zgrat | ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

Analysis

max time kernel
158s
max time network
178s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Size

2.0MB
MD5

70d149f275ccc89790c5405849a9ad9f
SHA1

de1a99c487f1b78320142e64fa1531c65a1ad8e7
SHA256

ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4
SHA512

899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7
SSDEEP

49152:yKB0Z0w15HQDEbwbIx0QEiY/ifrR6Vuo:yKB+1NQDETjAifH

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/2828-0-0x0000000000AB0000-0x0000000000CAA000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00060000000162a6-41.dat	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2668	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2668	schtasks.exe	27

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral1/memory/2828-0-0x0000000000AB0000-0x0000000000CAA000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x00060000000162a6-41.dat	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 11 IoCs

pid	Process
2956	dwm.exe
2356	dwm.exe
1992	dwm.exe
1800	dwm.exe
1880	dwm.exe
2080	dwm.exe
1856	dwm.exe
2624	dwm.exe
2920	dwm.exe
2248	dwm.exe
1752	dwm.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\en-US\explorer.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files\Windows Mail\en-US\7a0fd90576e088	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\b75386f1303e64	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1992	schtasks.exe
2500	schtasks.exe
2168	schtasks.exe
2476	schtasks.exe
1088	schtasks.exe
108	schtasks.exe
3024	schtasks.exe
1612	schtasks.exe
2872	schtasks.exe
436	schtasks.exe
2720	schtasks.exe
3008	schtasks.exe
2980	schtasks.exe
2868	schtasks.exe
1924	schtasks.exe
584	schtasks.exe
2516	schtasks.exe
1584	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2348	PING.EXE
984	PING.EXE
2936	PING.EXE
2888	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2956	dwm.exe
Token: SeDebugPrivilege	2356	dwm.exe
Token: SeDebugPrivilege	1992	dwm.exe
Token: SeDebugPrivilege	1800	dwm.exe
Token: SeDebugPrivilege	1880	dwm.exe
Token: SeDebugPrivilege	2080	dwm.exe
Token: SeDebugPrivilege	1856	dwm.exe
Token: SeDebugPrivilege	2624	dwm.exe
Token: SeDebugPrivilege	2920	dwm.exe
Token: SeDebugPrivilege	2248	dwm.exe
Token: SeDebugPrivilege	1752	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 904	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	46
PID 2828 wrote to memory of 904	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	46
PID 2828 wrote to memory of 904	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	46
PID 2828 wrote to memory of 948	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	47
PID 2828 wrote to memory of 948	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	47
PID 2828 wrote to memory of 948	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	47
PID 2828 wrote to memory of 2200	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	48
PID 2828 wrote to memory of 2200	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	48
PID 2828 wrote to memory of 2200	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	48
PID 2828 wrote to memory of 608	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	49
PID 2828 wrote to memory of 608	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	49
PID 2828 wrote to memory of 608	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	49
PID 2828 wrote to memory of 2356	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	50
PID 2828 wrote to memory of 2356	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	50
PID 2828 wrote to memory of 2356	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	50
PID 2828 wrote to memory of 2432	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	51
PID 2828 wrote to memory of 2432	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	51
PID 2828 wrote to memory of 2432	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	51
PID 2828 wrote to memory of 3044	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	52
PID 2828 wrote to memory of 3044	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	52
PID 2828 wrote to memory of 3044	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	52
PID 2828 wrote to memory of 2108	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	53
PID 2828 wrote to memory of 2108	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	53
PID 2828 wrote to memory of 2108	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	53
PID 2828 wrote to memory of 2544	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	63
PID 2828 wrote to memory of 2544	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	63
PID 2828 wrote to memory of 2544	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	63
PID 2828 wrote to memory of 2288	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	62
PID 2828 wrote to memory of 2288	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	62
PID 2828 wrote to memory of 2288	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	62
PID 2828 wrote to memory of 792	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	59
PID 2828 wrote to memory of 792	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	59
PID 2828 wrote to memory of 792	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	59
PID 2828 wrote to memory of 1468	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	57
PID 2828 wrote to memory of 1468	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	57
PID 2828 wrote to memory of 1468	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	57
PID 2828 wrote to memory of 340	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	54
PID 2828 wrote to memory of 340	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	54
PID 2828 wrote to memory of 340	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	54
PID 2828 wrote to memory of 1664	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	60
PID 2828 wrote to memory of 1664	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	60
PID 2828 wrote to memory of 1664	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	60
PID 2828 wrote to memory of 808	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2828 wrote to memory of 808	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2828 wrote to memory of 808	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	73
PID 2828 wrote to memory of 2232	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2828 wrote to memory of 2232	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2828 wrote to memory of 2232	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	72
PID 2828 wrote to memory of 2008	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	70
PID 2828 wrote to memory of 2008	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	70
PID 2828 wrote to memory of 2008	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	70
PID 2828 wrote to memory of 2100	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2828 wrote to memory of 2100	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2828 wrote to memory of 2100	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	68
PID 2828 wrote to memory of 2952	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	83
PID 2828 wrote to memory of 2952	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	83
PID 2828 wrote to memory of 2952	2828	ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe	83
PID 2952 wrote to memory of 1584	2952	cmd.exe	85
PID 2952 wrote to memory of 1584	2952	cmd.exe	85
PID 2952 wrote to memory of 1584	2952	cmd.exe	85
PID 2952 wrote to memory of 2408	2952	cmd.exe	84
PID 2952 wrote to memory of 2408	2952	cmd.exe	84
PID 2952 wrote to memory of 2408	2952	cmd.exe	84
PID 2952 wrote to memory of 2956	2952	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe
"C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe"
1⤵
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\lsm.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y8iZeTbdct.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2408
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1584
- - C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
    "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat"
      4⤵
      PID:556
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:700
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1672
    - - C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bviytIjYVg.bat"
        6⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2832
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o1vNVowh3C.bat"
        8⤵
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2348
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NuTuzs6IaN.bat"
        10⤵
        
        PID:2844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:984
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B35ds8t0En.bat"
        12⤵
        
        PID:692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2232
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vQ67f4CFMe.bat"
        14⤵
        
        PID:1392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1988
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5kD435lcwQ.bat"
        16⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:2936
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat"
        18⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2740
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fDDEz4CMJh.bat"
        20⤵
        
        PID:1540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1304
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jvhcSLBvsS.bat"
        22⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2888
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tQXqh6EDhL.bat"
        24⤵
        
        PID:3004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4c" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\lsm.exe

Filesize
2.0MB

MD5
70d149f275ccc89790c5405849a9ad9f

SHA1
de1a99c487f1b78320142e64fa1531c65a1ad8e7

SHA256
ca800f43e6af0552e09a026eca241ddf56722bafa0af51772f9b6432d9f4caf4

SHA512
899a53dda2c656117f1e618f06a334557536dcccd28d42a0f2ef6125ff9d0457759cff2c12c96c5b19381e25385ad3e31827f729bd6c5db397a58c0b7b7817a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kD435lcwQ.bat

Filesize
184B

MD5
5be1db8bf7530fab617f0f60b4954163

SHA1
0e3882bc03c97840363dfde8bc32a2d6cc425a64

SHA256
addfff1a1234ca9ec8d05d463521a08d179447104f4dab132d09db8bd15fbe7c

SHA512
de2042204a2eb57048ed78853a7fbf6eca6e5010797a6d45e59fb054cbeae84f69a6c06b3ed035790dc893c66d088262fd2f569cd27f851ce258e34903d8f728

Download Submit
C:\Users\Admin\AppData\Local\Temp\B35ds8t0En.bat

Filesize
232B

MD5
6e1a7cc4cc4c5afff8f119cd978dc236

SHA1
ea8a1da0878fd1f78f236ec9cc56491d6ef324ed

SHA256
a3da76a9e89dea320228c73369f7f127e9b815b3e639f6bd65952ac3b12fd729

SHA512
263068d282eb29d171cae3e4166ae78d79676f55fcc185ba2e581d634f25d90545343ee17b4c7ffcbe7a5a8b7360d1e0ca206ab818f742392468ee29a070abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC4F6.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat

Filesize
232B

MD5
2b209274c621e1d65ee9824237d72be3

SHA1
2956649ce2a68f138b2e261d948c85a0b43da52a

SHA256
8a7eeab89084a6a6ac40c700248aa224b59aa00ef2eb79189200918164bab833

SHA512
f9c8e946c9a70ebb85f29ea07f6bdc8e1c62f05867c02160801e31b14c433d5227bf16a22c2a7f23f847e2f68c47c0ab32838231e997a52564026ecdefe65cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuTuzs6IaN.bat

Filesize
184B

MD5
f706027cc7c258b969c61bf3a6ea9f2d

SHA1
7dae19e6fe83e76a7f2842e1422d0199251baab4

SHA256
ddb610b72dfe4e8e8ef10c096a39f917ca3fba23650ee28242cb3b4227157616

SHA512
cb8dca06ce26dfb4137fa0387342441f6729399f59c89eedda6fc8888fe835157a2f31df6a0332fff01191ef42bc63b7a2e95cd01f5e185df97b1c24339f042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC586.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\bviytIjYVg.bat

Filesize
232B

MD5
21d2b90a0688f576eae829ee4b1b44d4

SHA1
d1938cbf9a2496bcbb78d1deb63a1d5b9b7dd748

SHA256
33476efcb5eab762fd5717841909ca75328bfb4dc627036856cbd548d55b9cbb

SHA512
4f21ea91bd33d9f5346d05eb10f7fdf46ac543f2c078d26313ce3a0af0d4ef1a25f460503ab9fa421dc8d8fe05a484b1382f6b72582b018b83f25d2df6d32ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fDDEz4CMJh.bat

Filesize
232B

MD5
68dce36892b9a78a03c596bf16c9ffc5

SHA1
cbd671fdf5e69206b54edbbb6b529b54729b9a80

SHA256
ac4a5951c4a7ef0e21f65cd0c5c2392baf40085bab67626cce90cb273916ec2b

SHA512
f67a0206da916c66e72057c784d5160f2f8616f8a38182e527b10b9aebac00ad2d580b340e0f24636fc1280b53afadf4f4343b29bf23327849e75171e383a335

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvhcSLBvsS.bat

Filesize
184B

MD5
9119a7a953ba700c9673b955007d7f68

SHA1
6ab54d3b134cbf82c645538909e60e4bb291abf4

SHA256
421c5d4dbf15f49ec323a4214adc126c1223a501b2634d261691fe7598541f46

SHA512
bd59e031f5f64c2d2cab5d3db6deab64c292edd9ac773bc7f43a9e2a907c78783d84ce2d7166636802f7f7525236e9853de291bbd2e35a6b3547ff2ef89b7ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1vNVowh3C.bat

Filesize
184B

MD5
7cdc7200dfef84527e3631c9a96d993f

SHA1
4d6f44eeb2ea2ecd54f9b2c1379f05049ca02c92

SHA256
e18bc5479cd3d96e25f166dac34f4c575c817d94819b222dce5420952ae22b25

SHA512
d0f53d0b577655623c6be2abd552ddaeccc54a36aff480fae892039bcf517fa1dbf2f6e65c70502e7201f1b2cbcdcfa2de4f0f288428c88f90d64624eafdeefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQXqh6EDhL.bat

Filesize
232B

MD5
086608c58d35228dba4330253168473a

SHA1
dacb44b2d98740e8b564948cb7c3da91ef5a8444

SHA256
31df79887c40005b91e71b5faa11b976be199324be1ec31e8ed86f81f9b53e80

SHA512
787e4df44aa55cd54a8d71c9a121f78edbd3d9c2c23992853ff3ce332a24a00afb3b3685e30fb4df4d3edd6879b13f867ca8d6c0fef06b4d04d3b4129c5f5836

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1Mk5sQ2lf.bat

Filesize
232B

MD5
f25d4e2c2f6025ce4b662471259b53fb

SHA1
66aa1295f16381351d82f0a9587e607dcadc0186

SHA256
607724ef3d6c720dc7a66d4903ad99d83245da0da3896adc32e3471e3ec6059c

SHA512
e5d3ba5bb9c3185ba989b2171c7d966ce3c84f1585b595f313c9a36493f508ca3c846a02864ecfbbe6a6188093e7fdfc0279d90f559caad336bd77f4b792d07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQ67f4CFMe.bat

Filesize
232B

MD5
bc1b08ed040c75df37a954b8acbdd6e5

SHA1
2f1a5d29458e25d3c0511d4c702c2ccc37f62ca9

SHA256
c508d0f4adf3ed46abcc6795e28289c00b357849f687371b9ef764143038a56b

SHA512
1a720c2443cada4a354108510a570607439798b39e6fcee688b8afd7df8bcd0dc7bdc81e69f1e85be0806800773f706010d5f43c9f56a2f09d2df9c989df4a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8iZeTbdct.bat

Filesize
232B

MD5
872501c22db7a832d324bdc296fe39b3

SHA1
12edfd7cd3cb0b5d91dbbccae05d1ebea807f2b7

SHA256
65855633e1ced9f8fb2b423b2e2b78d6a5830d3f38d9246d24a0fa9fecedb75a

SHA512
309a5930c0fba333f48b14b41c6e87d434ff23b89bc3bd078b841c28d2b380c8b7e5e07f2f1465745c4e16b9f9b3382e7f8dee5d61c8fc38b1ff72c246ab2f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d20b0b570769b86f63b4f3ab1a0ef019

SHA1
e9c2106dcabe52d0a7ee41e89f7709fde10d9052

SHA256
244f71a746e80bd210f41793e810c28ac08586452a142b22383fd19b6f2bf512

SHA512
4c19f3dd62743fedd7b2e477b91ead95a3863f9ae6a346c82d1e889068297f2273ef626319f8c91112901ea17db83382a41d7bfcab61e97bbd20ea6f38b7747c

Download Submit
memory/608-234-0x00000000023BB000-0x0000000002422000-memory.dmp

Filesize
412KB

Download
memory/608-231-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/608-226-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/808-255-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/808-253-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/808-252-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/808-254-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/808-256-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/904-243-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/904-244-0x000000000256B000-0x00000000025D2000-memory.dmp

Filesize
412KB

Download
memory/904-242-0x0000000002564000-0x0000000002567000-memory.dmp

Filesize
12KB

Download
memory/904-240-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/948-257-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1468-246-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1468-245-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/1468-249-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1468-251-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2200-248-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2200-247-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2200-241-0x0000000002780000-0x0000000002800000-memory.dmp

Filesize
512KB

Download
memory/2200-239-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-228-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/2356-232-0x000000000277B000-0x00000000027E2000-memory.dmp

Filesize
412KB

Download
memory/2356-230-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-225-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-193-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2356-235-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2356-233-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/2544-227-0x00000000022A4000-0x00000000022A7000-memory.dmp

Filesize
12KB

Download
memory/2544-224-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download
memory/2544-229-0x00000000022AB000-0x0000000002312000-memory.dmp

Filesize
412KB

Download
memory/2828-17-0x0000000076FB0000-0x0000000076FB1000-memory.dmp

Filesize
4KB

Download
memory/2828-22-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2828-1-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-223-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-2-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2828-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2828-126-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2828-125-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2828-61-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2828-31-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2828-27-0x0000000076F80000-0x0000000076F81000-memory.dmp

Filesize
4KB

Download
memory/2828-29-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/2828-4-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2828-30-0x0000000076F70000-0x0000000076F71000-memory.dmp

Filesize
4KB

Download
memory/2828-26-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-25-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/2828-23-0x0000000076F90000-0x0000000076F91000-memory.dmp

Filesize
4KB

Download
memory/2828-5-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

Filesize
4KB

Download
memory/2828-19-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2828-20-0x0000000076FA0000-0x0000000076FA1000-memory.dmp

Filesize
4KB

Download
memory/2828-16-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2828-0-0x0000000000AB0000-0x0000000000CAA000-memory.dmp

Filesize
2.0MB

Download
memory/2828-14-0x0000000076FC0000-0x0000000076FC1000-memory.dmp

Filesize
4KB

Download
memory/2828-13-0x0000000000A00000-0x0000000000A18000-memory.dmp

Filesize
96KB

Download
memory/2828-11-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2828-9-0x0000000076FD0000-0x0000000076FD1000-memory.dmp

Filesize
4KB

Download
memory/2828-7-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2828-8-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/3044-238-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/3044-250-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/3044-236-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/3044-197-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/3044-237-0x000007FEED560000-0x000007FEEDEFD000-memory.dmp

Filesize
9.6MB

Download