zgrat | ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

Analysis

max time kernel
167s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Size

2.0MB
MD5

70d149f275ccc89790c5405849a9ad9f
SHA1

de1a99c487f1b78320142e64fa1531c65a1ad8e7
SHA256

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4
SHA512

899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7
SSDEEP

49152:yKB0Z0w15HQDEbwbIx0QEiY/ifrR6Vuo:yKB+1NQDETjAifH

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/2848-0-0x00000000001E0000-0x00000000003DA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023221-46.dat	family_zgrat_v1
behavioral2/files/0x0006000000023221-333.dat	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3868	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3868	schtasks.exe	85

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral2/memory/2848-0-0x00000000001E0000-0x00000000003DA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023221-46.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023221-333.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 9 IoCs

pid	Process
4080	WmiPrvSE.exe
1672	WmiPrvSE.exe
6008	WmiPrvSE.exe
6052	WmiPrvSE.exe
3432	WmiPrvSE.exe
3788	WmiPrvSE.exe
5412	WmiPrvSE.exe
4964	WmiPrvSE.exe
5900	WmiPrvSE.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
34	ipinfo.io

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\unsecapp.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\29c1c3cc0f7685	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\Windows Mail\WmiPrvSE.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\Windows Mail\24dbde2999530e	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\csrss.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\csrss.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Windows\RemotePackages\RemoteApps\886983d96e3d3e	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4052	schtasks.exe
3112	schtasks.exe
4548	schtasks.exe
1100	schtasks.exe
4752	schtasks.exe
4772	schtasks.exe
3584	schtasks.exe
3156	schtasks.exe
1320	schtasks.exe
60	schtasks.exe
4372	schtasks.exe
4872	schtasks.exe
3952	schtasks.exe
1164	schtasks.exe
3904	schtasks.exe
2456	schtasks.exe
4964	schtasks.exe
3088	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
5852	PING.EXE
4652	PING.EXE
5908	PING.EXE
5068	PING.EXE
3116	PING.EXE
5548	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	4080	WmiPrvSE.exe
Token: SeDebugPrivilege	1672	WmiPrvSE.exe
Token: SeDebugPrivilege	6008	WmiPrvSE.exe
Token: SeDebugPrivilege	6052	WmiPrvSE.exe
Token: SeDebugPrivilege	3432	WmiPrvSE.exe
Token: SeDebugPrivilege	3788	WmiPrvSE.exe
Token: SeDebugPrivilege	5412	WmiPrvSE.exe
Token: SeDebugPrivilege	4964	WmiPrvSE.exe
Token: SeDebugPrivilege	5900	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2576	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	107
PID 2848 wrote to memory of 2576	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	107
PID 2848 wrote to memory of 4568	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	108
PID 2848 wrote to memory of 4568	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	108
PID 2848 wrote to memory of 3996	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	109
PID 2848 wrote to memory of 3996	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	109
PID 2848 wrote to memory of 1172	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	110
PID 2848 wrote to memory of 1172	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	110
PID 2848 wrote to memory of 792	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	111
PID 2848 wrote to memory of 792	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	111
PID 2848 wrote to memory of 4996	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	112
PID 2848 wrote to memory of 4996	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	112
PID 2848 wrote to memory of 2740	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	113
PID 2848 wrote to memory of 2740	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	113
PID 2848 wrote to memory of 2764	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	142
PID 2848 wrote to memory of 2764	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	142
PID 2848 wrote to memory of 1940	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	141
PID 2848 wrote to memory of 1940	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	141
PID 2848 wrote to memory of 5092	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	140
PID 2848 wrote to memory of 5092	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	140
PID 2848 wrote to memory of 532	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	139
PID 2848 wrote to memory of 532	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	139
PID 2848 wrote to memory of 1652	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	137
PID 2848 wrote to memory of 1652	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	137
PID 2848 wrote to memory of 3788	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	134
PID 2848 wrote to memory of 3788	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	134
PID 2848 wrote to memory of 2432	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	132
PID 2848 wrote to memory of 2432	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	132
PID 2848 wrote to memory of 2376	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	130
PID 2848 wrote to memory of 2376	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	130
PID 2848 wrote to memory of 3104	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	128
PID 2848 wrote to memory of 3104	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	128
PID 2848 wrote to memory of 680	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	127
PID 2848 wrote to memory of 680	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	127
PID 2848 wrote to memory of 2216	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	125
PID 2848 wrote to memory of 2216	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	125
PID 2848 wrote to memory of 3516	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	143
PID 2848 wrote to memory of 3516	2848	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	143
PID 3516 wrote to memory of 6036	3516	cmd.exe	146
PID 3516 wrote to memory of 6036	3516	cmd.exe	146
PID 3516 wrote to memory of 5412	3516	cmd.exe	147
PID 3516 wrote to memory of 5412	3516	cmd.exe	147
PID 3516 wrote to memory of 4080	3516	cmd.exe	150
PID 3516 wrote to memory of 4080	3516	cmd.exe	150
PID 4080 wrote to memory of 3504	4080	WmiPrvSE.exe	152
PID 4080 wrote to memory of 3504	4080	WmiPrvSE.exe	152
PID 3504 wrote to memory of 4144	3504	cmd.exe	153
PID 3504 wrote to memory of 4144	3504	cmd.exe	153
PID 3504 wrote to memory of 5908	3504	cmd.exe	154
PID 3504 wrote to memory of 5908	3504	cmd.exe	154
PID 3504 wrote to memory of 1672	3504	cmd.exe	155
PID 3504 wrote to memory of 1672	3504	cmd.exe	155
PID 1672 wrote to memory of 1212	1672	WmiPrvSE.exe	156
PID 1672 wrote to memory of 1212	1672	WmiPrvSE.exe	156
PID 1212 wrote to memory of 6000	1212	cmd.exe	158
PID 1212 wrote to memory of 6000	1212	cmd.exe	158
PID 1212 wrote to memory of 5068	1212	cmd.exe	159
PID 1212 wrote to memory of 5068	1212	cmd.exe	159
PID 1212 wrote to memory of 6008	1212	cmd.exe	160
PID 1212 wrote to memory of 6008	1212	cmd.exe	160
PID 6008 wrote to memory of 2804	6008	WmiPrvSE.exe	161
PID 6008 wrote to memory of 2804	6008	WmiPrvSE.exe	161
PID 2804 wrote to memory of 5572	2804	cmd.exe	163
PID 2804 wrote to memory of 5572	2804	cmd.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
"C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\unsecapp.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\WmiPrvSE.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mkJHx0ZTJ5.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:6036
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5412
- - C:\Program Files\Windows Mail\WmiPrvSE.exe
    "C:\Program Files\Windows Mail\WmiPrvSE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FYUTXnTyLD.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4144
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:5908
    - - C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:5068
        
        C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9NLp60UiOc.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3116
        
        C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFOCGIGxkl.bat"
        10⤵
        
        PID:5164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3656
        
        C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDmqPzi1bE.bat"
        12⤵
        
        PID:5424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:5548
        
        C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"
        14⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2908
        
        C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FYUTXnTyLD.bat"
        16⤵
        
        PID:4600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:5852
        
        C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Osft0y9e1S.bat"
        18⤵
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:4652
        
        C:\Program Files\Windows Mail\WmiPrvSE.exe
        
        "C:\Program Files\Windows Mail\WmiPrvSE.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GDrybeBgh1.bat"
        20⤵
        
        PID:904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Install\{7AF60853-3BF3-4621-8184-C96FC7FB7214}\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Mail\WmiPrvSE.exe

Filesize
926KB

MD5
5c9b1b4a2d03daa8823910cb6a198350

SHA1
af507abd8e8616f0be6b5652cfca984c9fdfe409

SHA256
2b15935d2d25aba125e96439f5f8909c15d425e2356937e7380b7e35acd9927a

SHA512
8e8a32ebe0125beed139ba1d5ba7cb4c61b8f5883e8a1824e3f030ebc62013d4722d8323855e4c7ea59a5b556ce43987e9aad6ba5f83b8a75d6c8b13d80cc470

Download Submit
C:\Program Files\Windows Mail\WmiPrvSE.exe

Filesize
2.0MB

MD5
70d149f275ccc89790c5405849a9ad9f

SHA1
de1a99c487f1b78320142e64fa1531c65a1ad8e7

SHA256
ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

SHA512
899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
1KB

MD5
d630e0db449ad8976cacc63421267c72

SHA1
a83e66cf385b6fd0d0f3050c851945804f00cd78

SHA256
9bc1ab4c50e10a7292ac1c4515defda4e48a484fa474c5e69a80d5b1ef22fb49

SHA512
8c7de267fde85f9fb4521afb956a33fd1e69ec86b530d5f348b382fbbc0f777f9b3189f6fe3223822895c8262a626c8a30f6d3a83ccf7efe92ce4acc46e2b7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c571f748f85a6794b16e8e8ef10687ab

SHA1
becf11b355e41d6a51f2d97053c4d5319ee9d179

SHA256
c21d26af506fe324d5d7245d317b5eb2786dd1f9b99d020f79622b1c1bf3f937

SHA512
61ffd7c2e4b4feff2a09d82beea627fc11742359995c2c0abce0214ccdfe8a86bd9dffcf6bf84560ffbe768e69fdefa1d144a0cfb5146408562e24656d1cfee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9NLp60UiOc.bat

Filesize
170B

MD5
42975e46f2297c1fb53aa0f8e4399751

SHA1
a9aecdbe0f9f58d02a5aea02a0716b0cd8ad048a

SHA256
719fd3f164122d8916b9cd7fc6873837c6db2c7836c1ee1768bafd5e05faa13d

SHA512
e4887804f679f323fdfc6b2ff425a16b30aed3bc39ecb547da73affd13ebb3644e267165f67c9349b75a70df5ceb55e96fca6ea0fd986af73835e35c68a61708

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat

Filesize
218B

MD5
689d1cdafee259a7263d76cc1553a382

SHA1
e28f87654b4e9e5c2f1f7f7eacca0fa22cb631e3

SHA256
119f4e7cde88d51e8bf7b2e08658812c2c2ab41ec2ac3048686e9b97cd7782c2

SHA512
f7e4d76f2813c53e0b2cbbdcbfed7c02341d4354aa25a77fde31132dbedfaa4ae42cb7dc5d760a7a168d863707320f932f397afd327ef82ff7bafbcefd030ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYUTXnTyLD.bat

Filesize
170B

MD5
3ce3a6b78d4c18796238c5e994e95a64

SHA1
2c04a495b65bea0fea3c47e2f0347b174f85c077

SHA256
a8d88c8b00e94a147b1ebb30191194015b8ca1b86ff65927aca67edc9b0bea91

SHA512
2b8f69b565c0b68e9cd01bdaa1b0c9d57d0ba6cefc956c308bda0c60ed74dd927472cd004597e67acac9e616cbae66c9c4f0de3f8d497e4806e1b3f254a60733

Download Submit
C:\Users\Admin\AppData\Local\Temp\GDrybeBgh1.bat

Filesize
218B

MD5
9f7fc273ae2059bcd66c4aa2e26cc174

SHA1
de54374796862e5bc712989bb8b41dd186f2380b

SHA256
4ad66cc412144cb625ccdb8d4997ec7e7b6212e051d8312a5247ff0390623d76

SHA512
d595a81f073460d8d9052cfb86dce43a757c2ac11dde15f85e3443427c8fee328fc67a642241cb8b28afb93a09f051001fee9dff8d6b9199fda095bc49591f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Osft0y9e1S.bat

Filesize
170B

MD5
ac1a99f0733a97f8affe9a47231817c0

SHA1
a9af63d09bc7203fc803f38bd90abad66e612898

SHA256
3f6c609424c3f3215619e7d3f6284a0af8c921b9bc05746afbd2ba692687a0dd

SHA512
f88f077260f50b7d8485bb35ce6daa756d544e0f36a4aa4fae718c919699aa9d7c85397440a5a50200de6bf91155cd164b5866981fdfbb5aa90ee9898ccab108

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDmqPzi1bE.bat

Filesize
170B

MD5
5011175c5e09a44581f7370119aeda6a

SHA1
bde50e8732db3d70ce175d365a8394c5e1de8a97

SHA256
189db4665a505ba3e7ae7223c8d6bc84ae9684735881757c0240b83e57eff1cd

SHA512
66bea32dedb4c121ce95502828c1d480fa2ddbcd0bd644ff624e55a750476c4525eb6ca392de46b4d07ac6bfee8436b8a86204ad5fd488d9f8ce885f65b6472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat

Filesize
170B

MD5
d3c87383d3d6910691f5e4cb5fceaf98

SHA1
70a50d523e5311253551d03cf3aa3344610f5eeb

SHA256
5d024bd42d3438f2123ced5c4362367c0cfedb852f6eac2e65bfbaec321484a7

SHA512
10936fc2c52f03abe9eecf0cee51152f61afee9d6a56c845eb897c3309fd15aeeef48c362cabe381ef7818fa25d914fe51483e43660f4543b37286f0737c546f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fq0l3r1z.eby.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkJHx0ZTJ5.bat

Filesize
218B

MD5
4262b05f8117b5b7675cd4d6e48369bc

SHA1
8cdaeafc0b21b3ec29b18933226df96c9b46c1fa

SHA256
1f21f1a1041a86340e81a650df8a863233466c83dbfbe75c941cfc363f035032

SHA512
194d69cc78e8e3655aff3e9252fc214fb567cc306df4402886b1475e7de8fd3bd8e2a7df0d6044ab0e2f27e1be1dd9cbc43170a435decb0e43c61b7a9b5c595e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nFOCGIGxkl.bat

Filesize
218B

MD5
eef98697fb7b48da731834bdc1cd5bb0

SHA1
54f0158de35e415ffaee63a439af07e2af4739b5

SHA256
b4fc47ea80e0e491c079c2dcfc5776d41b5ccfc8ca02090df19a53da7c6624c8

SHA512
301f802e5827f7650cf67aca1fd2f9ca96dd7dbc2d56b9b9b82b93d0349cec077fedd95607e5967fb52675722734091aef1300429f19f2556f39ff65e464cde8

Download Submit
memory/532-239-0x0000013743FE0000-0x0000013743FF0000-memory.dmp

Filesize
64KB

Download
memory/680-250-0x000001A6D4170000-0x000001A6D4180000-memory.dmp

Filesize
64KB

Download
memory/680-249-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/792-238-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/1172-248-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/1940-237-0x00000202F5C40000-0x00000202F5C50000-memory.dmp

Filesize
64KB

Download
memory/1940-236-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2432-59-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2432-62-0x00000287FDD00000-0x00000287FDD10000-memory.dmp

Filesize
64KB

Download
memory/2576-243-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2576-245-0x0000028E2A7D0000-0x0000028E2A7E0000-memory.dmp

Filesize
64KB

Download
memory/2740-244-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2740-246-0x00000203A3580000-0x00000203A3590000-memory.dmp

Filesize
64KB

Download
memory/2740-247-0x00000203A3580000-0x00000203A3590000-memory.dmp

Filesize
64KB

Download
memory/2764-234-0x0000014EA74D0000-0x0000014EA74E0000-memory.dmp

Filesize
64KB

Download
memory/2764-156-0x0000014EA74D0000-0x0000014EA74E0000-memory.dmp

Filesize
64KB

Download
memory/2764-121-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2848-28-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/2848-15-0x000000001B1D0000-0x000000001B220000-memory.dmp

Filesize
320KB

Download
memory/2848-1-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2848-2-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/2848-3-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2848-4-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/2848-60-0x00007FFE53C20000-0x00007FFE53CDE000-memory.dmp

Filesize
760KB

Download
memory/2848-7-0x00007FFE53C20000-0x00007FFE53CDE000-memory.dmp

Filesize
760KB

Download
memory/2848-6-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/2848-9-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/2848-8-0x00007FFE539B0000-0x00007FFE539B1000-memory.dmp

Filesize
4KB

Download
memory/2848-10-0x00007FFE53C20000-0x00007FFE53CDE000-memory.dmp

Filesize
760KB

Download
memory/2848-12-0x0000000000D60000-0x0000000000D7C000-memory.dmp

Filesize
112KB

Download
memory/2848-54-0x00007FFE53C20000-0x00007FFE53CDE000-memory.dmp

Filesize
760KB

Download
memory/2848-49-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/2848-48-0x00007FFE53C20000-0x00007FFE53CDE000-memory.dmp

Filesize
760KB

Download
memory/2848-33-0x00007FFE53C20000-0x00007FFE53CDE000-memory.dmp

Filesize
760KB

Download
memory/2848-13-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2848-14-0x00007FFE539A0000-0x00007FFE539A1000-memory.dmp

Filesize
4KB

Download
memory/2848-63-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/2848-34-0x00007FFE53940000-0x00007FFE53941000-memory.dmp

Filesize
4KB

Download
memory/2848-36-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/2848-32-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/2848-31-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2848-29-0x00007FFE53950000-0x00007FFE53951000-memory.dmp

Filesize
4KB

Download
memory/2848-26-0x00007FFE53960000-0x00007FFE53961000-memory.dmp

Filesize
4KB

Download
memory/2848-0-0x00000000001E0000-0x00000000003DA000-memory.dmp

Filesize
2.0MB

Download
memory/2848-25-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/2848-23-0x00007FFE53970000-0x00007FFE53971000-memory.dmp

Filesize
4KB

Download
memory/2848-22-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/2848-19-0x00007FFE53980000-0x00007FFE53981000-memory.dmp

Filesize
4KB

Download
memory/2848-21-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/2848-18-0x0000000000D80000-0x0000000000D98000-memory.dmp

Filesize
96KB

Download
memory/2848-16-0x00007FFE53990000-0x00007FFE53991000-memory.dmp

Filesize
4KB

Download
memory/3104-241-0x0000026CE1B90000-0x0000026CE1BA0000-memory.dmp

Filesize
64KB

Download
memory/3104-240-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/3104-242-0x0000026CE1B90000-0x0000026CE1BA0000-memory.dmp

Filesize
64KB

Download
memory/3996-56-0x0000021648E40000-0x0000021648E50000-memory.dmp

Filesize
64KB

Download
memory/3996-55-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/3996-57-0x0000021648E40000-0x0000021648E50000-memory.dmp

Filesize
64KB

Download
memory/4568-102-0x000001E18FDE0000-0x000001E18FDF0000-memory.dmp

Filesize
64KB

Download
memory/4568-74-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/4568-137-0x000001E18FDE0000-0x000001E18FDF0000-memory.dmp

Filesize
64KB

Download
memory/4568-64-0x000001E1A84B0000-0x000001E1A84D2000-memory.dmp

Filesize
136KB

Download
memory/4996-235-0x000002382BDA0000-0x000002382BDB0000-memory.dmp

Filesize
64KB

Download
memory/4996-223-0x00007FFE36470000-0x00007FFE36F31000-memory.dmp

Filesize
10.8MB

Download
memory/5092-61-0x00000126C2570000-0x00000126C2580000-memory.dmp

Filesize
64KB

Download