zgrat | ada6ff0cbe7e8921bc185b7b7248e80ff9c5873a3cf881692b88efc6c0ec9c12

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6eb3335493cd2db4bc65f97a65763de.exe
Size

2.6MB
MD5

c6eb3335493cd2db4bc65f97a65763de
SHA1

80e56b33edd1cfeb54b39efea554b7303ba9e128
SHA256

ada6ff0cbe7e8921bc185b7b7248e80ff9c5873a3cf881692b88efc6c0ec9c12
SHA512

dc39716c5c1217a5b17e7fb2631c1ab0e96191bf45508fe0c0def0673103c4d120c7540edbfb42f09a29ad73ed03ec6a79f02133683739cb84cc572d869f15c3
SSDEEP

49152:5xoFebsVpZYBAU7Ns1AbXwTKjAW9r3UCJWXrS8YaHfg:5xousVpZYv7qOsTKjn8XY8g

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/memory/4580-0-0x0000000000480000-0x0000000000720000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0006000000023212-62.dat	family_zgrat_v1
behavioral2/files/0x000600000002320e-351.dat	family_zgrat_v1
behavioral2/files/0x000600000002320e-350.dat	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4888	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4888	schtasks.exe	92

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	c6eb3335493cd2db4bc65f97a65763de.exe

Executes dropped EXE 1 IoCs

pid	Process
5444	TextInputHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\fontdrvhost.exe	c6eb3335493cd2db4bc65f97a65763de.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fontdrvhost.exe	c6eb3335493cd2db4bc65f97a65763de.exe
File created	C:\Program Files (x86)\Windows NT\dwm.exe	c6eb3335493cd2db4bc65f97a65763de.exe
File created	C:\Program Files\MSBuild\spoolsv.exe	c6eb3335493cd2db4bc65f97a65763de.exe
File created	C:\Program Files\MSBuild\f3b6ecef712a24	c6eb3335493cd2db4bc65f97a65763de.exe
File created	C:\Program Files (x86)\Windows Defender\5b884080fd4f94	c6eb3335493cd2db4bc65f97a65763de.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c6eb3335493cd2db4bc65f97a65763de.exe	c6eb3335493cd2db4bc65f97a65763de.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\3633f7a51f98b1	c6eb3335493cd2db4bc65f97a65763de.exe
File created	C:\Program Files (x86)\Windows NT\6cb0b6c459d5d3	c6eb3335493cd2db4bc65f97a65763de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3236	schtasks.exe
5072	schtasks.exe
2812	schtasks.exe
4244	schtasks.exe
3612	schtasks.exe
4916	schtasks.exe
4040	schtasks.exe
2808	schtasks.exe
1868	schtasks.exe
5028	schtasks.exe
3676	schtasks.exe
2276	schtasks.exe
2608	schtasks.exe
2392	schtasks.exe
2388	schtasks.exe
2884	schtasks.exe
2960	schtasks.exe
4192	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	c6eb3335493cd2db4bc65f97a65763de.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1376	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe
4580	c6eb3335493cd2db4bc65f97a65763de.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	c6eb3335493cd2db4bc65f97a65763de.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	5444	TextInputHost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4868	4580	c6eb3335493cd2db4bc65f97a65763de.exe	135
PID 4580 wrote to memory of 4868	4580	c6eb3335493cd2db4bc65f97a65763de.exe	135
PID 4580 wrote to memory of 3436	4580	c6eb3335493cd2db4bc65f97a65763de.exe	134
PID 4580 wrote to memory of 3436	4580	c6eb3335493cd2db4bc65f97a65763de.exe	134
PID 4580 wrote to memory of 1384	4580	c6eb3335493cd2db4bc65f97a65763de.exe	133
PID 4580 wrote to memory of 1384	4580	c6eb3335493cd2db4bc65f97a65763de.exe	133
PID 4580 wrote to memory of 2264	4580	c6eb3335493cd2db4bc65f97a65763de.exe	132
PID 4580 wrote to memory of 2264	4580	c6eb3335493cd2db4bc65f97a65763de.exe	132
PID 4580 wrote to memory of 3572	4580	c6eb3335493cd2db4bc65f97a65763de.exe	131
PID 4580 wrote to memory of 3572	4580	c6eb3335493cd2db4bc65f97a65763de.exe	131
PID 4580 wrote to memory of 3576	4580	c6eb3335493cd2db4bc65f97a65763de.exe	130
PID 4580 wrote to memory of 3576	4580	c6eb3335493cd2db4bc65f97a65763de.exe	130
PID 4580 wrote to memory of 1484	4580	c6eb3335493cd2db4bc65f97a65763de.exe	129
PID 4580 wrote to memory of 1484	4580	c6eb3335493cd2db4bc65f97a65763de.exe	129
PID 4580 wrote to memory of 2284	4580	c6eb3335493cd2db4bc65f97a65763de.exe	128
PID 4580 wrote to memory of 2284	4580	c6eb3335493cd2db4bc65f97a65763de.exe	128
PID 4580 wrote to memory of 2452	4580	c6eb3335493cd2db4bc65f97a65763de.exe	127
PID 4580 wrote to memory of 2452	4580	c6eb3335493cd2db4bc65f97a65763de.exe	127
PID 4580 wrote to memory of 856	4580	c6eb3335493cd2db4bc65f97a65763de.exe	126
PID 4580 wrote to memory of 856	4580	c6eb3335493cd2db4bc65f97a65763de.exe	126
PID 4580 wrote to memory of 3696	4580	c6eb3335493cd2db4bc65f97a65763de.exe	125
PID 4580 wrote to memory of 3696	4580	c6eb3335493cd2db4bc65f97a65763de.exe	125
PID 4580 wrote to memory of 1440	4580	c6eb3335493cd2db4bc65f97a65763de.exe	124
PID 4580 wrote to memory of 1440	4580	c6eb3335493cd2db4bc65f97a65763de.exe	124
PID 4580 wrote to memory of 2520	4580	c6eb3335493cd2db4bc65f97a65763de.exe	123
PID 4580 wrote to memory of 2520	4580	c6eb3335493cd2db4bc65f97a65763de.exe	123
PID 4580 wrote to memory of 4780	4580	c6eb3335493cd2db4bc65f97a65763de.exe	121
PID 4580 wrote to memory of 4780	4580	c6eb3335493cd2db4bc65f97a65763de.exe	121
PID 4580 wrote to memory of 4620	4580	c6eb3335493cd2db4bc65f97a65763de.exe	119
PID 4580 wrote to memory of 4620	4580	c6eb3335493cd2db4bc65f97a65763de.exe	119
PID 4580 wrote to memory of 3704	4580	c6eb3335493cd2db4bc65f97a65763de.exe	118
PID 4580 wrote to memory of 3704	4580	c6eb3335493cd2db4bc65f97a65763de.exe	118
PID 4580 wrote to memory of 3380	4580	c6eb3335493cd2db4bc65f97a65763de.exe	116
PID 4580 wrote to memory of 3380	4580	c6eb3335493cd2db4bc65f97a65763de.exe	116
PID 4580 wrote to memory of 3320	4580	c6eb3335493cd2db4bc65f97a65763de.exe	114
PID 4580 wrote to memory of 3320	4580	c6eb3335493cd2db4bc65f97a65763de.exe	114
PID 4580 wrote to memory of 2020	4580	c6eb3335493cd2db4bc65f97a65763de.exe	104
PID 4580 wrote to memory of 2020	4580	c6eb3335493cd2db4bc65f97a65763de.exe	104
PID 2020 wrote to memory of 5508	2020	cmd.exe	108
PID 2020 wrote to memory of 5508	2020	cmd.exe	108
PID 2020 wrote to memory of 1376	2020	cmd.exe	122
PID 2020 wrote to memory of 1376	2020	cmd.exe	122
PID 2020 wrote to memory of 5444	2020	cmd.exe	156
PID 2020 wrote to memory of 5444	2020	cmd.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c6eb3335493cd2db4bc65f97a65763de.exe
"C:\Users\Admin\AppData\Local\Temp\c6eb3335493cd2db4bc65f97a65763de.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CecPxE92Gb.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5508
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1376
- - C:\Recovery\WindowsRE\TextInputHost.exe
    "C:\Recovery\WindowsRE\TextInputHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c6eb3335493cd2db4bc65f97a65763de.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\c6eb3335493cd2db4bc65f97a65763de.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\dwm.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c6eb3335493cd2db4bc65f97a65763dec" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\c6eb3335493cd2db4bc65f97a65763de.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c6eb3335493cd2db4bc65f97a65763de" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\c6eb3335493cd2db4bc65f97a65763de.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c6eb3335493cd2db4bc65f97a65763dec" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\c6eb3335493cd2db4bc65f97a65763de.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c6eb3335493cd2db4bc65f97a65763dec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\c6eb3335493cd2db4bc65f97a65763de.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c6eb3335493cd2db4bc65f97a65763de" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\c6eb3335493cd2db4bc65f97a65763de.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c6eb3335493cd2db4bc65f97a65763dec" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\c6eb3335493cd2db4bc65f97a65763de.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\MSBuild\spoolsv.exe

Filesize
269KB

MD5
785eb618e1e509f993f2823f170b1d14

SHA1
0bd7eaac97bb695129bb22b8c7e879e8b01334db

SHA256
ffa2427a0f586b7d6b0e2d1acba4255f641d13c93384325d7bcbe7f1556aaadd

SHA512
79dfa9fcf68fad69db6dc95b4470b4df1d4f6ff7f4275167eca1f06b9dc7ba2ff202c62027cde9ca601d6caa1373c436a260d5f18206451df5f976be2ae7c8de

Download Submit
C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
197KB

MD5
4a90ccda0364adeb27b50c1cc5106469

SHA1
186d28d28bb37eb8032d3ce334f230a4089fab65

SHA256
a3e69cb5f2ab5696d7150cdeef6ffad2d07cbb78866e5fc2b58728b1ff289d84

SHA512
e475de690f632d4c851ade8ef1f6c46898f310f8230d0f2f476a32c8565324d1870e59ee2ae9022dd7d22c62415be30deb3ea4a89f1a2afb8c0dcdfea5cf38ba

Download Submit
C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
318KB

MD5
09e31fc860f6a26e9493bb5d2299d496

SHA1
b722b9a016137f2e02cfb6e25fa34c2ccea81946

SHA256
4e117f464ed0d18c76bef78fd90ae4fa1d26d1a3c4f4fd840786489e6e2efe06

SHA512
d86c7624aa629cfc3292b77b6a69946905b4a3759c5bc7566593a3885fd69fab95e1ecadc393bddf9990351e939d595377dd8e6a45f1a851b46353ab411d79ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
243347db405974f6277b941306d57ddb

SHA1
48a7563230d78ecfe8aaa7b749bf985c6078b4e4

SHA256
876100d0ce1aff677a0cab677787ca9858a989f4e5c13b05c8931f709232b835

SHA512
1c45eae761fb4224943debe2f2d553793146bb6d4bf2535de2bded3f9c78665607bc1fce7d4ecf905569488e42e42d0bf4b6d20dfcf8cda77a354b8faf17a951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\CecPxE92Gb.bat

Filesize
167B

MD5
14d0969b42917cf2a510d025347c8987

SHA1
a575639ae1e4365e350d8178ae2456b3a386fdbf

SHA256
a7c8f02ac60f09a0c7288f52b335dad0532c759987b7c44244c0c071a82c7bd2

SHA512
e13b5f2c4cd658b28058a3cf373adf460918ef2c1a31a088fd17a1ce0469b5bbfe979de80ba3a551f265c2a8d6e8f87b8ac9f3db7d0410e442487fdecdb434d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_veyoi3wi.jea.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/856-308-0x000001ED78CE0000-0x000001ED78E4A000-memory.dmp

Filesize
1.4MB

Download
memory/856-75-0x000001ED78A60000-0x000001ED78A70000-memory.dmp

Filesize
64KB

Download
memory/856-84-0x000001ED78B70000-0x000001ED78B92000-memory.dmp

Filesize
136KB

Download
memory/856-72-0x000001ED78A60000-0x000001ED78A70000-memory.dmp

Filesize
64KB

Download
memory/856-69-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1384-97-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1384-116-0x000001D0F0DC0000-0x000001D0F0DD0000-memory.dmp

Filesize
64KB

Download
memory/1384-190-0x000001D0F0DC0000-0x000001D0F0DD0000-memory.dmp

Filesize
64KB

Download
memory/1384-293-0x000001D0F1200000-0x000001D0F136A000-memory.dmp

Filesize
1.4MB

Download
memory/1440-284-0x000001CDD9CF0000-0x000001CDD9E5A000-memory.dmp

Filesize
1.4MB

Download
memory/1440-76-0x000001CDD98A0000-0x000001CDD98B0000-memory.dmp

Filesize
64KB

Download
memory/1484-326-0x000001FDF8F00000-0x000001FDF906A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-218-0x0000021961B60000-0x0000021961B70000-memory.dmp

Filesize
64KB

Download
memory/2264-219-0x0000021961B60000-0x0000021961B70000-memory.dmp

Filesize
64KB

Download
memory/2264-287-0x0000021961E50000-0x0000021961FBA000-memory.dmp

Filesize
1.4MB

Download
memory/2264-162-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/2284-291-0x0000021562BB0000-0x0000021562D1A000-memory.dmp

Filesize
1.4MB

Download
memory/2452-347-0x0000015E65910000-0x0000015E65A7A000-memory.dmp

Filesize
1.4MB

Download
memory/2452-254-0x0000015E655E0000-0x0000015E655F0000-memory.dmp

Filesize
64KB

Download
memory/2452-252-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/2520-319-0x00000182E0390000-0x00000182E04FA000-memory.dmp

Filesize
1.4MB

Download
memory/3320-255-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/3320-312-0x0000020B51E00000-0x0000020B51F6A000-memory.dmp

Filesize
1.4MB

Download
memory/3380-251-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/3380-253-0x0000028F63EB0000-0x0000028F63EC0000-memory.dmp

Filesize
64KB

Download
memory/3380-310-0x0000028F643A0000-0x0000028F6450A000-memory.dmp

Filesize
1.4MB

Download
memory/3436-341-0x000001F5F8940000-0x000001F5F8AAA000-memory.dmp

Filesize
1.4MB

Download
memory/3572-309-0x000001F725F30000-0x000001F72609A000-memory.dmp

Filesize
1.4MB

Download
memory/3576-250-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/3576-333-0x0000019FFBD40000-0x0000019FFBEAA000-memory.dmp

Filesize
1.4MB

Download
memory/3696-68-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/3696-74-0x00000232DB0C0000-0x00000232DB0D0000-memory.dmp

Filesize
64KB

Download
memory/3696-71-0x00000232DB0C0000-0x00000232DB0D0000-memory.dmp

Filesize
64KB

Download
memory/3696-283-0x00000232DB5C0000-0x00000232DB72A000-memory.dmp

Filesize
1.4MB

Download
memory/3704-300-0x0000016049840000-0x00000160499AA000-memory.dmp

Filesize
1.4MB

Download
memory/4580-17-0x00007FFF684C0000-0x00007FFF684C1000-memory.dmp

Filesize
4KB

Download
memory/4580-19-0x000000001B320000-0x000000001B32E000-memory.dmp

Filesize
56KB

Download
memory/4580-49-0x00007FFF682E0000-0x00007FFF682E1000-memory.dmp

Filesize
4KB

Download
memory/4580-50-0x00007FFF682D0000-0x00007FFF682D1000-memory.dmp

Filesize
4KB

Download
memory/4580-52-0x000000001C900000-0x000000001C90C000-memory.dmp

Filesize
48KB

Download
memory/4580-47-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/4580-41-0x000000001C960000-0x000000001C9BA000-memory.dmp

Filesize
360KB

Download
memory/4580-37-0x00007FFF68460000-0x00007FFF68461000-memory.dmp

Filesize
4KB

Download
memory/4580-1-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/4580-36-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/4580-30-0x000000001B3A0000-0x000000001B3AE000-memory.dmp

Filesize
56KB

Download
memory/4580-7-0x00007FFF684F0000-0x00007FFF685AE000-memory.dmp

Filesize
760KB

Download
memory/4580-13-0x00007FFF684D0000-0x00007FFF684D1000-memory.dmp

Filesize
4KB

Download
memory/4580-2-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/4580-6-0x0000000000F00000-0x0000000000F0E000-memory.dmp

Filesize
56KB

Download
memory/4580-31-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/4580-23-0x00007FFF684A0000-0x00007FFF684A1000-memory.dmp

Filesize
4KB

Download
memory/4580-28-0x000000001B390000-0x000000001B39C000-memory.dmp

Filesize
48KB

Download
memory/4580-26-0x00007FFF68490000-0x00007FFF68491000-memory.dmp

Filesize
4KB

Download
memory/4580-25-0x000000001B410000-0x000000001B422000-memory.dmp

Filesize
72KB

Download
memory/4580-32-0x00007FFF68480000-0x00007FFF68481000-memory.dmp

Filesize
4KB

Download
memory/4580-77-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/4580-22-0x000000001B330000-0x000000001B33E000-memory.dmp

Filesize
56KB

Download
memory/4580-0-0x0000000000480000-0x0000000000720000-memory.dmp

Filesize
2.6MB

Download
memory/4580-20-0x00007FFF684B0000-0x00007FFF684B1000-memory.dmp

Filesize
4KB

Download
memory/4580-14-0x000000001B3C0000-0x000000001B410000-memory.dmp

Filesize
320KB

Download
memory/4580-16-0x000000001B370000-0x000000001B388000-memory.dmp

Filesize
96KB

Download
memory/4580-73-0x00007FFF684F0000-0x00007FFF685AE000-memory.dmp

Filesize
760KB

Download
memory/4580-12-0x000000001B340000-0x000000001B35C000-memory.dmp

Filesize
112KB

Download
memory/4580-8-0x00007FFF684E0000-0x00007FFF684E1000-memory.dmp

Filesize
4KB

Download
memory/4580-10-0x00007FFF684F0000-0x00007FFF685AE000-memory.dmp

Filesize
760KB

Download
memory/4580-9-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/4580-4-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/4580-3-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4580-48-0x00007FFF682F0000-0x00007FFF682F1000-memory.dmp

Filesize
4KB

Download
memory/4580-46-0x000000001C920000-0x000000001C938000-memory.dmp

Filesize
96KB

Download
memory/4580-44-0x00007FFF684F0000-0x00007FFF685AE000-memory.dmp

Filesize
760KB

Download
memory/4580-43-0x000000001B430000-0x000000001B43E000-memory.dmp

Filesize
56KB

Download
memory/4580-39-0x00007FFF68450000-0x00007FFF68451000-memory.dmp

Filesize
4KB

Download
memory/4580-38-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/4580-34-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/4580-33-0x00007FFF68470000-0x00007FFF68471000-memory.dmp

Filesize
4KB

Download
memory/4620-325-0x00000286767C0000-0x000002867692A000-memory.dmp

Filesize
1.4MB

Download
memory/4620-238-0x00007FFF4A0A0000-0x00007FFF4AB61000-memory.dmp

Filesize
10.8MB

Download
memory/4620-248-0x00000286764D0000-0x00000286764E0000-memory.dmp

Filesize
64KB

Download
memory/4780-332-0x00000248FA450000-0x00000248FA5BA000-memory.dmp

Filesize
1.4MB

Download
memory/4868-342-0x0000017A43B80000-0x0000017A43CEA000-memory.dmp

Filesize
1.4MB

Download
memory/5444-387-0x000000001B850000-0x000000001B858000-memory.dmp

Filesize
32KB

Download