zgrat | ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Size

2.0MB
MD5

70d149f275ccc89790c5405849a9ad9f
SHA1

de1a99c487f1b78320142e64fa1531c65a1ad8e7
SHA256

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4
SHA512

899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7
SSDEEP

49152:yKB0Z0w15HQDEbwbIx0QEiY/ifrR6Vuo:yKB+1NQDETjAifH

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 15 IoCs

resource	yara_rule
behavioral2/memory/1960-0-0x0000000000F60000-0x000000000115A000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023222-44.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-317.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-316.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-350.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-382.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-413.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-445.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-477.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-507.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-538.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-568.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-600.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-699.dat	family_zgrat_v1
behavioral2/files/0x000600000002321e-730.dat	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1584	schtasks.exe	71
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1584	schtasks.exe	71

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 15 IoCs

resource	yara_rule
behavioral2/memory/1960-0-0x0000000000F60000-0x000000000115A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023222-44.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-317.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-316.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-350.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-382.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-413.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-445.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-477.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-507.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-538.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-568.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-600.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-699.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x000600000002321e-730.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 14 IoCs

pid	Process
5356	OfficeClickToRun.exe
4844	OfficeClickToRun.exe
1636	OfficeClickToRun.exe
752	OfficeClickToRun.exe
3508	OfficeClickToRun.exe
5204	OfficeClickToRun.exe
1560	OfficeClickToRun.exe
5408	OfficeClickToRun.exe
2020	OfficeClickToRun.exe
3256	OfficeClickToRun.exe
2948	OfficeClickToRun.exe
3828	OfficeClickToRun.exe
5872	OfficeClickToRun.exe
1588	OfficeClickToRun.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io
12	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\e6c9b481da804f	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\wininit.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3504	schtasks.exe
2740	schtasks.exe
1072	schtasks.exe
3236	schtasks.exe
3480	schtasks.exe
3004	schtasks.exe
4028	schtasks.exe
4532	schtasks.exe
4832	schtasks.exe
436	schtasks.exe
3896	schtasks.exe
4380	schtasks.exe
4820	schtasks.exe
788	schtasks.exe
4044	schtasks.exe
3248	schtasks.exe
4052	schtasks.exe
1532	schtasks.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	OfficeClickToRun.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
3768	PING.EXE
760	PING.EXE
2124	PING.EXE
4936	PING.EXE
5860	PING.EXE
4940	PING.EXE
2976	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	60	w32tm.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	760	PING.EXE
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	5356	OfficeClickToRun.exe
Token: SeDebugPrivilege	4844	OfficeClickToRun.exe
Token: SeDebugPrivilege	1636	OfficeClickToRun.exe
Token: SeDebugPrivilege	752	OfficeClickToRun.exe
Token: SeDebugPrivilege	3508	OfficeClickToRun.exe
Token: SeDebugPrivilege	5204	OfficeClickToRun.exe
Token: SeDebugPrivilege	1560	OfficeClickToRun.exe
Token: SeDebugPrivilege	5408	OfficeClickToRun.exe
Token: SeDebugPrivilege	2020	OfficeClickToRun.exe
Token: SeDebugPrivilege	3256	OfficeClickToRun.exe
Token: SeDebugPrivilege	2948	OfficeClickToRun.exe
Token: SeDebugPrivilege	3828	OfficeClickToRun.exe
Token: SeDebugPrivilege	5872	OfficeClickToRun.exe
Token: SeDebugPrivilege	1588	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 4076	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	145
PID 1960 wrote to memory of 4076	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	145
PID 1960 wrote to memory of 2768	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	144
PID 1960 wrote to memory of 2768	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	144
PID 1960 wrote to memory of 2028	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	143
PID 1960 wrote to memory of 2028	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	143
PID 1960 wrote to memory of 4136	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	142
PID 1960 wrote to memory of 4136	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	142
PID 1960 wrote to memory of 60	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	162
PID 1960 wrote to memory of 60	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	162
PID 1960 wrote to memory of 2452	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	139
PID 1960 wrote to memory of 2452	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	139
PID 1960 wrote to memory of 448	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	138
PID 1960 wrote to memory of 448	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	138
PID 1960 wrote to memory of 760	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	178
PID 1960 wrote to memory of 760	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	178
PID 1960 wrote to memory of 4892	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	136
PID 1960 wrote to memory of 4892	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	136
PID 1960 wrote to memory of 4772	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	135
PID 1960 wrote to memory of 4772	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	135
PID 1960 wrote to memory of 1104	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	132
PID 1960 wrote to memory of 1104	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	132
PID 1960 wrote to memory of 5076	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	131
PID 1960 wrote to memory of 5076	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	131
PID 1960 wrote to memory of 3056	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	130
PID 1960 wrote to memory of 3056	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	130
PID 1960 wrote to memory of 2428	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	129
PID 1960 wrote to memory of 2428	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	129
PID 1960 wrote to memory of 4476	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	128
PID 1960 wrote to memory of 4476	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	128
PID 1960 wrote to memory of 3076	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	127
PID 1960 wrote to memory of 3076	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	127
PID 1960 wrote to memory of 3520	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	126
PID 1960 wrote to memory of 3520	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	126
PID 1960 wrote to memory of 1608	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	125
PID 1960 wrote to memory of 1608	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	125
PID 1960 wrote to memory of 4320	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	109
PID 1960 wrote to memory of 4320	1960	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	109
PID 4320 wrote to memory of 5456	4320	cmd.exe	117
PID 4320 wrote to memory of 5456	4320	cmd.exe	117
PID 4320 wrote to memory of 5832	4320	cmd.exe	120
PID 4320 wrote to memory of 5832	4320	cmd.exe	120
PID 4320 wrote to memory of 5356	4320	cmd.exe	147
PID 4320 wrote to memory of 5356	4320	cmd.exe	147
PID 5356 wrote to memory of 5976	5356	OfficeClickToRun.exe	151
PID 5356 wrote to memory of 5976	5356	OfficeClickToRun.exe	151
PID 5976 wrote to memory of 6052	5976	cmd.exe	150
PID 5976 wrote to memory of 6052	5976	cmd.exe	150
PID 5976 wrote to memory of 4940	5976	cmd.exe	149
PID 5976 wrote to memory of 4940	5976	cmd.exe	149
PID 5976 wrote to memory of 4844	5976	cmd.exe	155
PID 5976 wrote to memory of 4844	5976	cmd.exe	155
PID 4844 wrote to memory of 1340	4844	OfficeClickToRun.exe	159
PID 4844 wrote to memory of 1340	4844	OfficeClickToRun.exe	159
PID 1340 wrote to memory of 1300	1340	cmd.exe	157
PID 1340 wrote to memory of 1300	1340	cmd.exe	157
PID 1340 wrote to memory of 1224	1340	cmd.exe	156
PID 1340 wrote to memory of 1224	1340	cmd.exe	156
PID 1340 wrote to memory of 1636	1340	cmd.exe	160
PID 1340 wrote to memory of 1636	1340	cmd.exe	160
PID 1636 wrote to memory of 5776	1636	OfficeClickToRun.exe	164
PID 1636 wrote to memory of 5776	1636	OfficeClickToRun.exe	164
PID 5776 wrote to memory of 5952	5776	cmd.exe	163
PID 5776 wrote to memory of 5952	5776	cmd.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
"C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PDsOmRrZcw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5456
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5832
- - C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
    "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5356
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5976
    - - C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xDZppRkgYb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ujuZrulyBl.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat"
        10⤵
        
        PID:4376
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
        12⤵
        
        PID:3404
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ycxw1CWDXu.bat"
        14⤵
        
        PID:3324
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7mSN2TF6L.bat"
        16⤵
        
        PID:5560
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u4X4n42Gpx.bat"
        18⤵
        
        PID:1816
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BFBBgjIbh8.bat"
        20⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2124
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fSU5VqEBqK.bat"
        22⤵
        
        PID:5952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3480
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat"
        24⤵
        
        PID:468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:4936
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat"
        26⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:5860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5144
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTZEhVhqv7.bat"
        28⤵
        
        PID:4584
        
        C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe
        
        "C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\unsecapp.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4940

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:6052

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1224

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2976

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5140

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3768

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5856

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5008

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:6056

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5964

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5240

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5196

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2684

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
79KB

MD5
4c44453333fa3a5d291233af607376d7

SHA1
fb8f09a671185f8a60be5ec3868552a4f6c84428

SHA256
24e4b31f14384a77811afc0fc965752f2da4efa0b1da249a13c9b92ceb894844

SHA512
6941def1443fc09de51e6795eeec6496be7c826ea4de188881107d4762ffd4d0a7f14e10984bb7d924c6a49ee0d5bb60cff8a6c4195d584a8a261255ad43ef5f

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
207KB

MD5
d994f60267f5b5e9a4841caefcbd0656

SHA1
3bdaf98eb51e2bdeabcaae02843198ad38917327

SHA256
c4d402113177037f033208d2b327c8e135d1c8eb8946ea41ba582c58e8b8ea57

SHA512
28b2cf0135a40cfb5a30aef410916ec942c1aa9f87f627efaab0161d57caa1f8b8d6516703ec6fb9e51222c49ee9119fb362762abb8c3d98718aa7c373e7831b

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
94KB

MD5
dd51f042b08b73b3b9590d2e11b68c13

SHA1
f57a16b14f73ed36ad356d5667cb07b6d5399560

SHA256
8a728cea0d3592b37f09006b5ec6a296379f97e48314c94c5a06d776952dacbc

SHA512
153853d67bd6448460aaca85d28646d27c57d0aab3e47588a28c29196a7fbd45d7201756274d0069a3ad09b8c4017000fee8f8b1ee1ac5fc4bba5ac006409322

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
11KB

MD5
8b456db9dd637a9c6e3a5bff0add7ad6

SHA1
757cbf452da3b628cc54a52870f901be58fe7c27

SHA256
ea783a2b3b9d42d09420319473f79e6a43de10019517e386c52d14c1c2ba9cf4

SHA512
d7c19f164616182afeaa93a96adbc34cb5187f128c2cf715e36a01ad570bb4d137df53993833bc4aff812f71455e866b050faebf8d3be2812fff0ebeb8d31627

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
24KB

MD5
375dbe59586fd776ab18acb8fdec0207

SHA1
db65f5f9d20f84230e2503e4198da754296c97ca

SHA256
8488f7cb45db23761a83c1e4f9ebbe50530bbf993c9cf8106cb147309aa47ad0

SHA512
324a9b0777ab7264ab5a6db7a90282eacc4d9a79b475ca445046e1b702c3e4c22df2b5a71f8b0d46143cf27d403a4ad5bc98235ce83da9c91609b9d3a6632776

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
10KB

MD5
17cbc8909760ce42ca19dea2be3675a3

SHA1
2c91581ec5ad36e710e0faae66721419d4ea33e3

SHA256
8e61293fb2b5806d033a3e5ac3d07ce48fed2a4c02f32fdaf4552f49afaec834

SHA512
c25a0cf33d1ea7eaf26cc6c2e80532c330950fe43f4a9d52291f1eaca28dc084431394b9b650c53a6c2b83ba760eb60ef418bd30f07300d80813a26bc0cd964c

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
50KB

MD5
ae1b5f194abba3a85823a454caf9ed7c

SHA1
58d44d61dbf1c63dd2360731d1bc1532a6324911

SHA256
1a7bc8849620e158445888cf3764d92168cdabe1f2fe60eac3ca5ee4ca63dfd1

SHA512
d6bbd477176d13ab6d0511e18fbb496ee9cf67a652b8d5f77804eae8b6c01b5c3f734223760a22eeb405153259dd165f4226ceca62737e698f7fb638078568cd

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
57KB

MD5
2c8eb0b1bfa956044d0dd6988c69870e

SHA1
3e9bac305c9094edba8788123d674a85c1e125e1

SHA256
66eccbe8fb3ea29086fe23c1937a46e8ccd87404425fa040d7214240c56c722e

SHA512
6972a7aae7f295f66cdc087f686ba4b12f35dbfbb8a1b7ef3a8b643ae6ff2edc92528f37999bcd8234e4ab1f5424e77f85b31206bd708732701ae8946a5e97cf

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
1.4MB

MD5
400531e4c8775ba467722679d5bb337c

SHA1
5dd7cf51f961f856390deb84058a84e91226c494

SHA256
a3fcb40b47d4c6f29e50f82bd3fafc72d7ded0fc69be4d9cc35ead8b90f621cd

SHA512
cd515593977695c1cb39a363b2776d0f61311b0a622339acd3946884003709542e956f1b01fc3d6a919b8f7d1cde9707beafd3258392db3ed43d83a985bf6861

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
2.0MB

MD5
70d149f275ccc89790c5405849a9ad9f

SHA1
de1a99c487f1b78320142e64fa1531c65a1ad8e7

SHA256
ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

SHA512
899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
1022KB

MD5
869fbb689988b8a492bc7bc40c81916e

SHA1
fb824e327f0a177a12958686266b4ca1fd0e8b51

SHA256
fe5e81ec371f8e77d2c51821bf16b5aae5705653b1e282a9e16aae8521665945

SHA512
6bfe7a843cc21575b4296b55b4ae2642d49c8e6b1945e462155466870a0fa9e5186690d65ea6ab9fb4d0608dcc56b4efee0b129f52ca62e54ab2ecbc2d8d1acf

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
197KB

MD5
f3dc210674235bd1dea0eac55bcae4a5

SHA1
255b78dc3ba8953cc4d3fa9db20560642774a791

SHA256
71391cc1c432e7f361a6d19d57c0f816d8facf8ee7681b6564604ee9760e4f84

SHA512
25167085c58cae5251912a3dda874fb4591b16506cb69ee99a977be7d548365bd2102634067093a6d6576854684956cb976a36787fd26e2a02dee30216b7a4c1

Download Submit
C:\Program Files\Java\jre-1.8\lib\ext\OfficeClickToRun.exe

Filesize
45KB

MD5
fb1d3a21a6ff2ac1de99d8e9dfbf84cf

SHA1
ced1a1f3cb858753c6a4e384e179945e681c4e1d

SHA256
457fc5e0a150c3685a5fb28c1bb91fc2f79f504532636f8ae70c2c0f1f86fa9a

SHA512
4bad25ccbc55f767b4bfee2108b63471cc8e8f9d382d5edd0d32ed91d3415845b0251939488460ff5ff4b6d4a78824cb489d462851be9363db355ef3e5228f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
d630e0db449ad8976cacc63421267c72

SHA1
a83e66cf385b6fd0d0f3050c851945804f00cd78

SHA256
9bc1ab4c50e10a7292ac1c4515defda4e48a484fa474c5e69a80d5b1ef22fb49

SHA512
8c7de267fde85f9fb4521afb956a33fd1e69ec86b530d5f348b382fbbc0f777f9b3189f6fe3223822895c8262a626c8a30f6d3a83ccf7efe92ce4acc46e2b7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
13e5260e039b147eeccccd0e4e68df21

SHA1
882c8bfc8205ce8d216f82e3346bd4f494a87219

SHA256
053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd

SHA512
9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFBBgjIbh8.bat

Filesize
186B

MD5
262615f51f990c29e5878222eb30fa10

SHA1
47d7755f3a53ca9440b28583836052fcb78652ea

SHA256
272dbf911629289bf81991c17e16dceb0d952eee07bfeda662638fdccbc0d3e9

SHA512
60628d73925963e2b72404f73525e63df1fa96710bbac91938cbceadc5749390c618eca2f17471582ec2c785344eee72888c7ee469ee1148c903d22f1cb9501b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTZEhVhqv7.bat

Filesize
234B

MD5
d7258f27497f1ada6deae4281b9e8de7

SHA1
57a65fdcae790d32fa4011d455bee7618cbca783

SHA256
3a18469b34146d6784d919b8257d052dcb995bfbd0ea12c4875e76313fcc779d

SHA512
661936274732af707c6e3d4cf9e607de8cb64e9a704cf826e594bad5f780668888cd1c788e352cb9c2c62f86569de7ebf7b593249f22312e530e662b1b8ea377

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDsOmRrZcw.bat

Filesize
234B

MD5
935b5b26c12000f3b8131ae83a1904f6

SHA1
d379452ea89f1baa3772872944d6b75cc2cc9cc8

SHA256
a80a321e2306e09dc052de2612bd203087b89a5c7488fbd5d8db0be6babca33e

SHA512
7a3821cc1aae3177ea0c71e491df35d7f2ca975016b428503f2978aa882663ef1615d5949981ff59999e56c2a15fc79250d6285fcfc379dfa54a2a8cd2f8ae83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycxw1CWDXu.bat

Filesize
186B

MD5
f66348834302855cf4554d02cc9e6090

SHA1
51071ffeb44f1fb58c74f19bbcfe9905f733a0fe

SHA256
28f672cc86e5e3568f70085b2efdbc592a9d15592e5488c3bdbf07f2f4ac5629

SHA512
cc34543b32849e40aa77f7f38e94bffe4ff4da7ed872dd5c2af025b8d5acbfb252afd2900e592cd0d74afbf174071cf8a5bfaad9e39e32306c3aad516c9ccb41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgko1qbi.pls.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5cCzjWvuk.bat

Filesize
186B

MD5
45d83b7a3ca0be1c903dd74633b870d0

SHA1
11d360fa59cc982b01f69f98c7d9f8f7c50a9a19

SHA256
23199e50e0d8362e191a5edde907ecbc57341c289d1701d22270fa5a30333119

SHA512
84644cd7db920a7a6a020426658a59dcbbec41bec9ff6c1b8cc19784e616e2e11ad95a1afb7a4a1d0fd588f919ca8600247237f672ded48cf22c9da9e3d97344

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSU5VqEBqK.bat

Filesize
234B

MD5
c1e984c36b2d51e3a33a8b7de9158562

SHA1
ab1b989f233f27c3d9f09365f932b89b2705b102

SHA256
26ebce4e5895b5f90724a03af26528510fed2407ec21d5d2f5132504af745ea1

SHA512
e435a5f4dfe1010e7acb62f90703e7d1a1bebcb44174c811b11336cea1d0831c6dc669b689679cfd8ce35cb01f7caa977d767ec3317ff84257100cb68cf1595a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat

Filesize
186B

MD5
1573667951f40794a4391fb70e3c93fe

SHA1
ad23cf50f3db32139bf602a876f34e3946ad232b

SHA256
e9ee5d0de514fa67a119607506a5fb736ea501b33bbe15772670199077a212f6

SHA512
f8016dbad04cfcf8af5cc4d69687f5941ef9194bdd95c46cb7c5ac0e5c4589a00f02fe9a5d5af0203732408a3d1a9c9f84f7019214e3393ed7cf2e7ef6156859

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat

Filesize
186B

MD5
d8905f941fc37daae9d54511add16ad5

SHA1
114958d41cb26cf39d2a5222c1186b8c26802da7

SHA256
1e9aeb9a2fed665629b2fd121c2ce753e431ec5a773a7d4a729fd158baca5d30

SHA512
8119356312daf11d04dd0f9b8086ae30f60e1656fb6bfcfb54bfe321a1215d51b22180343585b9de7d56235876d2dd2a03ff27325d70cfe501c36048d9412b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4X4n42Gpx.bat

Filesize
234B

MD5
da5292d15feb84af79d964f2392f0ef4

SHA1
ad3a3625110c3bce24f87eecc5b7c4772cbf625a

SHA256
96266353515ae7a8ea0ac1e0d0bd8b54967862dd63da37152dd36698f0a672e5

SHA512
5ace631f2c623b190984073f90a8c54f72ca7dfe8b3e8b9d0e0b658a5bf0dcfb9a195d76b824cca3f878676d6679285a6cbdf0d6ea8a110137b7c19e6879f891

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujuZrulyBl.bat

Filesize
234B

MD5
48c2c65cd8fc62ca306a9312b42bb998

SHA1
50efaab94fc3e84441f798a364b391edbeffc710

SHA256
c0cd34360eb6480028937f76f326ba5d52a14a97859907984fd3f5ae483012bc

SHA512
c606e74f6c39884ff1105afea4cb473467a6a27feff8f360cb81ba090640c939d2dbe9457801c7a1d8d99b1e8381b77b6616b17d148524484848f8f325796aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDZppRkgYb.bat

Filesize
234B

MD5
9d8f577ae74a5e7e9202cd1cf1b90fd8

SHA1
ce84a23a175e62bc60a211e0f8a8c74f36151651

SHA256
249d7477a530a14d7748366ed927357a001569c3398b38669ef5e3a639dc4702

SHA512
13bde38ba0fc68ae2e931452ac46191e7e3704f97ef35f5f5e8f73eb62bdf5767903062c88c1d87d2c278dca67937ed17ae18e8282cab1bb949e616016f709e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7mSN2TF6L.bat

Filesize
234B

MD5
f82ed00cb06d41b861f2b782350d0e14

SHA1
9ca50c4155aa3dbbd3cc3be489e3620d488d2029

SHA256
9df96b0e98b1912ddaa905728c3bbde99e9bca1a5b9b81bc790b912c17c635ed

SHA512
36b2409964ab92fb81c8918e47aa2fa20197a206b927a3e0f304cbdfa42ced16bdfaf4079d06597a2630b94e801c5d147e915ef9a526cb0191de69c85df5eabb

Download Submit
C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe

Filesize
633KB

MD5
27bbf776188e36dbccddac63eea7fa94

SHA1
abaee08a4348bb89a417853b5e1ee3c1cfcccc36

SHA256
ed5de7841e375f23b160a36c939502bf76ad67ae3b3a435dc9fb8d2017060377

SHA512
3ffb03e4ab34485e8aae1a59bc10ced7a431d3f4b528583196445de8029ea076f4889abd769d79a3c5f228c7221b355237bb2270018b2b85918ecc82ae5a6512

Download Submit
memory/60-61-0x000001D2AF950000-0x000001D2AF960000-memory.dmp

Filesize
64KB

Download
memory/448-242-0x0000022933470000-0x0000022933480000-memory.dmp

Filesize
64KB

Download
memory/448-241-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/760-249-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/760-245-0x000001A65EC10000-0x000001A65EC20000-memory.dmp

Filesize
64KB

Download
memory/1104-250-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/1608-238-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/1608-240-0x000001AF31CD0000-0x000001AF31CE0000-memory.dmp

Filesize
64KB

Download
memory/1608-239-0x000001AF31CD0000-0x000001AF31CE0000-memory.dmp

Filesize
64KB

Download
memory/1960-7-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/1960-23-0x0000000003280000-0x000000000328E000-memory.dmp

Filesize
56KB

Download
memory/1960-1-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/1960-2-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/1960-3-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/1960-10-0x00007FFE42820000-0x00007FFE428DE000-memory.dmp

Filesize
760KB

Download
memory/1960-13-0x00007FFE42630000-0x00007FFE42631000-memory.dmp

Filesize
4KB

Download
memory/1960-12-0x00000000032A0000-0x00000000032BC000-memory.dmp

Filesize
112KB

Download
memory/1960-9-0x00007FFE42640000-0x00007FFE42641000-memory.dmp

Filesize
4KB

Download
memory/1960-17-0x00007FFE42620000-0x00007FFE42621000-memory.dmp

Filesize
4KB

Download
memory/1960-16-0x00000000032C0000-0x00000000032D8000-memory.dmp

Filesize
96KB

Download
memory/1960-14-0x0000000003310000-0x0000000003360000-memory.dmp

Filesize
320KB

Download
memory/1960-19-0x0000000001AC0000-0x0000000001ACE000-memory.dmp

Filesize
56KB

Download
memory/1960-31-0x00007FFE425E0000-0x00007FFE425E1000-memory.dmp

Filesize
4KB

Download
memory/1960-30-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/1960-60-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/1960-29-0x00000000032E0000-0x00000000032E8000-memory.dmp

Filesize
32KB

Download
memory/1960-34-0x00007FFE425D0000-0x00007FFE425D1000-memory.dmp

Filesize
4KB

Download
memory/1960-33-0x00000000032F0000-0x00000000032FC000-memory.dmp

Filesize
48KB

Download
memory/1960-27-0x0000000003290000-0x000000000329C000-memory.dmp

Filesize
48KB

Download
memory/1960-25-0x00007FFE425F0000-0x00007FFE425F1000-memory.dmp

Filesize
4KB

Download
memory/1960-24-0x00007FFE42600000-0x00007FFE42601000-memory.dmp

Filesize
4KB

Download
memory/1960-50-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/1960-21-0x00007FFE42610000-0x00007FFE42611000-memory.dmp

Filesize
4KB

Download
memory/1960-56-0x00007FFE42820000-0x00007FFE428DE000-memory.dmp

Filesize
760KB

Download
memory/1960-20-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/1960-8-0x00007FFE42820000-0x00007FFE428DE000-memory.dmp

Filesize
760KB

Download
memory/1960-52-0x00007FFE42820000-0x00007FFE428DE000-memory.dmp

Filesize
760KB

Download
memory/1960-4-0x00007FFE42820000-0x00007FFE428DE000-memory.dmp

Filesize
760KB

Download
memory/1960-46-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/1960-6-0x0000000001A70000-0x0000000001A7E000-memory.dmp

Filesize
56KB

Download
memory/1960-0-0x0000000000F60000-0x000000000115A000-memory.dmp

Filesize
2.0MB

Download
memory/2028-59-0x0000025D564A0000-0x0000025D564B0000-memory.dmp

Filesize
64KB

Download
memory/2028-58-0x0000025D564A0000-0x0000025D564B0000-memory.dmp

Filesize
64KB

Download
memory/2428-233-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/2428-235-0x000001AF177D0000-0x000001AF177E0000-memory.dmp

Filesize
64KB

Download
memory/2452-74-0x000001D6DFBF0000-0x000001D6DFC00000-memory.dmp

Filesize
64KB

Download
memory/2452-63-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/2768-57-0x0000026915800000-0x0000026915810000-memory.dmp

Filesize
64KB

Download
memory/2768-54-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/2768-55-0x0000026915800000-0x0000026915810000-memory.dmp

Filesize
64KB

Download
memory/2768-73-0x000002692DFA0000-0x000002692DFC2000-memory.dmp

Filesize
136KB

Download
memory/2948-661-0x000000001C0B0000-0x000000001C21A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-248-0x0000025B65450000-0x0000025B65460000-memory.dmp

Filesize
64KB

Download
memory/3056-246-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/3056-247-0x0000025B65450000-0x0000025B65460000-memory.dmp

Filesize
64KB

Download
memory/3076-243-0x000001F0F0200000-0x000001F0F0210000-memory.dmp

Filesize
64KB

Download
memory/3076-244-0x000001F0F0200000-0x000001F0F0210000-memory.dmp

Filesize
64KB

Download
memory/3256-629-0x000000001C4D0000-0x000000001C63A000-memory.dmp

Filesize
1.4MB

Download
memory/3520-129-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/3520-184-0x000002E4306C0000-0x000002E4306D0000-memory.dmp

Filesize
64KB

Download
memory/3520-194-0x000002E4306C0000-0x000002E4306D0000-memory.dmp

Filesize
64KB

Download
memory/3828-695-0x000000001BC90000-0x000000001BDFA000-memory.dmp

Filesize
1.4MB

Download
memory/4136-62-0x0000025FF1ED0000-0x0000025FF1EE0000-memory.dmp

Filesize
64KB

Download
memory/4892-236-0x0000024B3B640000-0x0000024B3B650000-memory.dmp

Filesize
64KB

Download
memory/4892-234-0x0000024B3B640000-0x0000024B3B650000-memory.dmp

Filesize
64KB

Download
memory/4892-231-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download
memory/5076-237-0x00007FFE26660000-0x00007FFE27121000-memory.dmp

Filesize
10.8MB

Download