce4 |
| SHA512 | 89fdbecdd947861528e5390fbe60b5c38e07305bd745e96bbd980242412f9afb787526b3c090f76208ea838aa239c4b2b22041601970ca75c112aa333897f826 |
C:\Users\Admin\AppData\Local\Temp\WEfJS3myHd.bat
| MD5 | f29de7d11a40a1cfb4335508a0e57e81 |
| SHA1 | 1b991c235884a0150d982fed654cf734dab91a33 |
| SHA256 | f734292e74fea0e6b121903174812b2347adc22cd0f64fc42b7dbc2c771da7f5 |
| SHA512 | 7bc1ec827f84bba4e6b4f7d044fad211af3ca2ff69db77ab84c9a3c208c5f36e31fdbe0e024c55792aab477800e1d59873f17721fca17feae6fa30ac159cd1d5 |
C:\Users\Admin\AppData\Local\Temp\Tl03UWnGtn.bat
| MD5 | 214d40b952318ef831d6c4acc8c6bb90 |
| SHA1 | 786964ce6bea1deb417db7f5f96df49382fa5d94 |
| SHA256 | c0bf7569f5fd0ded277cc576751a858a8c39cfd67b750b47d13004e8c3aa927c |
| SHA512 | 04d09c7afa149538fbd2e003f1c9fe49a973b02866b7f373fcddcecffcd8a0ab823ed6af0e6c8e2b3901265af64fee7da9253acc1e885669d3f86d179ddfc842 |
C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat
| MD5 | 4e4ff7d6d34695548896646a046b6e63 |
| SHA1 | b87a4c1a71b1de17f66efbb61e7671b781c4c9e4 |
| SHA256 | 136b918a3086aa2041ae0ed0510f9aaeaaed6ee916a38b4fa55d7e0009bb5d91 |
| SHA512 | 07f6c7fef460042d0a7b5112773e5314016ef012a6fb059bfc866a110030aeb1cc41295a867d25150bd03f3449ced68c44e49cb160b46677a3943453a4ea7531 |
C:\Users\Admin\AppData\Local\Temp\MYvr7swJ3g.bat
| MD5 | 5122621c2e270714e11632f94582b2de |
| SHA1 | 13fab1d450b1759967bf45df70eb7279eea0eac4 |
| SHA256 | 79a0fbbf54fc5d38a2ae9f48f04142faa885bccc9063a32d98f586bb69a98b9e |
| SHA512 | bc3dc546572a5ccc50531eb09fedcd168be7b84b2ccc0111194bf1501c28f15e3265dcdb2d1f6ffde7be36e3d997603be5d5f2d2907101d37de057104e3424a9 |
C:\Users\Admin\AppData\Local\Temp\J5Gb9Mxbfq.bat
| MD5 | 741461711893cf457ad9bc7d9593252e |
| SHA1 | 53bbfc652b6603dd5979f02861e8d4fa2060967b |
| SHA256 | 024deab044943c5b0bfe8014dbda12a6ca258c0a9022c472ddd5f50e550be904 |
| SHA512 | 9ac002a315a7dde5801a3845b2b01b9d0b32680e3ecd2a22f850045c108ccfd96681da20213f2d2f5e0f1c5e81e50831895e2c0ca533dbb7e63f92eee9ca4fe2 |
C:\Users\Admin\AppData\Local\Temp\JQt66VEtJ1.bat
| MD5 | 0c1ee96513fc858587a19400f86c860a |
| SHA1 | 174608f6fdf1a0083f5ee27b9e2e317475f19f38 |
| SHA256 | c7790365bef52e77d7701368d7679369f5e1b24f17e03038baa1ab5d23b2f5ef |
| SHA512 | f8704b97176a5b6351911b07a594caed07cee23563827099661b9e9ccfc1f8417222a6f24cbcbac18238c7da32544dcd365d55de84dcdb9ea30b3b297dc7b0de |
C:\Users\Admin\AppData\Local\Temp\IqQTfaxkTv.bat
| MD5 | 955136ea799b87a2be9231701bdb95b7 |
| SHA1 | 198b0c030ccba14224e3f2db3bb7f55179937928 |
| SHA256 | bbfcc1de2a0cc0a296c69908f583659587da5c2ddd54df8217a11f6fc4384c97 |
| SHA512 | b151145bb3a2bb5a9c709200fcc1269feaf08edaef2c1013fe531506cecb61973c31510c6594762bd4cb9eefb71a4770b4cadce6b228892934041b79cd90df4f |
C:\Users\Admin\AppData\Local\Temp\39SckRh7ya.bat
| MD5 | 61948e305f41bf7c0d254f49443c2e6d |
| SHA1 | c8c9c5fd4cea10042699d4836809421c276875cf |
| SHA256 | 30b43d9c6c644a49ef23d5c4dce00a4716701ccc13bfd1ab55491c31505a3acc |
| SHA512 | 8ea421d6d4cd9fcaed58c893159157637d024be4e43900bf69c7a77d835ad8453062e5ccbaff8dcbcc543ec364faff354b47be55c36ed896761f96de0a64d1bf |
C:\Users\Admin\AppData\Local\Temp\w46Kl20HUF.bat
| MD5 | 23705d99d8ddcf6aafc33f23e29e2ed7 |
| SHA1 | 36bf526d4c75f5b87ddd0aec3ce894f99f3908ba |
| SHA256 | d4700d73b4ef01ac990b4ff2f84abbe4c199ffdc2bdcd413ab34c5c24b494c95 |
| SHA512 | 882ff0b44d2ceb86b6312d6f2747adba65af438f9fcac199166bcb9f681a407c5434a87627a8b0d63a0322b6afcff6aa9a4895dc57b5319969d5b5135577ad72 |
C:\Users\Admin\AppData\Local\Temp\FiOhdEFLkG.bat
| MD5 | 5233d843420639858c171b97ac912e27 |
| SHA1 | 433c3c661d2d13a47db296836d20b6dfd87bbfe6 |
| SHA256 | 704ccf063aa7b1e251186eb8f8789cb19fdd5420386d51e9e602cd88b2833ec6 |
| SHA512 | 3513e26d971047ecb2d677ab405627c19101bc2edf4714521b889793c961a4b12c2b39c2bc17617fcc626868409d7ad18c841d5954e9275cf029e28d2d817744 |
C:\Users\Admin\AppData\Local\Temp\xIvSFn08gA.bat
| MD5 | 2c343cf86778d32b75ec7ea25d91c9f9 |
| SHA1 | 15c2d165f20f7cb5d23ac0f9ca9273a89fde7665 |
| SHA256 | 0fe82eaf418b9ad1448be6d60fe5ad63e49e325297149c65401b5a4733187455 |
| SHA512 | be5cfbe15428a2b4be1d0931bb97b699c59e14e6be94580971e8c2da8a436b094b7f9f67d0051c402b3221679b2580b16350c558e01be08ef94ce7bf993a15ab |
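The Files listing interleaves two kinds of artefact: memory dumps named by pid and address range, and dropped files with a hash table each. Several dump names repeat the same range (for example 0x00007FF95A030000-0x00007FF95AAF1000 for pid 2796), which reads as one region captured more than once rather than many distinct regions. The script below is an added example, not part of the sandbox report: it parses an excerpt of the listing above into structured records, collapses repeated dump ranges and reports their sizes, attaches each hash row to the path before it, and sanity-checks hash lengths. It assumes the middle number in a dump name is a per-run sequence counter; the report does not say what the dumped regions contain.

```python
# Added example (not part of the sandbox report): parse the Files listing
# into structured records: memory dump regions (pid, range, size) and
# dropped files with their hashes. Assumption: in the dump file names the
# middle number is a per-run sequence counter, so the same range appearing
# several times is one region captured repeatedly.
import re

# Constructed excerpt of the Files listing above.
SAMPLE_FILES = r"""Files
memory/2796-0-0x00000000003B0000-0x000000000058E000-memory.dmp
memory/2796-2-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-3-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2796-6-0x0000000002650000-0x000000000265E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SWAv0lnPhs.bat
| MD5 | 7094ddd3b3d9af46205f004d01eb55db |
| SHA1 | fc5f7865607400f8aa55f74db9c18a212afc5652 |
| SHA256 | e7fa2c7b1f6cea9acddcb5876e0b37662aa3da8617318ecce65bf1031494f45d |
memory/3700-31-0x00007FF9598B0000-0x00007FF95A371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat
| MD5 | 651d346c8d618f9e9a87ef2033acbe22 |
| SHA256 | bb7173a913a5c01f259f71cf03780d13b5555ee9da7d0de822e3ebdc4281c6af |
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (regions, dropped). Hash rows attach to the preceding path;
    a dump line in between ends the current file so nothing mis-attaches."""
    regions, dropped = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "seq": int(seq),
                            "start": start, "end": end, "size": end - start})
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            dropped.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, value = m.groups()
            current["hashes"][algo] = value.lower()
    return regions, dropped


def unique_regions(regions):
    """Collapse repeated dumps of the same (pid, range); keep size and count."""
    out = {}
    for r in regions:
        key = (r["pid"], r["start"], r["end"])
        e = out.setdefault(key, {"size": r["size"], "dumps": 0})
        e["dumps"] += 1
    return out


def bad_hashes(dropped):
    """Sanity check: a hash whose hex length does not fit its algorithm
    was probably truncated or mangled when the report was copied."""
    return [(d["path"], algo) for d in dropped
            for algo, v in d["hashes"].items() if len(v) != HEX_LEN[algo]]


def sha256_set(dropped):
    """Lower-cased SHA256 values of all dropped files, for a blocklist."""
    return {d["hashes"]["SHA256"] for d in dropped if "SHA256" in d["hashes"]}


if __name__ == "__main__":
    regions, dropped = parse_files(SAMPLE_FILES)
    for (pid, start, end), e in unique_regions(regions).items():
        print(f"pid {pid} 0x{start:X}-0x{end:X} size=0x{e['size']:X} dumps={e['dumps']}")
    print(sorted(sha256_set(dropped)))
```

The size column is what makes the collapsed view useful: the 0xAC1000-byte range dumped repeatedly for pid 2796 is far larger than the small heap-sized regions such as 0x2650000-0x265E000, so the two groups deserve different handling when the dumps are pulled for triage. The SHA256 set can be fed straight into an EDR or mail-gateway blocklist for the dropped .bat files.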