zgrat | ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Size

2.0MB
MD5

70d149f275ccc89790c5405849a9ad9f
SHA1

de1a99c487f1b78320142e64fa1531c65a1ad8e7
SHA256

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4
SHA512

899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7
SSDEEP

49152:yKB0Z0w15HQDEbwbIx0QEiY/ifrR6Vuo:yKB+1NQDETjAifH

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 7 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016441-41.dat	family_zgrat_v1
behavioral1/files/0x00270000000142ac-309.dat	family_zgrat_v1
behavioral1/files/0x00270000000142ac-339.dat	family_zgrat_v1
behavioral1/files/0x00270000000142ac-369.dat	family_zgrat_v1
behavioral1/files/0x00270000000142ac-400.dat	family_zgrat_v1
behavioral1/files/0x00270000000142ac-483.dat	family_zgrat_v1
behavioral1/files/0x00270000000142ac-499.dat	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2972	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2972	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 7 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016441-41.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00270000000142ac-309.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00270000000142ac-339.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00270000000142ac-369.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00270000000142ac-400.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00270000000142ac-483.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00270000000142ac-499.dat	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 11 IoCs

pid	Process
1660	csrss.exe
2220	csrss.exe
2868	csrss.exe
2984	csrss.exe
2540	csrss.exe
2432	csrss.exe
320	csrss.exe
2012	csrss.exe
3036	csrss.exe
2656	csrss.exe
2368	csrss.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\56085415360792	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\7-Zip\lsm.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\7-Zip\101b941d020240	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\wininit.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Windows\L2Schemas\56085415360792	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1668	schtasks.exe
2908	schtasks.exe
320	schtasks.exe
2036	schtasks.exe
2960	schtasks.exe
2656	schtasks.exe
2560	schtasks.exe
2944	schtasks.exe
484	schtasks.exe
2568	schtasks.exe
760	schtasks.exe
268	schtasks.exe
2872	schtasks.exe
2232	schtasks.exe
2880	schtasks.exe
1648	schtasks.exe
1788	schtasks.exe
2592	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
1636	PING.EXE
664	PING.EXE
1620	PING.EXE
1856	PING.EXE
2852	PING.EXE
1056	PING.EXE
2204	PING.EXE
1304	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	908	chcp.com
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1660	csrss.exe
Token: SeDebugPrivilege	2220	csrss.exe
Token: SeDebugPrivilege	2868	csrss.exe
Token: SeDebugPrivilege	2984	csrss.exe
Token: SeDebugPrivilege	2540	csrss.exe
Token: SeDebugPrivilege	2432	csrss.exe
Token: SeDebugPrivilege	320	csrss.exe
Token: SeDebugPrivilege	2012	csrss.exe
Token: SeDebugPrivilege	3036	csrss.exe
Token: SeDebugPrivilege	2656	csrss.exe
Token: SeDebugPrivilege	2368	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1724	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	87
PID 2548 wrote to memory of 1724	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	87
PID 2548 wrote to memory of 1724	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	87
PID 2548 wrote to memory of 1092	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	86
PID 2548 wrote to memory of 1092	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	86
PID 2548 wrote to memory of 1092	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	86
PID 2548 wrote to memory of 2536	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	84
PID 2548 wrote to memory of 2536	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	84
PID 2548 wrote to memory of 2536	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	84
PID 2548 wrote to memory of 1040	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	82
PID 2548 wrote to memory of 1040	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	82
PID 2548 wrote to memory of 1040	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	82
PID 2548 wrote to memory of 1544	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	81
PID 2548 wrote to memory of 1544	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	81
PID 2548 wrote to memory of 1544	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	81
PID 2548 wrote to memory of 1568	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	80
PID 2548 wrote to memory of 1568	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	80
PID 2548 wrote to memory of 1568	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	80
PID 2548 wrote to memory of 2764	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	78
PID 2548 wrote to memory of 2764	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	78
PID 2548 wrote to memory of 2764	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	78
PID 2548 wrote to memory of 1944	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	76
PID 2548 wrote to memory of 1944	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	76
PID 2548 wrote to memory of 1944	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	76
PID 2548 wrote to memory of 1624	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	75
PID 2548 wrote to memory of 1624	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	75
PID 2548 wrote to memory of 1624	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	75
PID 2548 wrote to memory of 1868	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2548 wrote to memory of 1868	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2548 wrote to memory of 1868	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2548 wrote to memory of 1316	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2548 wrote to memory of 1316	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2548 wrote to memory of 1316	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2548 wrote to memory of 1940	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	71
PID 2548 wrote to memory of 1940	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	71
PID 2548 wrote to memory of 1940	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	71
PID 2548 wrote to memory of 1920	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	69
PID 2548 wrote to memory of 1920	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	69
PID 2548 wrote to memory of 1920	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	69
PID 2548 wrote to memory of 1764	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2548 wrote to memory of 1764	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2548 wrote to memory of 1764	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2548 wrote to memory of 1872	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	67
PID 2548 wrote to memory of 1872	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	67
PID 2548 wrote to memory of 1872	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	67
PID 2548 wrote to memory of 908	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	94
PID 2548 wrote to memory of 908	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	94
PID 2548 wrote to memory of 908	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	94
PID 2548 wrote to memory of 952	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	65
PID 2548 wrote to memory of 952	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	65
PID 2548 wrote to memory of 952	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	65
PID 2548 wrote to memory of 652	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	64
PID 2548 wrote to memory of 652	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	64
PID 2548 wrote to memory of 652	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	64
PID 2548 wrote to memory of 2688	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	53
PID 2548 wrote to memory of 2688	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	53
PID 2548 wrote to memory of 2688	2548	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	53
PID 2688 wrote to memory of 1076	2688	cmd.exe	89
PID 2688 wrote to memory of 1076	2688	cmd.exe	89
PID 2688 wrote to memory of 1076	2688	cmd.exe	89
PID 2688 wrote to memory of 1736	2688	cmd.exe	60
PID 2688 wrote to memory of 1736	2688	cmd.exe	60
PID 2688 wrote to memory of 1736	2688	cmd.exe	60
PID 2688 wrote to memory of 1660	2688	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
"C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TJG1WhWtgR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1076
- - C:\Users\Public\Music\Sample Music\csrss.exe
    "C:\Users\Public\Music\Sample Music\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat"
      4⤵
      PID:1076
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1856
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2888
    - - C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HY3kVmQ00V.bat"
        6⤵
        
        PID:1704
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat"
        8⤵
        
        PID:1536
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDmqPzi1bE.bat"
        10⤵
        
        PID:2456
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bx5FrBeEju.bat"
        12⤵
        
        PID:816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2164
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cBuNLwd5vp.bat"
        14⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2576
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat"
        16⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:1304
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3REiUSKTh.bat"
        18⤵
        
        PID:636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1636
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat"
        20⤵
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:880
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrsChc0jod.bat"
        22⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:664
        
        C:\Users\Public\Music\Sample Music\csrss.exe
        
        "C:\Users\Public\Music\Sample Music\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yPEeb07IgF.bat"
        24⤵
        
        PID:1504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:1620
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\csrss.exe'
  2⤵
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\lsm.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2852

C:\Windows\system32\chcp.com
chcp 65001
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1056

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2000

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2844

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\lsm.exe

Filesize
76KB

MD5
bf32a8261d1ad40d1a8d9050e8d8f446

SHA1
5d371a16a4dd2a1364d323b74785bcdbdf7fd23b

SHA256
b3b4601fc1749eeb16e115a086f8e7247fd04e9294fd396000306f288ea4fa33

SHA512
485d29d2b94daf6d64eb7ff13a8673c73aa5d8c99e9aa6df1da76dd3744825b11020010781fa4425b0d25c74a1a4e454a9bd60ef98eb0411852e62b7d97d6808

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0a2e8c3f483913cad6ee469af3951e8

SHA1
b85b995121505c2e244ef92849f838b43a3b8015

SHA256
d0dbff8983a3654762081a430150679b7656e84d1a7eea392aa02e6dc441d44e

SHA512
b9a10318599e97f9ec87d4c33498b4ad2f26dd64bf06b3d8ff9f308e5e905131bd70c31b8df812808fa8af3b281dea691d07438b47ed36d849e561a56cdb94c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v3DIijE8M.bat

Filesize
220B

MD5
96d27a75e562149102ffcdb757511fb4

SHA1
e25a7b81d8358d09a2d9dea69461978dec1e346a

SHA256
157d5e11f1279019704f973ee3e8862ffe7127e67e668e5067a4a5d317bd64c8

SHA512
fb2706ee06986425ba679e5ce3948a98cf0e271a102ed8d4b1b0eca064ba095c40332e50f3d2253efab5f0c59b2c817db5393f7b3b8094154ec394c2566a6384

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat

Filesize
172B

MD5
810de1b37517375fc6aa75bb7d103b48

SHA1
1afad2cf660bb9148d5b330946dfe4236886c698

SHA256
2005d31c995f39b389ffe0a8dc68d1927b4b91271a4a3cd7de935a7969aa1f26

SHA512
05e09e9100c4b7834df240c1af3ce4b79420421d6fc7670799794b309ef2f7c78d006c1a33f6f7d8ce6babfbfca70f095227e578dabb0d08d233121b4b72d128

Download Submit
C:\Users\Admin\AppData\Local\Temp\AzylF6O5Hz.bat

Filesize
172B

MD5
b1d0f22f0f22867b453d6e0ce7a9a3c2

SHA1
d126e24b5277ae97d9926e893cbf3c326280ac3a

SHA256
9d82285700aecd1c83edbf67d5dedc139c3df5eede477a483e525563561c7700

SHA512
4bfa429aadfabc66fc1492c3eeb294bfc4c77396eee63282b6d2a05f87a10835b07d35d2893fbcfc285734b8501b3a49b9bf6f55143ae2347518cd68a1706353

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab46E2.tmp

Filesize
18KB

MD5
7c22c4773c67a68d3a205ef4cf547981

SHA1
cadb5f86999fd25a6a5d7c2c8be809619fbe6834

SHA256
146aedd4d81b6e261b031206b34aab953847595c4bad263458e26a503ffe2835

SHA512
43f2ecbbf0d741060aeedb05237da6d38faf1ed3d3c08ec9ba43c6307201fd52ac7c32889ff820a2fb66c5d8867534a63a59d4325d7d18feaab6f9a556faf2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrsChc0jod.bat

Filesize
172B

MD5
e0fd62084c21305b54eecf1918d9e72d

SHA1
326719665a1cf9f56902331a46c61839c93a7c49

SHA256
2c6ca611be27530fb780ad6d6e339b25dae7cc7b7dc438706643c7076cce82b8

SHA512
f5afaad6eca96a5111428310832f551c000f732d2b9e03aba65ca23b205c152deaae4954d21dda053764faa646248493c1a8afc887b5338faf838a29418250d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HY3kVmQ00V.bat

Filesize
172B

MD5
56a7b4aa26b3f55ccd4210271a9cd780

SHA1
fd2b3316dc08e7f83d3ef818f13ae035fb834cf6

SHA256
8235c460a9b0a3bb6498fdec78ffb39be2ad257eec435c5d0b544014874d1e8b

SHA512
8b64dd392196bcd62f3d0cb563bbedcee54bab65c83c68205efc8f51149a492435b1c58b9d591f40b8f634d1cdc7fa5e91931a2bda691f8a4179c5bb305fdc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3REiUSKTh.bat

Filesize
172B

MD5
0c2d85c2820cc26436bebc1a7735add9

SHA1
bc693e1edbc01ef2559cb1fa2a299b5a20ef7a34

SHA256
167d2ab9cdd6a91c520629c3970fcc49e6cc4a5c84a4aaa8b09512b93c6c620d

SHA512
0212d2addcd1c3d083e7fbd7c1268ce42849d3a759368a2daff976b1ce3148982048096f50f9688df52d9f523688d31b246d4a42678e7e560fb3e67b80d175b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJG1WhWtgR.bat

Filesize
220B

MD5
22bae5da5d970ed5b3dadedcb43903c6

SHA1
7ed913ce7f9de9f72e62edd8c73c41eb868fe49f

SHA256
ea696e234759d3365600ed3117a005c01356805d7126d12afd1d5669907b170f

SHA512
ace46acf772016dfde88869d7191e64dbd228573c75461d04009e4a493384ed4537bf49461c37e705be9b908d0f374e58f0a40ab9b4a739c3ebaf7282674ac87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDmqPzi1bE.bat

Filesize
172B

MD5
3d3708e55db9bf8a702683fc9e1bc60f

SHA1
60cd50259ab1ebd8624760a6ce450a2b2debe467

SHA256
c72effde2a89a690492edff3e25b02e41b1f4e88174f0cee3ff28c94cdd0ee91

SHA512
b787bd069a8806bfeff2e618a9cbcaf4cbed9b555a7bc9d77e3e373f14f4a53c777aaa6d7cf26be19771c019c536a5697fc25f4dc3d750bb21c60ddb9d9a0444

Download Submit
C:\Users\Admin\AppData\Local\Temp\bx5FrBeEju.bat

Filesize
220B

MD5
9c7f127ee9a7dd3100e761b2525fa1fd

SHA1
cbd52d0da5133f3d86963c36e80025ab59d45743

SHA256
8539b4aa4335501cb8ad1e397324048f270dfc170f4019bd48ea00fff5770d95

SHA512
5692ff1368b91e05aef71c4657cde8658d57a6cb355ed9536e9bb8bb0e2685cd4e193d8b54557710002fc685ddaa3c4126afb6cfc9b95762a5058d32d3953336

Download Submit
C:\Users\Admin\AppData\Local\Temp\cBuNLwd5vp.bat

Filesize
220B

MD5
18a5831652318aa0f65bf86c3648830a

SHA1
8007ef5950b487525058e5dcb019c8304502d85c

SHA256
722e8bd1f9ac10638d09969787c379608031e6c70b113fee2f8a52983748b338

SHA512
f5783569ecfdadcba0429b185ea8fd1ce7065ccacbfba907f166b469f5c2b5cae9b6524ff575da843f11c41f48f572f56f325ee1fa73df87294c97841c8f9d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lV5no6Klb5.bat

Filesize
172B

MD5
a1424f3aac089293e1a58bfbe59c4268

SHA1
e38f5d3f21b62eee2d1f2d832b743d4cff1d0471

SHA256
1c360b057768d26120e54314c602636e9b41f47ec15505a0b2922b87ee3798da

SHA512
28a8b60dbf3b940d861abd4fa5899c0ca913a5e0a3c493382bb1bde2a6767babb82555a76584ba01b83595d956ef5cf9090beec7b7a0cf5ecf0576934d15b1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yPEeb07IgF.bat

Filesize
172B

MD5
90f67056a52e0265578e04676cdb9fab

SHA1
d56f76848e9137b447351e6ef1d85146f83ef797

SHA256
afa1c9c8c93ed5c0eaf623e1ee96dc58550462e37ba031e69f97a65777f1a17c

SHA512
ec08f5afcaa2a4c2ffe5e5ab1ae599a2d2291801544613c0a1c9914571d4d5e8084f97109fd392c6d95e04e741dad459fc3d5476ce98b3b6b07e93525a3ae295

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
908124cfec2a9889206441556759849a

SHA1
90f57dbc9a84e03ad8bc3411c17163253634730a

SHA256
498ac2a9adb35548e4c9a6d61329b1d21c038d152668afc6712929011a6022d7

SHA512
b18e6a5dfa42269c429ba5495c272d887a6ca0dc9cc57984e6dabff01cdef789253c4879cf0a53f058e377702d04e0abfefab8722af48f0c9c78aace14099f7b

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
26KB

MD5
bd265f4009bd746afe9a12081e06f2a3

SHA1
590fa9814dc290fe61bae29638f458ca31201c1f

SHA256
a2d69a71d40dcb9b1bb0d5b2708f3539ef3438c41813a517e00b5464f09cfefd

SHA512
42c0d142091ec0f9e15a016b5eb98780c90ac3fdbf8a5d02be89904d21fcf44c064da22e1bbdccbd1dc83fc71ea26b0dd90edbfd263e43081a18ecac8b1656d5

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
60KB

MD5
960ca4b33c7244406629197163264e10

SHA1
6dc98ecd09ccfe68ed79a38b95490d374e40ff4c

SHA256
5e7365d4b3c56bb4a114e72fbc3c99f4a8bbfbed8c2d14144e3ffe4378e9d601

SHA512
6672ff67c8e2caaef5960437cdd53b61a74540223c4f7b589238606f8fbe812d930be4b35ab52772dedf26f5767a128c0172b2e3d284c77cec1028293edadaa9

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
17KB

MD5
976bc4d4a5bb22ab75bea3f980b5d060

SHA1
2d384281f74f028562ee5085169698ae6e71220e

SHA256
36e23e414d8c949862af1e387225a7139c8ff32eddf791aa8241ca4f31c53ddd

SHA512
516981c7c132f1dcba02a2df01533cf465912ed0c87ea42c53604dab62a3a817f254ff6136b21020e0406858a4f223b9c414710bcc88eb054ed5ca10de2851e9

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
87KB

MD5
921aede88313c8714e281895f3546708

SHA1
f2bf49f1968c019555051b2dd1ae429a019e2e8d

SHA256
5486b2aa6d8c0c795ddf53794aa46c7a4c7382fe9bdcfa812199692d32c42c63

SHA512
0d54a997ad9d9920d67c7a7b38ba8a11e4d94c2eca443495541dbae9f7fb30e233e4d0c5e06a6d36a9c54b64bc7bfae39fcb371b53912f2f7d9433f93b34fc90

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
252KB

MD5
2262f57b36e87fe5fdfa6b7bdd6f0461

SHA1
1ee73bb0a11eff25186f2321b8d54f88d81dc421

SHA256
6da202e26117d94df77b8e973f8492b35348a85894ca712abbc64184e2544695

SHA512
1daae11fcee3eca60c0fe7027b470136a96dbeec3d3a324f2dd199c9f96ab7242962242c409ef8e600eba1f9f4bf946aea3a14a8bdc1a9e02acab14a3cd662b2

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
2.0MB

MD5
70d149f275ccc89790c5405849a9ad9f

SHA1
de1a99c487f1b78320142e64fa1531c65a1ad8e7

SHA256
ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

SHA512
899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
1.8MB

MD5
699f7ae19c1f95ca83dcf048919a1156

SHA1
11c53e23812def8f40ebba0d6cb8f03a79569c5c

SHA256
a99ba146891024a45280b253cb5376c190d227b3438dd3b04017b2a0c4d62699

SHA512
5979849560d397bab55c2b8ea324ed180bb4a9b5d1ecd11c982355776237ec25fd4b70dd7dee21c06f8b5b1f78377cc04673e121ce2dc35df93a26a5cddb0f29

Download Submit
C:\Users\Public\Music\Sample Music\csrss.exe

Filesize
1.2MB

MD5
134052b5886bdda7fd98cbb352bee53a

SHA1
32a923f193278c707c3a0f89cf1498a5142ca95f

SHA256
e4d4901c0cfeb4b64c7da4761a9a80ea546eb44b908f1e6ca5fd21cbe56d83ac

SHA512
5998852533dc269121b374e505c25b6e4e2b7a3a947c9fa353bddc15e37d2dbb08e3941acb7dbdd5770a4d61edc7e067953d418b20a7a4f161b0d1965beb7200

Download Submit
memory/652-232-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/652-224-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/652-218-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1040-208-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1040-215-0x000000000257B000-0x00000000025E2000-memory.dmp

Filesize
412KB

Download
memory/1040-207-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1040-214-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1040-212-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1040-211-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1092-205-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1092-204-0x0000000001D60000-0x0000000001DE0000-memory.dmp

Filesize
512KB

Download
memory/1092-206-0x0000000001D60000-0x0000000001DE0000-memory.dmp

Filesize
512KB

Download
memory/1092-209-0x0000000001D64000-0x0000000001D67000-memory.dmp

Filesize
12KB

Download
memory/1092-210-0x0000000001D6B000-0x0000000001DD2000-memory.dmp

Filesize
412KB

Download
memory/1092-193-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1092-114-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1092-117-0x0000000002030000-0x0000000002038000-memory.dmp

Filesize
32KB

Download
memory/1316-237-0x000000000246B000-0x00000000024D2000-memory.dmp

Filesize
412KB

Download
memory/1568-222-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/1568-216-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/1724-223-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1724-220-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1724-219-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1724-221-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1764-236-0x0000000001F44000-0x0000000001F47000-memory.dmp

Filesize
12KB

Download
memory/1764-231-0x0000000001F4B000-0x0000000001FB2000-memory.dmp

Filesize
412KB

Download
memory/1764-230-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1920-229-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1920-234-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1920-225-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1920-226-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1920-227-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/1944-213-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1944-217-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2536-228-0x000007FEED620000-0x000007FEEDFBD000-memory.dmp

Filesize
9.6MB

Download
memory/2536-235-0x00000000029FB000-0x0000000002A62000-memory.dmp

Filesize
412KB

Download
memory/2536-233-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2548-26-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-31-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2548-5-0x0000000077360000-0x0000000077361000-memory.dmp

Filesize
4KB

Download
memory/2548-104-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/2548-7-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2548-0-0x0000000000960000-0x0000000000B5A000-memory.dmp

Filesize
2.0MB

Download
memory/2548-13-0x00000000005F0000-0x0000000000608000-memory.dmp

Filesize
96KB

Download
memory/2548-14-0x0000000077340000-0x0000000077341000-memory.dmp

Filesize
4KB

Download
memory/2548-17-0x0000000077330000-0x0000000077331000-memory.dmp

Filesize
4KB

Download
memory/2548-18-0x0000000077320000-0x0000000077321000-memory.dmp

Filesize
4KB

Download
memory/2548-152-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-28-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/2548-29-0x00000000772F0000-0x00000000772F1000-memory.dmp

Filesize
4KB

Download
memory/2548-105-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/2548-27-0x0000000077300000-0x0000000077301000-memory.dmp

Filesize
4KB

Download
memory/2548-25-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2548-22-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2548-23-0x0000000077310000-0x0000000077311000-memory.dmp

Filesize
4KB

Download
memory/2548-20-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2548-16-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2548-11-0x0000000077350000-0x0000000077351000-memory.dmp

Filesize
4KB

Download
memory/2548-10-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/2548-8-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/2548-4-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/2548-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2548-2-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/2548-1-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download