zgrat | ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 05:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Size

2.0MB
MD5

70d149f275ccc89790c5405849a9ad9f
SHA1

de1a99c487f1b78320142e64fa1531c65a1ad8e7
SHA256

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4
SHA512

899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7
SSDEEP

49152:yKB0Z0w15HQDEbwbIx0QEiY/ifrR6Vuo:yKB+1NQDETjAifH

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 9 IoCs

resource	yara_rule
behavioral2/memory/732-0-0x0000000000B70000-0x0000000000D6A000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023237-44.dat	family_zgrat_v1
behavioral2/files/0x0007000000023217-317.dat	family_zgrat_v1
behavioral2/files/0x0007000000023217-318.dat	family_zgrat_v1
behavioral2/files/0x0007000000023217-479.dat	family_zgrat_v1
behavioral2/files/0x0007000000023217-540.dat	family_zgrat_v1
behavioral2/files/0x0007000000023217-571.dat	family_zgrat_v1
behavioral2/files/0x0007000000023217-605.dat	family_zgrat_v1
behavioral2/files/0x0007000000023217-637.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 9 IoCs

resource	yara_rule
behavioral2/memory/732-0-0x0000000000B70000-0x0000000000D6A000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0006000000023237-44.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023217-317.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023217-318.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023217-479.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023217-540.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023217-571.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023217-605.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/files/0x0007000000023217-637.dat	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 15 IoCs

pid	Process
5136	SppExtComObj.exe
5712	SppExtComObj.exe
408	SppExtComObj.exe
5252	SppExtComObj.exe
4364	SppExtComObj.exe
4752	SppExtComObj.exe
1528	SppExtComObj.exe
6048	SppExtComObj.exe
3468	SppExtComObj.exe
5732	SppExtComObj.exe
4156	SppExtComObj.exe
5708	SppExtComObj.exe
4856	SppExtComObj.exe
3640	SppExtComObj.exe
5204	SppExtComObj.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
11	ipinfo.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sihost.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\66fc9ff0ee96c2	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3372	schtasks.exe
3688	schtasks.exe
1884	schtasks.exe
620	schtasks.exe
4052	schtasks.exe
1604	schtasks.exe
4684	schtasks.exe
968	schtasks.exe
2728	schtasks.exe
1168	schtasks.exe
3452	schtasks.exe
2516	schtasks.exe
2052	schtasks.exe
2168	schtasks.exe
2100	schtasks.exe
4912	schtasks.exe
2964	schtasks.exe
1840	schtasks.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	SppExtComObj.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	SppExtComObj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	SppExtComObj.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
4388	PING.EXE
5632	PING.EXE
5988	PING.EXE
3096	PING.EXE
5764	PING.EXE
1432	PING.EXE
4292	PING.EXE
5152	PING.EXE
5684	PING.EXE
3224	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	4364	SppExtComObj.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1528	SppExtComObj.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	5136	SppExtComObj.exe
Token: SeDebugPrivilege	5712	SppExtComObj.exe
Token: SeDebugPrivilege	408	SppExtComObj.exe
Token: SeDebugPrivilege	5252	SppExtComObj.exe
Token: SeDebugPrivilege	4364	SppExtComObj.exe
Token: SeDebugPrivilege	4752	SppExtComObj.exe
Token: SeDebugPrivilege	1528	SppExtComObj.exe
Token: SeDebugPrivilege	6048	SppExtComObj.exe
Token: SeDebugPrivilege	3468	SppExtComObj.exe
Token: SeDebugPrivilege	5732	SppExtComObj.exe
Token: SeDebugPrivilege	4156	SppExtComObj.exe
Token: SeDebugPrivilege	5708	SppExtComObj.exe
Token: SeDebugPrivilege	4856	SppExtComObj.exe
Token: SeDebugPrivilege	3640	SppExtComObj.exe
Token: SeDebugPrivilege	5204	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 1600	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	83
PID 732 wrote to memory of 1600	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	83
PID 732 wrote to memory of 3968	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	82
PID 732 wrote to memory of 3968	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	82
PID 732 wrote to memory of 404	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	81
PID 732 wrote to memory of 404	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	81
PID 732 wrote to memory of 4868	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	80
PID 732 wrote to memory of 4868	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	80
PID 732 wrote to memory of 5008	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	79
PID 732 wrote to memory of 5008	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	79
PID 732 wrote to memory of 2676	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	78
PID 732 wrote to memory of 2676	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	78
PID 732 wrote to memory of 3512	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	77
PID 732 wrote to memory of 3512	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	77
PID 732 wrote to memory of 4760	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	76
PID 732 wrote to memory of 4760	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	76
PID 732 wrote to memory of 2712	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	75
PID 732 wrote to memory of 2712	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	75
PID 732 wrote to memory of 3528	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	74
PID 732 wrote to memory of 3528	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	74
PID 732 wrote to memory of 4612	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 732 wrote to memory of 4612	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 732 wrote to memory of 1528	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	181
PID 732 wrote to memory of 1528	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	181
PID 732 wrote to memory of 4364	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	171
PID 732 wrote to memory of 4364	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	171
PID 732 wrote to memory of 1980	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	69
PID 732 wrote to memory of 1980	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	69
PID 732 wrote to memory of 736	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 732 wrote to memory of 736	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 732 wrote to memory of 2936	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	67
PID 732 wrote to memory of 2936	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	67
PID 732 wrote to memory of 4068	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	66
PID 732 wrote to memory of 4068	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	66
PID 732 wrote to memory of 1184	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	65
PID 732 wrote to memory of 1184	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	65
PID 732 wrote to memory of 1224	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	52
PID 732 wrote to memory of 1224	732	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	52
PID 1224 wrote to memory of 5528	1224	cmd.exe	49
PID 1224 wrote to memory of 5528	1224	cmd.exe	49
PID 1224 wrote to memory of 5920	1224	cmd.exe	50
PID 1224 wrote to memory of 5920	1224	cmd.exe	50
PID 1224 wrote to memory of 5136	1224	cmd.exe	84
PID 1224 wrote to memory of 5136	1224	cmd.exe	84
PID 5136 wrote to memory of 5496	5136	SppExtComObj.exe	109
PID 5136 wrote to memory of 5496	5136	SppExtComObj.exe	109
PID 5496 wrote to memory of 5576	5496	cmd.exe	107
PID 5496 wrote to memory of 5576	5496	cmd.exe	107
PID 5496 wrote to memory of 5556	5496	cmd.exe	106
PID 5496 wrote to memory of 5556	5496	cmd.exe	106
PID 5496 wrote to memory of 5712	5496	cmd.exe	153
PID 5496 wrote to memory of 5712	5496	cmd.exe	153
PID 5712 wrote to memory of 5616	5712	SppExtComObj.exe	157
PID 5712 wrote to memory of 5616	5712	SppExtComObj.exe	157
PID 5616 wrote to memory of 5884	5616	cmd.exe	155
PID 5616 wrote to memory of 5884	5616	cmd.exe	155
PID 5616 wrote to memory of 3096	5616	cmd.exe	154
PID 5616 wrote to memory of 3096	5616	cmd.exe	154
PID 5616 wrote to memory of 408	5616	cmd.exe	160
PID 5616 wrote to memory of 408	5616	cmd.exe	160
PID 408 wrote to memory of 4992	408	SppExtComObj.exe	164
PID 408 wrote to memory of 4992	408	SppExtComObj.exe	164
PID 4992 wrote to memory of 3372	4992	cmd.exe	162
PID 4992 wrote to memory of 3372	4992	cmd.exe	162

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
"C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dWM1bcXvBW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Default User\SppExtComObj.exe
    "C:\Users\Default User\SppExtComObj.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5136
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JXc0TkO1fo.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5496
    - - C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G4xkVEPKHy.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5616
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZMwbrXv0c.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat"
        10⤵
        
        PID:1504
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat"
        12⤵
        
        PID:2656
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dlM0lquDlv.bat"
        14⤵
        
        PID:232
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat"
        16⤵
        
        PID:5460
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat"
        18⤵
        
        PID:5032
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ODIA3Zf31.bat"
        20⤵
        
        PID:692
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aw9hvKlXqO.bat"
        22⤵
        
        PID:5948
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffZdJSdmJf.bat"
        24⤵
        
        PID:5852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:5684
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\21MOevrO8R.bat"
        26⤵
        
        PID:876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:3224
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat"
        28⤵
        
        PID:5176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3032
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dQkVphdv7k.bat"
        30⤵
        
        PID:5096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:5988
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oyk3mdJSzu.bat"
        32⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:3460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:900
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        33⤵
        
        PID:5544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat"
        34⤵
        
        PID:4772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:5500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:5584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sihost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
  2⤵
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5528

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5920

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5556

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5576

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3096

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5884

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4388

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3372

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:5764

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5748

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2332

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5004

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1432

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5960

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4292

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5296

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4624

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5524

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:5632

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:5152

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
28KB

MD5
b6875aec4704f2e99fd45061415d2d3f

SHA1
62c42c388cb13319bcbb96c364424a9e23b80497

SHA256
2aec1f9b077a6767a6e06d226f899a55836cbd44d9fd0079a43bda35d0d365bb

SHA512
e585af410f0c86a1585f5e342e9be42aae492b09c67be82a3b47db436163f100561d0cd7ffd9cc551381b4a8b9a270437058a36719a41684997692b7734cfbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
d630e0db449ad8976cacc63421267c72

SHA1
a83e66cf385b6fd0d0f3050c851945804f00cd78

SHA256
9bc1ab4c50e10a7292ac1c4515defda4e48a484fa474c5e69a80d5b1ef22fb49

SHA512
8c7de267fde85f9fb4521afb956a33fd1e69ec86b530d5f348b382fbbc0f777f9b3189f6fe3223822895c8262a626c8a30f6d3a83ccf7efe92ce4acc46e2b7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
adcf7694324db40696dec9e7145c7d9a

SHA1
6a5a093f6fec740444de5c219fd6af57f087d436

SHA256
b7678468701b0c13267926de54a86f833541a6d0420e466d62d1fa948bbfe054

SHA512
b5ad97789767fe51c37b603b3ec7015008a69699115330404193ceebb3158d5ae674062699b9cb62fa5635a7e78330d952e4438176bd9612d50c424845fb6896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat

Filesize
214B

MD5
70b55c5fe5b8d8ef5e95451bb84259ac

SHA1
6fe586bf1593ee139fc1980a4a93e7c9d34ba03e

SHA256
def52e4432d6c81f4951ea05f8913dd45bcbacb2495047adfd18a0344774f79d

SHA512
836ca83ba007ebfac318e78a506543ef5647ad818d522babd293b7cea656e94afc34c1ca62145d0fbf5ecede014773bab53811d8002b9710ac4269060482650c

Download Submit
C:\Users\Admin\AppData\Local\Temp\21MOevrO8R.bat

Filesize
166B

MD5
c130ad77d9d3ccc38b5a5fbb97a5efbe

SHA1
05184671c1dd33b838cf18b616f28084b706725b

SHA256
888686aa0ba7f6504b326f31d7192f07d49dea5bd9ad626135fb6d901501a51a

SHA512
bc43933fe368b18e67881899545a5996d6ffeac906e21774d578f5e404567e236a6441a128a485825183ac1ed51bea392731bdeb88120894c0f7ea0e3a991aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ODIA3Zf31.bat

Filesize
166B

MD5
a758588631e00b53f8846f9261c0af42

SHA1
47ef4c49bce555f5005a7f2c646ce7d5b32e7ced

SHA256
7f8bf64183996cf58dc1c81f7934d4305e0f1549e5359cb0e167b4c920907a15

SHA512
eb273722a4426d9d157bedb85722f801c11e2a09b67c68aefdebb18521bb7fbc7ff2897c54450e205b47e66f2ed258f668cb30203e70c1c7aa0a17eb67bd35d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A6hgcLYDdm.bat

Filesize
166B

MD5
dd46114f9f2c8d59aafcbc63cb1732fe

SHA1
6a44fcd765f35aa04f35d42a366e4b1f598cc630

SHA256
115d53479b4c1a73537e5d28cef37470e4dcf63fa7f2cb61cbf10b9700664e42

SHA512
f929ba9055106f73e4c760949a918538b34f7487ff26719e764432453a43a50992114d8540672fab21b6724b03812314e571317454f30711a91d2eccb3e14fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZMwbrXv0c.bat

Filesize
166B

MD5
5fcd4daafad6a9f4b4a3585bf222faaf

SHA1
fa9a8b5d6aeb66f54afa52fb626077fc248a6705

SHA256
56070d7ac14fabbca658b4764aeb1e5299f3ee4280a95618106e1a9ea131ad3b

SHA512
2f6aba14afdbc1d03ed9917427e2c17932d31a8ecefdf1661f3e92b4ebc11106dd8e934c8a315bd7f98384fd3b9811e9fa70f32d8bb375770f73485430899f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G4xkVEPKHy.bat

Filesize
166B

MD5
82862543d77adb64de6d740e2c352764

SHA1
b5845d5dd3679fc32363e17167bce2327d653a69

SHA256
413155829fdc4da69bc6efe8d8fbef93c49a9552a7de4af5f6ee2ba6cf5ba71b

SHA512
eb2b4768ef43610af7d4f02295cabb8db1af23e605787e3e2ef0bc9d70e019d08ca42d910d3201738799c8b551a0811e0371acada68f0ed5f95b3057e55ed59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JXc0TkO1fo.bat

Filesize
214B

MD5
fd3714378a15177c89ad7420f5bf067b

SHA1
9a0d17b2c2952bb45c2662c3f8bade4424ba7fdf

SHA256
d79d7a7d29c98e96119197ff5e08b0c54df3854e8426d0341680fe6dfa041d24

SHA512
ae74249d8875194e06b490658f26da6aee563000d437776b2d9ab7c04bd3bd3be8e8b8e1f146198ac0bd943e64b9558ebf2ab4e5e934c930bfd4d99291180549

Download Submit
C:\Users\Admin\AppData\Local\Temp\aw9hvKlXqO.bat

Filesize
166B

MD5
95bfa8fc6f19c64532404018dc6028a6

SHA1
69f59ad11ad533120a47c85238627f2384a48c27

SHA256
7955e2d27f6aa54d3d9202de9cce3471dcea99ce1f0fdf29dcdcce8539e7c77f

SHA512
407e6fc609acde233e3a207531192ad265befa5d66644a8bae5affe09f8f89dc24f3e01d418a8666cde11dde72ba4c3a8df839b98ee86457f0413634eab6b081

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQkVphdv7k.bat

Filesize
166B

MD5
ede94e13faffa15ea86c16d86a9243b8

SHA1
10f5ae5fcb911887028d6eae49ba6bb80ceae829

SHA256
06c877a6db3418066470f9db50041dbc1a5021f9fb61e3b2c5ce11e16963c8c8

SHA512
1fbe0da784281464a084d920493f18a09e1e64e3ae931b84854e73b37cbc3369ec2ab2f9aae9ee714d1ce65dc35fa836ba5b83c1e5a0342527f3cf12c81fa0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dWM1bcXvBW.bat

Filesize
214B

MD5
851d9d9aae55ac7e03e353313a91e875

SHA1
647aaafc7414c7fbbd095a0fa15bbdbc4264ddd8

SHA256
28aaf66626cbeccd8a281bd1054a02f2a590bf80ed701fcc7e48f247b441e1b4

SHA512
34dc81ced2552fc4c3f2f89250398b17e36de7347fe97dcb649ada768d8c7036268f4729c083bafc9c685516491cc7074c55509b5d7969f4c2a09ce17ea15f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlM0lquDlv.bat

Filesize
166B

MD5
95b9aa1f88403366db7c7fac172a4bb1

SHA1
54cde50a1eac54e1fc54f8778918bad84817af19

SHA256
18e53afdb8c1950ba842929bc7cba38d78f3c00f89ab29ca282277a9cc500035

SHA512
ab3177f2d55d8951f0fb72fbaf3209762bfa5a9b9b7d5a967cc88305d0029d8b4e2728ebf7bde7735289f9be991205cdf500f2de60f1703773dc4b874d9cffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffZdJSdmJf.bat

Filesize
166B

MD5
4f5ad5318019718a256b1b7c3858fe62

SHA1
f5047e79f6e905855b383c3ac5a488c84218d81e

SHA256
c76ed819063694d6e2a54fb0e918bd6b5ca064a8ea6904aea75bb5e425172ea6

SHA512
dfe9b476e41401c52cfebdf106912a2dff6d966fe9e4fb847eca3450770180a23e59064313ce08f4028f317e588d6175c53cb0613283c0a8cadf2acacc73a382

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2RXpaL3EF.bat

Filesize
214B

MD5
22e4dd728c95b425f85a272f557b6dfe

SHA1
d46f80a301d23a406b81dee6b4ec1937fa56e8da

SHA256
d10b733849986def19fe489e3ee584b7d9a4174603971b934d662338a352f60a

SHA512
c00b6dba9e5d14236d75c7918a1b05bcf3253cbe90a966bf240a729ac2013c2405cca7d7245c0d9909ffd8c57aa5c968d740d5153b41fa948158b6983891aa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\oyk3mdJSzu.bat

Filesize
214B

MD5
386264033ce93887ca7da40bd8196139

SHA1
d43662895592e99e4dbd9360a399b8ededc4c904

SHA256
3f8fa3a8c24af1a2048cf39a518a0394b17e9c57210182b3cace7b9e5c0b50dd

SHA512
07007320c2a34f847f25ec4d3b3da52106a2a1c52809a483e841a28d964a2b322474bf693493242297b887d593ccdf0972bcb9597bd12650f921c1fcccee2580

Download Submit
C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat

Filesize
214B

MD5
f4e261602936e0569933329da2e713f9

SHA1
ed84cca6187420dee871853cce52726d72400367

SHA256
60cacae54bf54bea6dcf57085b3d11550b29eea146bf6dba1916597b6f365b41

SHA512
496d72edc03e082bcb29d87860dc8742ed416f8ca023309a28e52f3a9daddcde95a8dc305c72484e4dc03ba8e37add8b55ef5fdc119d80ef8fc051f65e4c2424

Download Submit
C:\Users\Default User\SppExtComObj.exe

Filesize
15KB

MD5
9ae2e14b16ccda103aea9b774419055e

SHA1
8748455e882a3c19c4d7b37de8702cf4c7220c79

SHA256
48a670dcfd05259d5d5f8ab63b1561a076768f304ed5c0c2634ab1f539696dfe

SHA512
dbac7db36d22ce6e91cfd96d41d1d27a0b1c9234c313d37b89e3ae7c341ca1302250f5d90072697cb1ef36475e6079a3c690320ed3b074c975701827fb661126

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
79KB

MD5
7d399dd634840d74e8ae91222975d9fb

SHA1
c86949c9c9a168dd287b215edea074e2a5cc5680

SHA256
f84a9c3adeb67c59ce19b7ec3155884c8fc67ba7de5e760ffdac47592463f60b

SHA512
438f323d5d2e5b0b051abf247102f8a0593b6c72f5422782eb754c0489de46ce2f4e9d91af59d7a694203ef7c12e44bb7508933ce10e8960f8697987d715d993

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
67KB

MD5
5987e6ec2bbfce38811715a4faca7449

SHA1
33f545ba49044b177e7bb6440097c73a88e38781

SHA256
e7755cd3d6533fcbe27951c9acf68842ad266e1b337049cbe46551617015c67c

SHA512
ad439b553800d4d85299fab9e215b799afdb98dbe20dcc94cbae9f65bf3f6fa945625166163d493cb662cb2b8d6b5c91f7fc546bd37e634acfba011fa22106f6

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
38KB

MD5
1779ef2d296ec3be8df42660c3ac64f3

SHA1
7bc28f1795d5988078747445492d1cc2e034b708

SHA256
3e15b131aea569a0445a13fd7e48c0513bee04531a80da3207c0b2b244b7dfee

SHA512
f50bf63cd172d7d89466226d34ae1ad29fa11d45e3415a594fb2b5f9c2ea40256ac4458060ab86b929fd8c3abdabea08ee8c2c7dae95920d4fef8ca328b60d84

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
1KB

MD5
e17251365d1c6b664920ecde4a475a1a

SHA1
c1a32abda3fdca6017b524241fb706e5ec8caca8

SHA256
1b82e8bc10a8e7d170e156a3b892a5813333b335859bc9da72a93e6bba05e409

SHA512
8cc20aa0ac132f7d349a9d66e2611e2bddd6818545e5516a47fa01e9ed71da449b66f24103ee140932efdf9da2bd95862bea4b38b362b3075be9e0224115bd47

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
12KB

MD5
382cdcce07a3a491b49762f5be7044ee

SHA1
3e7028b46bbf8e2e65b7aa18ffba6584a1629260

SHA256
cd0682336b433665b53bd1a88298a6a06a1123307baa35711497ac7ccf414606

SHA512
42e1007760b4a49d6ce9ae1cf52670a79542f0998d5de1c63775f9eb001f6bd5d0b0859a2fe2ca5b4dc3b0ef059d8c804e7de0801ee31b17201ad8996f6d14ca

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
7KB

MD5
a37fddbcd8bfdf7a49efb07ae48353c7

SHA1
911ffc636f56e1f91a49ade8862a9be0b86986e9

SHA256
56fde0b8aaf82b25f456c0024f9bd4d10a5142d63596243bbcd3da36dbafb779

SHA512
40df3a4c6d836f2756f1ee4a843bf798b2c4e9b58829feddc2146045b4d456dfebc16c046427429904300752e6608f127ef36dd6766e197dd2e395cf4e4ace19

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
55KB

MD5
4c28d1fb2c5c92c6ab5cb8688d766989

SHA1
6dc529c7ee4fb1d513aaa966900766e300b8ea9f

SHA256
9dc28ffc222478422eb07b8e04a917b5c40f8c646ffb15c6def54e06be99a7d4

SHA512
f1012b20f4324ef5a3c69aff2ac866d91ac65b8af01a5a26d705be03906467789bc7472b211fa991eff2cb12eb77b8c804f9dd195b2596973480fdb0abe6d089

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
39KB

MD5
563eda3a24a60ac72d9e6209db6e838c

SHA1
33f4a67390b1cb7a861356e75d6fb3de4fb3d892

SHA256
fc5f5be154c3bafc8dc539cf199c589f8ccff1cc2cbb320f5e24e44e8c7c2c2e

SHA512
989e01369d93ae3900a1ef966198b715c74fc44073cff79cc5bfa6a74f36057b614ac86d52f98872c6f64100bcb5d6347433acf63a0f6cb904ed086287807859

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
190KB

MD5
0a1fe8eabfcbf77688ac015de4a8a534

SHA1
5f1663719d5a4f8dc842b5714d3b584471af7b13

SHA256
ea1a7f3164bfcd4a011ed33e82d29b8eb40fe7d6b4a01796b43724abe001a786

SHA512
791c9542b703a519bbbd035ee07d7e8f12f702d6918cbc257a3d49d38ef0e233dc5c9ac88f38dda8a5a017df602b8dda7c5c38ddfc5f2d34887d323e6fbb0e3f

Download Submit
C:\Users\Default\SppExtComObj.exe

Filesize
2.0MB

MD5
70d149f275ccc89790c5405849a9ad9f

SHA1
de1a99c487f1b78320142e64fa1531c65a1ad8e7

SHA256
ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

SHA512
899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7

Download Submit
memory/404-204-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/404-235-0x000002893F140000-0x000002893F150000-memory.dmp

Filesize
64KB

Download
memory/404-234-0x000002893F140000-0x000002893F150000-memory.dmp

Filesize
64KB

Download
memory/732-7-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/732-17-0x00007FFAEC3F0000-0x00007FFAEC3F1000-memory.dmp

Filesize
4KB

Download
memory/732-51-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/732-46-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/732-30-0x0000000002EE0000-0x0000000002EE8000-memory.dmp

Filesize
32KB

Download
memory/732-31-0x00007FFAEC3B0000-0x00007FFAEC3B1000-memory.dmp

Filesize
4KB

Download
memory/732-33-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

Filesize
48KB

Download
memory/732-34-0x00007FFAEC3A0000-0x00007FFAEC3A1000-memory.dmp

Filesize
4KB

Download
memory/732-26-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/732-5-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/732-6-0x00007FFAEC410000-0x00007FFAEC411000-memory.dmp

Filesize
4KB

Download
memory/732-0-0x0000000000B70000-0x0000000000D6A000-memory.dmp

Filesize
2.0MB

Download
memory/732-60-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/732-22-0x0000000002EA0000-0x0000000002EAE000-memory.dmp

Filesize
56KB

Download
memory/732-23-0x00007FFAEC3D0000-0x00007FFAEC3D1000-memory.dmp

Filesize
4KB

Download
memory/732-56-0x000000001CA60000-0x000000001CB75000-memory.dmp

Filesize
1.1MB

Download
memory/732-52-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/732-61-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/732-10-0x00007FFAEC4D0000-0x00007FFAEC58E000-memory.dmp

Filesize
760KB

Download
memory/732-9-0x0000000002DF0000-0x0000000002DFE000-memory.dmp

Filesize
56KB

Download
memory/732-4-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/732-2-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/732-3-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/732-1-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/732-28-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/732-27-0x00007FFAEC3C0000-0x00007FFAEC3C1000-memory.dmp

Filesize
4KB

Download
memory/732-25-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/732-20-0x0000000002E00000-0x0000000002E0E000-memory.dmp

Filesize
56KB

Download
memory/732-18-0x00007FFAEC3E0000-0x00007FFAEC3E1000-memory.dmp

Filesize
4KB

Download
memory/732-16-0x000000001B9D0000-0x000000001B9E8000-memory.dmp

Filesize
96KB

Download
memory/732-14-0x000000001BE90000-0x000000001BEE0000-memory.dmp

Filesize
320KB

Download
memory/732-12-0x0000000002EC0000-0x0000000002EDC000-memory.dmp

Filesize
112KB

Download
memory/732-13-0x00007FFAEC400000-0x00007FFAEC401000-memory.dmp

Filesize
4KB

Download
memory/1184-249-0x0000027C77280000-0x0000027C77290000-memory.dmp

Filesize
64KB

Download
memory/1184-250-0x0000027C77280000-0x0000027C77290000-memory.dmp

Filesize
64KB

Download
memory/1184-248-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1528-102-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/1528-140-0x00000211FF470000-0x00000211FF480000-memory.dmp

Filesize
64KB

Download
memory/1980-243-0x0000020B7DCA0000-0x0000020B7DCB0000-memory.dmp

Filesize
64KB

Download
memory/1980-241-0x0000020B7DCA0000-0x0000020B7DCB0000-memory.dmp

Filesize
64KB

Download
memory/1980-239-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/2676-247-0x00000235D88F0000-0x00000235D8900000-memory.dmp

Filesize
64KB

Download
memory/2676-246-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/2712-238-0x000001757C580000-0x000001757C590000-memory.dmp

Filesize
64KB

Download
memory/3512-58-0x000001EE5BDE0000-0x000001EE5BDF0000-memory.dmp

Filesize
64KB

Download
memory/3512-59-0x000001EE5BDE0000-0x000001EE5BDF0000-memory.dmp

Filesize
64KB

Download
memory/3528-242-0x000001FC31AB0000-0x000001FC31AC0000-memory.dmp

Filesize
64KB

Download
memory/3528-240-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/3528-244-0x000001FC31AB0000-0x000001FC31AC0000-memory.dmp

Filesize
64KB

Download
memory/3968-233-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/3968-236-0x0000021568B50000-0x0000021568B60000-memory.dmp

Filesize
64KB

Download
memory/4068-251-0x00000271504C0000-0x00000271504D0000-memory.dmp

Filesize
64KB

Download
memory/4364-74-0x0000015F99750000-0x0000015F99772000-memory.dmp

Filesize
136KB

Download
memory/4364-237-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/4612-245-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/4760-159-0x00000299FD600000-0x00000299FD610000-memory.dmp

Filesize
64KB

Download
memory/4760-116-0x00000299FD600000-0x00000299FD610000-memory.dmp

Filesize
64KB

Download
memory/4760-72-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/4868-62-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/5008-55-0x000001347FF80000-0x000001347FF90000-memory.dmp

Filesize
64KB

Download
memory/5008-57-0x000001347FF80000-0x000001347FF90000-memory.dmp

Filesize
64KB

Download
memory/5008-54-0x00007FFACE960000-0x00007FFACF421000-memory.dmp

Filesize
10.8MB

Download
memory/5136-347-0x000000001DAA0000-0x000000001DBB5000-memory.dmp

Filesize
1.1MB

Download