zgrat | 3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668

Analysis

max time kernel
1s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 18:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
Size

3.8MB
MD5

abca987c031d8a9227e1a8150e4c14b1
SHA1

fb163c5fb4fb9197e96976dd3ec5fdc01226e790
SHA256

3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668
SHA512

55d502e0452a94a870338d744e94773a483b1309087e4a730d75fb9724f044ac43d3d02085d4e1abcc861ca89af68a8d4e5aa81add800b6f4e1a3b46abf7565f
SSDEEP

24576:hjczIGMPXrXke+ZiN2d88EmWw2V3muDNiEwTcFu7sb55fTCL75ly1Ro/9/:tc3MPXrXUDddEmUXiT4b5FTE5I1Ro/

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/1268-0-0x00000000011D0000-0x00000000013B8000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0015000000018644-29.dat	family_zgrat_v1
behavioral1/files/0x0037000000016c67-100.dat	family_zgrat_v1
behavioral1/memory/932-101-0x0000000000290000-0x0000000000478000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0037000000016c67-99.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\\System.exe\""	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\\System.exe\", \"C:\\Program Files\\Windows Mail\\en-US\\explorer.exe\""	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2796	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2796	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\\System.exe\""	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Mail\\en-US\\explorer.exe\""	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Mail\\en-US\\explorer.exe\""	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\\System.exe\""	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC47D50328DB3F48479614D363CA82C4D3.TMP	csc.exe
File created	\??\c:\Windows\System32\kkcny3.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
File created	C:\Program Files\Windows Mail\en-US\explorer.exe	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
File created	C:\Program Files\Windows Mail\en-US\7a0fd90576e088	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
File created	C:\Program Files (x86)\Uninstall Information\dwm.exe	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2960	schtasks.exe
2592	schtasks.exe
2680	schtasks.exe
1632	schtasks.exe
2092	schtasks.exe
2808	schtasks.exe
2120	schtasks.exe
2096	schtasks.exe
2908	schtasks.exe
2804	schtasks.exe
1696	schtasks.exe
2544	schtasks.exe
1628	schtasks.exe
2288	schtasks.exe
2624	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
588	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2780	1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe	29
PID 1268 wrote to memory of 2780	1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe	29
PID 1268 wrote to memory of 2780	1268	3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe	29
PID 2780 wrote to memory of 2712	2780	csc.exe	58
PID 2780 wrote to memory of 2712	2780	csc.exe	58
PID 2780 wrote to memory of 2712	2780	csc.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe
"C:\Users\Admin\AppData\Local\Temp\3e919e8f2497d8d0e45c1034090e736f3f4b70252ecf769f221e46525925e668.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0t4v1sjc\0t4v1sjc.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES228E.tmp" "c:\Windows\System32\CSC47D50328DB3F48479614D363CA82C4D3.TMP"
    3⤵
    PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qEIJQJY9pR.bat"
  2⤵
  PID:1928
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:588
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:336
- - C:\Program Files\Windows Mail\en-US\explorer.exe
    "C:\Program Files\Windows Mail\en-US\explorer.exe"
    3⤵
    PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\dwm.exe'
  2⤵
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dwm.exe'
  2⤵
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\wininit.exe'
  2⤵
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\explorer.exe'
  2⤵
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\System.exe'
  2⤵
  PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\7cc3d2c2-9b96-11ee-ab98-e6b52eba4e86\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\dwm.exe

Filesize
43KB

MD5
b47eebffb96d6309b569fdc8f18e7bc3

SHA1
d6e0042e1480968a3f0dc9c7b1f3e7324db7f475

SHA256
a5ef4bf0aafc685691e78c9a532077debaa34a524e0d647da656d1cd886a9d66

SHA512
7113ed9ece704b8002054eb44422c0f1fc89e01c2b8da9bc0d96adb87b4c4bbfb0865a37ae9871e3556b7c9f362805ce48f907b3c9354ff5847e5885a8759fbf

Download Submit
C:\Program Files\Windows Mail\en-US\explorer.exe

Filesize
48KB

MD5
a213d5c7bda84e6a8345a5b06c6d5f4e

SHA1
60f4b0b85d182a46c17da990978b21067645caa2

SHA256
90361533722eedf441f36cc52d2bc64602a5f30620ce0eeab9608d0b75803531

SHA512
b8ed556b9f4bfbbc1951b025a30aeaa52ddef89d3aa496b09c20ada7254a418668f4a808be06bb17d2a963a0711e4dfcbc5b21b60b14054cfb0b62692347d65f

Download Submit
C:\Program Files\Windows Mail\en-US\explorer.exe

Filesize
50KB

MD5
b8180c7c4cc62205b8b635f32051c9df

SHA1
33d2809507ea936a45abaf423218900f7a2675d6

SHA256
7a7a7c158e78ee07474d7ffbb8b6a62c43d41981222157d93c78a26cf4ad9967

SHA512
e78ddbcd624bbd9caf5d926d26d1c0c106f16e147a2b4d623d6fd9025f9212ee84223f65e7e4855499dd758d0212a75b9ee2d38fe8c417df10d67ca30232ea61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES228E.tmp

Filesize
1KB

MD5
48d89d6fd472d160bc3e1cb4566f9b04

SHA1
efaaed6e9c06cff78b6098a152853f2006b36f6b

SHA256
015f11d749146e4957f28caad9ca74030712fe2c0a3c857cd0976f7b770d11a7

SHA512
6d65f7caeb00bd1201c8e0bf4e6776c846ff5a8b4797473f7909259ab045fb6c0d0f26ff2fd5286a355464b2cb0a26cf4a1513983f34c2f199ae205755e459c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEIJQJY9pR.bat

Filesize
176B

MD5
105756f39693ecdd876be123adb0f619

SHA1
9025d02cb201d7d3c2598e9eb4010bf18d2cec12

SHA256
e41f953ff40985a094eb9dcc9b2262f469d81bc57cd0c2577acf0cc2ed3bc0dc

SHA512
138894d7b843680ff5b74668402fd2264d55032a002e7173fb987ed378c41374962633f8b4a3425d5218e54162a87f191015af5bb70177a56fa3a3c0123412a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1ddb94393d388d875c6747503696a87b

SHA1
41f387048cd5adf845c6f89e647c726ad406f812

SHA256
7ee41a593b44fa0c26301f7a7a1365914db214823cb0ca74f8cdafad7bd6cc4d

SHA512
0dab304d33c58e64193eaf5a8687fcfc589aa848935e10dad48d78cfed10b16eab4e10df732ed9eb20fabc271e9e8cffad51eb10bbeac5dc8af4f8ad86029c21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0t4v1sjc\0t4v1sjc.0.cs

Filesize
391B

MD5
c35dc3fb5a357c942ca63256a959bff2

SHA1
5d7075c110ae8f909eef0328788392242b2badcf

SHA256
a2857b9dd20e39b61d7e8da1514b7fafc14fc878391bc54cec4b47644b8a9012

SHA512
540fe68445589b1e0e1b0b63f136f8707c3689e0972d25d55faa6aef8d6262007db550f6165c97215440b9e0b4cf4b96e230bd7aae2836289dd823f0f657eb8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0t4v1sjc\0t4v1sjc.cmdline

Filesize
235B

MD5
b8025f15a50325d7ef0d49ffb1e53bb6

SHA1
f82f40681527bf84995b02efda0d39772b1484fe

SHA256
640d28254472271c8adf87c48836d83423aa1acb2beca73a64c4044bebc8fdcb

SHA512
97ba636a0e51ab9ab0b8c486c5d0ae70afcba0651f5b652c182b08ac1647a6654ebc9dbda9a73a08d7f5440a54facdc240ddb3303f1ec4d07ad5b13afd926995

Download Submit
\??\c:\Windows\System32\CSC47D50328DB3F48479614D363CA82C4D3.TMP

Filesize
1KB

MD5
b363a70dadc9c5b90594176ee7cc9619

SHA1
5663938cce35e5f57253b503141fc2373705b358

SHA256
1b2f2a541a84221d741f233cd3e84ee924275454bb693139ab5e1f724a54d5cb

SHA512
bdeaf1cfe1892f353445ea400a61728cdcd29c25ad0750e8f5b67551b088b76d509d59bc24045eacaf9aff8654e3ae56908a9b996fffcb145fb4a4edf2743921

Download Submit
memory/932-119-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/932-103-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-102-0x000007FEF4910000-0x000007FEF52FC000-memory.dmp

Filesize
9.9MB

Download
memory/932-104-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/932-140-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-101-0x0000000000290000-0x0000000000478000-memory.dmp

Filesize
1.9MB

Download
memory/932-105-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-139-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-117-0x0000000076A50000-0x0000000076A51000-memory.dmp

Filesize
4KB

Download
memory/932-116-0x0000000076A60000-0x0000000076A61000-memory.dmp

Filesize
4KB

Download
memory/932-121-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-122-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-120-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-115-0x0000000076A70000-0x0000000076A71000-memory.dmp

Filesize
4KB

Download
memory/932-107-0x0000000076A90000-0x0000000076A91000-memory.dmp

Filesize
4KB

Download
memory/932-109-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/932-114-0x0000000076A80000-0x0000000076A81000-memory.dmp

Filesize
4KB

Download
memory/1268-6-0x000000001A960000-0x000000001A9E0000-memory.dmp

Filesize
512KB

Download
memory/1268-14-0x0000000076A70000-0x0000000076A71000-memory.dmp

Filesize
4KB

Download
memory/1268-11-0x0000000076A80000-0x0000000076A81000-memory.dmp

Filesize
4KB

Download
memory/1268-13-0x0000000000470000-0x0000000000488000-memory.dmp

Filesize
96KB

Download
memory/1268-1-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1268-2-0x000000001A960000-0x000000001A9E0000-memory.dmp

Filesize
512KB

Download
memory/1268-10-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/1268-20-0x0000000076A50000-0x0000000076A51000-memory.dmp

Filesize
4KB

Download
memory/1268-19-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1268-17-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/1268-0-0x00000000011D0000-0x00000000013B8000-memory.dmp

Filesize
1.9MB

Download
memory/1268-15-0x0000000076A60000-0x0000000076A61000-memory.dmp

Filesize
4KB

Download
memory/1268-78-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1268-4-0x000000001A960000-0x000000001A9E0000-memory.dmp

Filesize
512KB

Download
memory/1268-5-0x0000000076A90000-0x0000000076A91000-memory.dmp

Filesize
4KB

Download
memory/1268-8-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1268-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1512-86-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1512-112-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1512-82-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-89-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1544-85-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1544-80-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1544-66-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1544-93-0x00000000027CB000-0x0000000002832000-memory.dmp

Filesize
412KB

Download
memory/1544-91-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/1544-77-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1544-79-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/1616-88-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1616-84-0x00000000028BB000-0x0000000002922000-memory.dmp

Filesize
412KB

Download
memory/1616-65-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1616-76-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/1616-70-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1616-68-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/1616-81-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-90-0x0000000002C7B000-0x0000000002CE2000-memory.dmp

Filesize
412KB

Download
memory/2616-87-0x0000000002C74000-0x0000000002C77000-memory.dmp

Filesize
12KB

Download
memory/2616-83-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-96-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2648-97-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-95-0x000000000220B000-0x0000000002272000-memory.dmp

Filesize
412KB

Download
memory/2648-92-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2648-98-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2648-111-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download
memory/2648-94-0x000007FEEDCF0000-0x000007FEEE68D000-memory.dmp

Filesize
9.6MB

Download