zgrat | 7a6763c97462aba6bba48de4794b82ffd5b6fadbc258cb7b6a9d05c8edcf9d55

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

767C6B9C9A369732FDA7C939B289EB98.exe
Size

1.6MB
MD5

767c6b9c9a369732fda7c939b289eb98
SHA1

f0093b140b55c7a176e4f72d30865012e925bca0
SHA256

7a6763c97462aba6bba48de4794b82ffd5b6fadbc258cb7b6a9d05c8edcf9d55
SHA512

b79a84433756333c5588093dc1fffcb3ab774770fefdd61fdd3e61397c261b0190ac5dac2bf0d9c5ef3fcbab2f7eab57d3c3ce3f208cb2a3308704d73f252e95
SSDEEP

24576:ne6CLuJ0SCjKdwR0J36UWlLeLZXYwG83vmwT5o38xK9I5fwuz:nfCoZ4OXYJyLo37C5

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2288-0-0x0000000000080000-0x0000000000226000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000016cfb-17.dat	family_zgrat_v1
behavioral1/files/0x0031000000015d50-38.dat	family_zgrat_v1
behavioral1/files/0x0031000000015d50-37.dat	family_zgrat_v1
behavioral1/memory/900-39-0x00000000012D0000-0x0000000001476000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\smss.exe\", \"C:\\Users\\Default\\Cookies\\services.exe\", \"C:\\Windows\\Fonts\\Idle.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\smss.exe\", \"C:\\Users\\Default\\Cookies\\services.exe\", \"C:\\Windows\\Fonts\\Idle.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\taskhost.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\smss.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\", \"C:\\Program Files\\Uninstall Information\\smss.exe\", \"C:\\Users\\Default\\Cookies\\services.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2904	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2904	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
900	smss.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Fonts\\Idle.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\taskhost.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Cookies\\services.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\taskhost.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Uninstall Information\\smss.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default\\Cookies\\services.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Fonts\\Idle.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\taskhost.exe\""	767C6B9C9A369732FDA7C939B289EB98.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC6FF144012F9A49F999D8981C6C026A4.TMP	csc.exe
File created	\??\c:\Windows\System32\p1m0al.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64	767C6B9C9A369732FDA7C939B289EB98.exe
File created	C:\Program Files\Uninstall Information\smss.exe	767C6B9C9A369732FDA7C939B289EB98.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	767C6B9C9A369732FDA7C939B289EB98.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe	767C6B9C9A369732FDA7C939B289EB98.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\Idle.exe	767C6B9C9A369732FDA7C939B289EB98.exe
File created	C:\Windows\Fonts\6ccacd8608530f	767C6B9C9A369732FDA7C939B289EB98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2672	schtasks.exe
2684	schtasks.exe
1596	schtasks.exe
1984	schtasks.exe
1376	schtasks.exe
1756	schtasks.exe
1792	schtasks.exe
2812	schtasks.exe
3024	schtasks.exe
2596	schtasks.exe
2740	schtasks.exe
276	schtasks.exe
2800	schtasks.exe
1240	schtasks.exe
2616	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2188	PING.EXE

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
2288	767C6B9C9A369732FDA7C939B289EB98.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe
900	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	767C6B9C9A369732FDA7C939B289EB98.exe
Token: SeDebugPrivilege	900	smss.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2576	2288	767C6B9C9A369732FDA7C939B289EB98.exe	32
PID 2288 wrote to memory of 2576	2288	767C6B9C9A369732FDA7C939B289EB98.exe	32
PID 2288 wrote to memory of 2576	2288	767C6B9C9A369732FDA7C939B289EB98.exe	32
PID 2576 wrote to memory of 2500	2576	csc.exe	34
PID 2576 wrote to memory of 2500	2576	csc.exe	34
PID 2576 wrote to memory of 2500	2576	csc.exe	34
PID 2288 wrote to memory of 2020	2288	767C6B9C9A369732FDA7C939B289EB98.exe	39
PID 2288 wrote to memory of 2020	2288	767C6B9C9A369732FDA7C939B289EB98.exe	39
PID 2288 wrote to memory of 2020	2288	767C6B9C9A369732FDA7C939B289EB98.exe	39
PID 2020 wrote to memory of 2508	2020	cmd.exe	41
PID 2020 wrote to memory of 2508	2020	cmd.exe	41
PID 2020 wrote to memory of 2508	2020	cmd.exe	41
PID 2020 wrote to memory of 2188	2020	cmd.exe	40
PID 2020 wrote to memory of 2188	2020	cmd.exe	40
PID 2020 wrote to memory of 2188	2020	cmd.exe	40
PID 2020 wrote to memory of 900	2020	cmd.exe	51
PID 2020 wrote to memory of 900	2020	cmd.exe	51
PID 2020 wrote to memory of 900	2020	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\767C6B9C9A369732FDA7C939B289EB98.exe
"C:\Users\Admin\AppData\Local\Temp\767C6B9C9A369732FDA7C939B289EB98.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fimlliwe\fimlliwe.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B0F.tmp" "c:\Windows\System32\CSC6FF144012F9A49F999D8981C6C026A4.TMP"
    3⤵
    PID:2500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QuNSBtNsSI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2188
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2508
- - C:\Program Files\Uninstall Information\smss.exe
    "C:\Program Files\Uninstall Information\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Cookies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe

Filesize
544KB

MD5
993bf211341c5990c45e73402fec173a

SHA1
02f1721d0351e3f6e38228c656ee6a2075572ba4

SHA256
9119db92b8f81e3dd811208a71a9025b472c0421dd833a77c94be3deb7c5768f

SHA512
84260e8e0c9cca2e92de0d714fea676f93274ae0a810da033039f50cb1d32ffc51aa5d457a4a52da80be1a79790349f3dcac7ab78d6ca34a3aea62694027d78c

Download Submit
C:\Program Files\Uninstall Information\smss.exe

Filesize
343KB

MD5
7c925a6ba9c295ce13851b813001adea

SHA1
c9e3c9d186a9dd555a60a75ab38712da72a99378

SHA256
b87866d6cfcfe2a495c11fc4b0a43a26dcfc199aeae60a83fada6c3c89b7aecc

SHA512
d8464ded25f9e14bc9585e314a202ed78b55b2d4168c5f0e6e735531244d526c1e20b12de561c4040265808118b1af954aa78bd9f8f5ab0f1b4ab93d409f69d8

Download Submit
C:\Program Files\Uninstall Information\smss.exe

Filesize
340KB

MD5
e5875f8af463d9b5179e7c22e574b3b2

SHA1
dd13b3b344ffea43eacd281a0ba62b2dd8fa95f4

SHA256
f61e8288bf682b7f4c329f1039e4543cef31256adafff18c4ee93e038fbb9042

SHA512
94da4c44512849a7da3000aa0ee56b101896df1e520cb3ec067fcbd588404e7ccbbadc961936ce849310710b65dad2f6f256112ebe046c75b260630692424b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuNSBtNsSI.bat

Filesize
175B

MD5
a7b56233e7b64caf6e5d7609ddd2537e

SHA1
046ed20ca07c2f1305fae8cc65dd67a683cffa3b

SHA256
290f007eee76a85f6d37cf76d9ecac5e4576fb1735abb2bb8982692a0165942b

SHA512
bc513859a75c271338fe399148a766d2d6e5cbe5ffc16dab5a73e557be260046d51a5ae590e26b9b03adb831fdd3bafc4e165d3b80febd8cb7226ec76adcec3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1B0F.tmp

Filesize
1KB

MD5
0226d0da6510f15d796099bae2a1377b

SHA1
9cef26d1d783319634a292f6b773f00a4e305b18

SHA256
3ecabb9c9521ccc07699634e44ce796e87d8b0f4af99e38557f69cbbcae0656a

SHA512
b43acc8d7d481eeec98ae7150bc0ec505f8a0ea0e7892fbbf0287471bf428027c6309837fd64efa2514081ad232058f1df9040d787510abfaf5cdfed5a4e6945

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fimlliwe\fimlliwe.0.cs

Filesize
407B

MD5
3652dda915ed8dc18463c75ef0578f98

SHA1
5d353be5acbe9ce7c06425ae650ba3b3db31c8cd

SHA256
4adc3aa568b41af5fd61eea55f467fbdfac28dd69eccadc9be7bb8f7d689bdd9

SHA512
02c11734e4621b7b5f46c92ffa239eab2a579f25a7fcc699e542056140b199a16bf9003d3f945f081108d744bec50d44de928515be2ae800981b905030c35646

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fimlliwe\fimlliwe.cmdline

Filesize
235B

MD5
bdea656314aceef9972319fd0abc02da

SHA1
9ed562e0fb8a2bd99d865ec54865905f719c867d

SHA256
7fc850237722e460e7db253489eac8054513d4ef2696c398181b899987c4438f

SHA512
e26f1aa4c967ce0f28353731c45a695673c9705ae997525b2b508fac8a22c6469db8cdc70fbd14db29da2f434c391f39d679487f6dcc20097ad4277aaa2bf4eb

Download Submit
\??\c:\Windows\System32\CSC6FF144012F9A49F999D8981C6C026A4.TMP

Filesize
1KB

MD5
284fece0fbb93d7d26df6495a6e30b04

SHA1
4887f768065cfa25879738fd42ad7f5fb5775981

SHA256
a0674bac88de031ff6050921c43e20e51db3c9abb30ac9d1b7f1877d4c0fad77

SHA512
fb89310c5123b52913b9dfb3dd2c5a6fd8fb304ff561b5361c3c89804d8f551f5c2084b29dae80daaa7d45d0c5a708fe2f8f5df628e13fa4c8f47909d0fe1e08

Download Submit
memory/900-43-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/900-42-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/900-50-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/900-49-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/900-48-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/900-47-0x000007FEF4AC0000-0x000007FEF54AC000-memory.dmp

Filesize
9.9MB

Download
memory/900-46-0x000000001B0B0000-0x000000001B130000-memory.dmp

Filesize
512KB

Download
memory/900-45-0x0000000076D80000-0x0000000076D81000-memory.dmp

Filesize
4KB

Download
memory/900-41-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/900-39-0x00000000012D0000-0x0000000001476000-memory.dmp

Filesize
1.6MB

Download
memory/900-40-0x000007FEF4AC0000-0x000007FEF54AC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-4-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/2288-1-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-0-0x0000000000080000-0x0000000000226000-memory.dmp

Filesize
1.6MB

Download
memory/2288-2-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/2288-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2288-6-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2288-8-0x000000001A950000-0x000000001A9D0000-memory.dmp

Filesize
512KB

Download
memory/2288-36-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-7-0x0000000076D80000-0x0000000076D81000-memory.dmp

Filesize
4KB

Download