Malware Analysis Report

2024-11-30 20:04

Sample ID: 240509-nz6axaga8x
Target: 1D61E62339D38CA2A129710265C26A89.exe
SHA256: d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a
Tags: zgrat execution persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

Threat Level: Known bad

The file 1D61E62339D38CA2A129710265C26A89.exe was found to be: Known bad.

Malicious Activity Summary

zgrat execution persistence rat spyware stealer

Detect ZGRat V1

Zgrat family

Process spawned unexpected child process

Modifies WinLogon for persistence

ZGRat

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 11:51

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Zgrat family

zgrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 11:51
Reported: 2024-05-09 11:53
Platform: win7-20231129-en
Max time kernel: 128s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical rows)

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft Help\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft Help\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft Help\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft Help\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft Help\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1D61E62339D38CA2A129710265C26A89.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (18 identical rows)

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\1D61E62339D38CA2A129710265C26A89 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1D61E62339D38CA2A129710265C26A89.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\default_apps\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Microsoft Help\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows Media Player\\Network Sharing\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\spoolsv.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1D61E62339D38CA2A129710265C26A89 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1D61E62339D38CA2A129710265C26A89.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\Microsoft Help\\dwm.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | \??\c:\Windows\System32\CSC27F842056D0C43B09F55A97E63D8632.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A
File created | \??\c:\Windows\System32\slsogk.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\f3b6ecef712a24 | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A (64 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (18 identical rows)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2380 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (3 identical rows)
PID 2812 wrote to memory of 2452 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (3 identical rows)
PID 2380 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 1016 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 2380 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe | C:\Windows\System32\cmd.exe (3 identical rows)
PID 2112 wrote to memory of 1680 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe
    "C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5yvbsuvv\5yvbsuvv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1803.tmp" "c:\Windows\System32\CSC27F842056D0C43B09F55A97E63D8632.TMP"

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A89" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PmLoS6z5nf.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe

"C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 956330cm.n9shteam2.top udp
US 104.21.90.190:80 956330cm.n9shteam2.top tcp
US 104.21.90.190:80 956330cm.n9shteam2.top tcp

Files

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\csrss.exe

MD5 1d61e62339d38ca2a129710265c26a89
SHA1 185c34e0d555ac3fdf7fefd1732409e65b6aedaf
SHA256 d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a
SHA512 0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

\??\c:\Users\Admin\AppData\Local\Temp\5yvbsuvv\5yvbsuvv.0.cs

MD5 0fa22ed2be9fcb636436387bbdb41f03
SHA1 23cb626d522cb4094e25e71ee8a9add18f99d34d
SHA256 1665b25ccb683ce4cb04a5d89c14a21bc630bcfe40d138bbcdd88bf01375e392
SHA512 88a8b7b252a369f45984bede62ce80eaf16a54bb0e2e6f0b2d21ecbbfa8c736ce043f3f4b8a51fc287d37b90367b10bf1c1e8501438973b854828cbdd8ef3768

\??\c:\Users\Admin\AppData\Local\Temp\5yvbsuvv\5yvbsuvv.cmdline

MD5 69bd0c723584540c558bc3182b0e582f
SHA1 6e0a7f08bff74b91b56fb2579887162846760888
SHA256 7ea2911fa7b4c7dcfd47421c44f147b8571454ffdb13801d97c1bc51a5031b27
SHA512 11efd0877639a5b79c4a2e27051e834a651ed27e57715b74939272b03484694b331ca224e393a6cce0880b2b46efd2d9f189315c90865b4763772571e122a9d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5fdc38f6d736e4494711df9561f1deb1
SHA1 0381e134607d47aed315413fa5ea2e8dd04a333c
SHA256 dc80e310a69ece2b29dc85931fe463eed5744428fe9d409fc80edbc52ab8d02e
SHA512 632b77b0970bf8352fd868ade88bf1a216f2a8980d2e2a7b130d6990cec82a38f763d8c81bee961040458c904ae0ab64bc7ba5fdd1cd3135683f24818a09557c

C:\Users\Admin\AppData\Local\Temp\PmLoS6z5nf.bat

MD5 f0e91c2b205c75e47a10e6ecfea84a9b
SHA1 28638296a7a781e93460254219a1ed126c035faa
SHA256 ac98f315693d85fb176e203cdfc20061363bd271cf6a62391ec104a9a10251c5
SHA512 d8e3bf169600f89b4f6e61eee3594356d42f50379ed03463e943417b20bf29991b1e0c1bf34c6c545a64084682a23e9ee429f6e0b1907d6b9f7d4767e74e6ce4

C:\Users\Admin\AppData\Local\Temp\RES1803.tmp

MD5 bcdfd94f36f3bf5785370c0a7ab0d0cb
SHA1 44f05f4c1c42452fb1c9dd5394c2e75fa427d26f
SHA256 2d581c17be29905ddb333ecce4220140048f99da40491db170b0cb1e91dec4be
SHA512 fca59fc9fef75f85f4336b92bc0dc998e85df005ab77ab975e73d91e294586870fce918cc90233772d0fe4d12aa8d03f1a25fa31841ae3d7cb17917ff11e044e

\??\c:\Windows\System32\CSC27F842056D0C43B09F55A97E63D8632.TMP

MD5 3fcb2bd8a227751c0367dff5940613bb
SHA1 bcca174ab4499de5713d836fbc368966aa1f5b2c
SHA256 aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c
SHA512 c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 11:51

Reported

2024-05-09 11:53

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\uk-UA\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\uk-UA\\sihost.exe\", \"C:\\Users\\Default User\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\", \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\uk-UA\\sihost.exe\", \"C:\\Users\\Default User\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\1D61E62339D38CA2A129710265C26A89.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(18 identical entries in the report, collapsed to one row)

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\uk-UA\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1D61E62339D38CA2A129710265C26A89 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1D61E62339D38CA2A129710265C26A89.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Windows Mail\\sysmon.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default User\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1D61E62339D38CA2A129710265C26A89 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1D61E62339D38CA2A129710265C26A89.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Mail\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\uk-UA\\sihost.exe\"" C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\pb7nq5.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\CSC244E8E2C8ED347779993E9DAD0E29C26.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Mail\121e5b5079f7c0 C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\66fc9ff0ee96c2 C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
File created C:\Program Files (x86)\Windows Mail\csrss.exe C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
File created C:\Program Files (x86)\Windows Mail\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
File created C:\Program Files (x86)\Windows Mail\sysmon.exe C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
(64 identical entries in the report, collapsed to one row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(17 identical powershell.exe entries in the report, collapsed to one row)
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4560 wrote to memory of 4808 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3192 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3192 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe C:\Windows\System32\cmd.exe
PID 4828 wrote to memory of 6000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4828 wrote to memory of 5220 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4828 wrote to memory of 6016 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe
(each write appears twice in the report; the duplicate rows are collapsed above)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe

"C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4teyiwdn\4teyiwdn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EBE.tmp" "c:\Windows\System32\CSC244E8E2C8ED347779993E9DAD0E29C26.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A89" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rxl6rc7r3I.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe

"C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe"

Network


Files
