zgrat | ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Size

3.5MB
MD5

57c35a58ecb435c7975af0d43f3d603b
SHA1

c7bb75bf3b93128ed53997301b8f2d94a49a9787
SHA256

ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b
SHA512

f186273b9b2bdafaa63b884dba5eb07def3a11582964e644b107b6d586cce5f8e324be298368313d1eface07d8f90a03017626a991251038342951cc81c90618
SSDEEP

98304:U3oPPSKkooFPSJWRp0rDDf221usZ2gz9OwY:UZK+JSBZ2gT

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4644-1-0x0000000000B20000-0x0000000000EAC000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4644-1-0x0000000000B20000-0x0000000000EAC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4720	PING.EXE
4808	PING.EXE
5016	PING.EXE
2120	PING.EXE
2820	PING.EXE
4080	PING.EXE
3836	PING.EXE
1768	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

pid	Process
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	3740	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	3100	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	5016	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1116	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2860	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	384	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2104	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2408	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2488	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1624	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2220	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	4248	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	3120	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	4524	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exeee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.execmd.exe

description	pid	Process	procid_target
PID 4644 wrote to memory of 452	4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	91
PID 4644 wrote to memory of 452	4644	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	91
PID 452 wrote to memory of 3864	452	cmd.exe	93
PID 452 wrote to memory of 3864	452	cmd.exe	93
PID 452 wrote to memory of 4008	452	cmd.exe	94
PID 452 wrote to memory of 4008	452	cmd.exe	94
PID 452 wrote to memory of 3740	452	cmd.exe	99
PID 452 wrote to memory of 3740	452	cmd.exe	99
PID 3740 wrote to memory of 5004	3740	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	102
PID 3740 wrote to memory of 5004	3740	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	102
PID 5004 wrote to memory of 1536	5004	cmd.exe	104
PID 5004 wrote to memory of 1536	5004	cmd.exe	104
PID 5004 wrote to memory of 4496	5004	cmd.exe	105
PID 5004 wrote to memory of 4496	5004	cmd.exe	105
PID 5004 wrote to memory of 3100	5004	cmd.exe	106
PID 5004 wrote to memory of 3100	5004	cmd.exe	106
PID 3100 wrote to memory of 3960	3100	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	107
PID 3100 wrote to memory of 3960	3100	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	107
PID 3960 wrote to memory of 2392	3960	cmd.exe	109
PID 3960 wrote to memory of 2392	3960	cmd.exe	109
PID 3960 wrote to memory of 1768	3960	cmd.exe	110
PID 3960 wrote to memory of 1768	3960	cmd.exe	110
PID 3960 wrote to memory of 5016	3960	cmd.exe	112
PID 3960 wrote to memory of 5016	3960	cmd.exe	112
PID 5016 wrote to memory of 3400	5016	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	113
PID 5016 wrote to memory of 3400	5016	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	113
PID 3400 wrote to memory of 1592	3400	cmd.exe	115
PID 3400 wrote to memory of 1592	3400	cmd.exe	115
PID 3400 wrote to memory of 2896	3400	cmd.exe	116
PID 3400 wrote to memory of 2896	3400	cmd.exe	116
PID 3400 wrote to memory of 1116	3400	cmd.exe	118
PID 3400 wrote to memory of 1116	3400	cmd.exe	118
PID 1116 wrote to memory of 2888	1116	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	119
PID 1116 wrote to memory of 2888	1116	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	119
PID 2888 wrote to memory of 1644	2888	cmd.exe	121
PID 2888 wrote to memory of 1644	2888	cmd.exe	121
PID 2888 wrote to memory of 4720	2888	cmd.exe	122
PID 2888 wrote to memory of 4720	2888	cmd.exe	122
PID 2888 wrote to memory of 2860	2888	cmd.exe	123
PID 2888 wrote to memory of 2860	2888	cmd.exe	123
PID 2860 wrote to memory of 4436	2860	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	124
PID 2860 wrote to memory of 4436	2860	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	124
PID 4436 wrote to memory of 1452	4436	cmd.exe	126
PID 4436 wrote to memory of 1452	4436	cmd.exe	126
PID 4436 wrote to memory of 4808	4436	cmd.exe	127
PID 4436 wrote to memory of 4808	4436	cmd.exe	127
PID 4436 wrote to memory of 384	4436	cmd.exe	128
PID 4436 wrote to memory of 384	4436	cmd.exe	128
PID 384 wrote to memory of 5028	384	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	130
PID 384 wrote to memory of 5028	384	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	130
PID 5028 wrote to memory of 4292	5028	cmd.exe	132
PID 5028 wrote to memory of 4292	5028	cmd.exe	132
PID 5028 wrote to memory of 5016	5028	cmd.exe	133
PID 5028 wrote to memory of 5016	5028	cmd.exe	133
PID 5028 wrote to memory of 2104	5028	cmd.exe	134
PID 5028 wrote to memory of 2104	5028	cmd.exe	134
PID 2104 wrote to memory of 3216	2104	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	135
PID 2104 wrote to memory of 3216	2104	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	135
PID 3216 wrote to memory of 3232	3216	cmd.exe	137
PID 3216 wrote to memory of 3232	3216	cmd.exe	137
PID 3216 wrote to memory of 3664	3216	cmd.exe	138
PID 3216 wrote to memory of 3664	3216	cmd.exe	138
PID 3216 wrote to memory of 2408	3216	cmd.exe	139
PID 3216 wrote to memory of 2408	3216	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
"C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qSPJl9JANk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3864
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4008
- - C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
    "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GxEp7zFCwB.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1536
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ucUGghGnf.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sMcwJl1juU.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        9⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wjTqpsj0q4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        11⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BLXo76X4ph.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        13⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VzpByHn75i.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4292
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        15⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZMh4UPVO0I.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        17⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YhJZRZmgeT.bat"
        18⤵
        
        PID:988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        19⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\upHCHH0RIK.bat"
        20⤵
        
        PID:636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        21⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mkvvIrKbn0.bat"
        22⤵
        
        PID:208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        23⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7mooz1sjZ.bat"
        24⤵
        
        PID:5060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        25⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wjTqpsj0q4.bat"
        26⤵
        
        PID:1680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        27⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RVEN4vvioM.bat"
        28⤵
        
        PID:4036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe.log

Filesize
1KB

MD5
07309bd8d88aa32cac50b856dcde7ea4

SHA1
ff36ee74f17d7af6f2a59e4d868970b65d1181e2

SHA256
b9e8a168e9c52fef84060a8a9d03406e694b7b83fe5aacca905cc3f0bcf4b023

SHA512
3f0fa70207546a0150dad3bd4e817191561b2a97fcbb73db0bed9a6bb9462b10495c0aae11643d788b655893523c862f2c4a71f22ff611b2dfb4fe54a594bdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ucUGghGnf.bat

Filesize
230B

MD5
a18cd3ec7a1beaf095bb191018d05cb6

SHA1
49abdfe739c5e07737c7b6014a6674e8e7dc6540

SHA256
0d854cc3faf80cc4b9c13b87936b92817db63c68e65a56c90a42af64b578e9de

SHA512
e009b4e0ad0008154790628d989ead68eb4b7794d589cbd2ffee710e3cca780b40406922a62e96d54012804e8f7ee944c83ba09df52d5c4c5a99e639e865d5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLXo76X4ph.bat

Filesize
230B

MD5
d9a32c4e481a5dd180d6079e8c46319d

SHA1
726cd0db4f613befcdd510d543ca82d46b9944ed

SHA256
e72ced04cfe09d9c7bb3df61a4c2ee9a45c51f2b78a346fbec7cd7f1d4c53732

SHA512
45a3e81d5646dcc8697e49f2da048fe69ba9097a31117ddc1e33ab1b32f46203e1a193f5888621fda90987d9275951d03b891e2e57fab7e4f024c9ae31187080

Download Submit
C:\Users\Admin\AppData\Local\Temp\GxEp7zFCwB.bat

Filesize
278B

MD5
627e260221ba5327cde6f657eaac2e26

SHA1
d7760f0a874ccb80ce4ed7f81dc75383058560c7

SHA256
7a7bd3e9fb1d210531f8d0e20aef09846aa33c92e28212a1fbf1eb4cf2fb634f

SHA512
ea2778f03366b220155a1e469f5b5c8dfa1c16b49901d430264aa46c6c554d9fda66bd32328a338bbe7c896ab7475ff767153b62ed5142ab04c3e8b8d63f6e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVEN4vvioM.bat

Filesize
230B

MD5
faaa1aa6502150c9235cb275f8fcf5d7

SHA1
07374d17356d621a21a96f9487c39d6837d43790

SHA256
4a95f3d5ed19376023ef2b077495c19904c86633676998d9dbfc36d9bda7cbbf

SHA512
8ee78911f62246e82a681cb8f1e71348a763d4a573ae219b79cad307fa56cbb28d622443581b180c9a32047c09322e214f3b68d2967a6c66d65f6696f0878363

Download Submit
C:\Users\Admin\AppData\Local\Temp\VzpByHn75i.bat

Filesize
230B

MD5
cdacf20743c09de7f6706affd657a32d

SHA1
c00b3fbbb528920feb8cde23d6464077363c9db3

SHA256
3bf7a99bc7a0a9624f4424135e11022d69d3d63fa8bc58840d3a12a59f8c8322

SHA512
486759a2d8f7740540695ffac269010f86137010db9e579d6d02ad3c17804eac9c39e68c05dc49be1ff70efc136ec1c3a358a2130e02e953087986daeb01a275

Download Submit
C:\Users\Admin\AppData\Local\Temp\YhJZRZmgeT.bat

Filesize
278B

MD5
bdaf82926b26ae8b6038bea24825f3b2

SHA1
af1b7b4fc660fbb368678029832674300fa15305

SHA256
f3e7beee4a5b890005b4e527d12c2744bddbe7249f2d538407fb0cf5e9a8fe50

SHA512
6d02b9e6900d8ddb1f2c326f8c1cb7e20171182719eeee954846a6e07e48d56dc78466071ba158c46e9001d1e7a3a093e09bff260eaf2888395283683914fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMh4UPVO0I.bat

Filesize
278B

MD5
87f484b6c0c2e129772da1ccdcf34d17

SHA1
fd7e50b3ac72e909f15ee253a57f238f84e14b04

SHA256
0498a4a12c70fdf95c0292def5c7f5221285bc2ca76c928820765e158f4523d7

SHA512
f2a265a69dc9e8a10cd41acaf66f0fba05df2c8e53fb56677a5a200008bb91720aaa3ba50d6695a17f2a25b1caebbbbfd1430443823eff172101a612dced4d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkvvIrKbn0.bat

Filesize
230B

MD5
ed9e963c0eace6170819df9b89f6ed95

SHA1
a92df8b94a44fcbfe78c576b71eac4e4d13756c7

SHA256
24db4a1228d295ed77172857c00d674883d4eb4fae7d4e7a81a35141552a7618

SHA512
71be21c2e5b844e93a0b943dbfe3e14697730c8c52300eb6d47caded65eff48b24e63ca1a72c2a164fd0e6cf2dfd67f1183db391ab207e00d2f612b2c9bcfb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\qSPJl9JANk.bat

Filesize
278B

MD5
9acac73f610952d4f9873652a873288c

SHA1
6182bd4a2370320205255b56376c0dbfd69771be

SHA256
ba82264276f5cccbf093fa719520897e25fc6732de30cae38bffda25f2ca9389

SHA512
e319fcfa8a5227728db8308fd396b3e97495910deaa7c195d87241bcac1be4bac66699b4ad84aa4da05467731bdb46362530d886a2c6aec58a9bf7c9d6bf2657

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7mooz1sjZ.bat

Filesize
278B

MD5
681f524ace035e96786af572dcc375f5

SHA1
d99a964218d1055c5d499f9fbde30863d40cbbab

SHA256
3dbfc7f90b65b42a40c1bfa0139e6e003bce77ba62591706e3b6cf6162bf34cd

SHA512
ba487c6b6fcffbc49d155648c016ffae2d7def6dbbe012e4d3c651fad74157b3c3ba315788b5b4e89f30649f0ed208c63a01952bf603caa6362ea59dce2a0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMcwJl1juU.bat

Filesize
278B

MD5
857622a7bddd5043b9fb5d76c51f23ee

SHA1
eccdf85761a0893641ad28ac74749be96e81cc17

SHA256
6f1c3e3f27ad89c0fbdebc4a2ef665ae2ad6f1947d1cb35bd2f8979b77ea09d0

SHA512
667fb2895cd5b2b6315352c7e70ad301512ed657646757268bcaa3ddc4927d8462145ceaddcef2b00498a92cacc32d09e443e2f38ccfc7c269a69d6dd495376b

Download Submit
C:\Users\Admin\AppData\Local\Temp\upHCHH0RIK.bat

Filesize
230B

MD5
f056c04a0894da0f23837f8e06d0302d

SHA1
c133a471ff7c123f583bdae9ea1ff02b5ac5e592

SHA256
83c36d3d055f079a8a234c3a0b6f070acfaf7e61480c812d5a78d8a750f0d447

SHA512
3f569c83c780616d46b0bf06787df69c88ef963ad4ea021d32e02bec5255a659e18ca3f2661c16bfc84b1516157cb4a98ce3d61d6fa06bcd3685784855c86aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjTqpsj0q4.bat

Filesize
230B

MD5
1226e852e0513aba7e3bf64c57fc2bcb

SHA1
fcfc70adffd16c5c1e55ec4ab638d2b05b868991

SHA256
9ff5296ad9a15c24f2d6808ed048f9179b7efcabc3670ad00dadee498c8490d6

SHA512
90f4dc1a148ec3cae830da9dfd4a665fb496738bc6bfb8892998c4fe6649eeb0ca2de9c174bf007d0508fced63c752b77490386a84125dfd9979f4124a908785

Download Submit
memory/4644-20-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

Filesize
64KB

Download
memory/4644-51-0x000000001D130000-0x000000001D140000-memory.dmp

Filesize
64KB

Download
memory/4644-26-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-29-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-31-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4644-33-0x000000001D0D0000-0x000000001D0E6000-memory.dmp

Filesize
88KB

Download
memory/4644-28-0x000000001D0B0000-0x000000001D0C2000-memory.dmp

Filesize
72KB

Download
memory/4644-25-0x000000001BB60000-0x000000001BB6E000-memory.dmp

Filesize
56KB

Download
memory/4644-10-0x0000000003080000-0x000000000308E000-memory.dmp

Filesize
56KB

Download
memory/4644-35-0x000000001D0F0000-0x000000001D102000-memory.dmp

Filesize
72KB

Download
memory/4644-36-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-37-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-40-0x000000001BB80000-0x000000001BB8E000-memory.dmp

Filesize
56KB

Download
memory/4644-38-0x000000001D640000-0x000000001DB68000-memory.dmp

Filesize
5.2MB

Download
memory/4644-42-0x000000001BB90000-0x000000001BBA0000-memory.dmp

Filesize
64KB

Download
memory/4644-45-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-47-0x000000001D180000-0x000000001D1DA000-memory.dmp

Filesize
360KB

Download
memory/4644-44-0x000000001D110000-0x000000001D120000-memory.dmp

Filesize
64KB

Download
memory/4644-49-0x000000001D120000-0x000000001D12E000-memory.dmp

Filesize
56KB

Download
memory/4644-23-0x000000001BAE0000-0x000000001BAF0000-memory.dmp

Filesize
64KB

Download
memory/4644-53-0x000000001D140000-0x000000001D14E000-memory.dmp

Filesize
56KB

Download
memory/4644-55-0x000000001D3E0000-0x000000001D3F8000-memory.dmp

Filesize
96KB

Download
memory/4644-57-0x000000001D150000-0x000000001D15C000-memory.dmp

Filesize
48KB

Download
memory/4644-59-0x000000001D450000-0x000000001D49E000-memory.dmp

Filesize
312KB

Download
memory/4644-21-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-65-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-0-0x00007FFC73A83000-0x00007FFC73A85000-memory.dmp

Filesize
8KB

Download
memory/4644-12-0x000000001BB20000-0x000000001BB3C000-memory.dmp

Filesize
112KB

Download
memory/4644-13-0x000000001D060000-0x000000001D0B0000-memory.dmp

Filesize
320KB

Download
memory/4644-18-0x000000001BB40000-0x000000001BB58000-memory.dmp

Filesize
96KB

Download
memory/4644-15-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

Filesize
64KB

Download
memory/4644-16-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-8-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-7-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-6-0x000000001BAF0000-0x000000001BB16000-memory.dmp

Filesize
152KB

Download
memory/4644-4-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-3-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-2-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

Filesize
10.8MB

Download
memory/4644-1-0x0000000000B20000-0x0000000000EAC000-memory.dmp

Filesize
3.5MB

Download