zgrat | 3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Size

1.9MB
MD5

a8feeee4d7550b6d235a58fcc27a7c27
SHA1

cca74652e0efb730d7109d825102f6d163cbcf91
SHA256

3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9
SHA512

2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3
SSDEEP

24576:hgXogJObMWfLOAT6gih1R12T3W07YbkKKcZUhhKpHqS/iZ0g0W2kg+mnS5aUVDe2:hFo6EN0W08kKKQUD8abIVS5xDL

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4532-0-0x0000000000190000-0x0000000000380000-memory.dmp	family_zgrat_v1
C:\ProgramData\ssh\fontdrvhost.exe	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	3864	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3864	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Executes dropped EXE 2 IoCs

Processes:

dllhost.exemsedge.exe

pid process

3836 dllhost.exe
4604 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3836	dllhost.exe
4604	msedge.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\""	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\zj5byy.exe	csc.exe
File created	\??\c:\Windows\System32\CSC4B98A437FA0E4543A96772EFB5DE25EF.TMP	csc.exe

Drops file in Program Files directory 6 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.execsc.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cc11b995f2a76d	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCEFF565DEE6644A06AA6E61FE4B5C1A82.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2436	schtasks.exe
1184	schtasks.exe
1756	schtasks.exe
228	schtasks.exe
4284	schtasks.exe
1360	schtasks.exe
1568	schtasks.exe
2016	schtasks.exe
3708	schtasks.exe
2152	schtasks.exe
1720	schtasks.exe
568	schtasks.exe
1488	schtasks.exe
1676	schtasks.exe
4184	schtasks.exe

Modifies registry class 1 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exe

pid	process
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

3836 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.exedllhost.exe

description pid process

Token: SeDebugPrivilege 4532 A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Token: SeDebugPrivilege 3836 dllhost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dllhost.exe

pid process

3836 dllhost.exe

pid	process
3836	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Token: SeDebugPrivilege	3836	dllhost.exe

pid	process
3836	dllhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

A8FEEEE4D7550B6D235A58FCC27A7C27.execsc.execsc.execmd.exe

description	pid	process	target process
PID 4532 wrote to memory of 2888	4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 4532 wrote to memory of 2888	4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 2888 wrote to memory of 2924	2888	csc.exe	cvtres.exe
PID 2888 wrote to memory of 2924	2888	csc.exe	cvtres.exe
PID 4532 wrote to memory of 3576	4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 4532 wrote to memory of 3576	4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	csc.exe
PID 3576 wrote to memory of 5024	3576	csc.exe	cvtres.exe
PID 3576 wrote to memory of 5024	3576	csc.exe	cvtres.exe
PID 4532 wrote to memory of 2648	4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 4532 wrote to memory of 2648	4532	A8FEEEE4D7550B6D235A58FCC27A7C27.exe	cmd.exe
PID 2648 wrote to memory of 5052	2648	cmd.exe	chcp.com
PID 2648 wrote to memory of 5052	2648	cmd.exe	chcp.com
PID 2648 wrote to memory of 1840	2648	cmd.exe	w32tm.exe
PID 2648 wrote to memory of 1840	2648	cmd.exe	w32tm.exe
PID 2648 wrote to memory of 3836	2648	cmd.exe	dllhost.exe
PID 2648 wrote to memory of 3836	2648	cmd.exe	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe
"C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\db5fd0xj\db5fd0xj.cmdline"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74C2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCEFF565DEE6644A06AA6E61FE4B5C1A82.TMP"
3⤵
PID:2924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jlgdlpm\5jlgdlpm.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp" "c:\Windows\System32\CSC4B98A437FA0E4543A96772EFB5DE25EF.TMP"
3⤵
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o2HWeUWPRt.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:5052

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1840

C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
1⤵
- Executes dropped EXE
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
561c7a2b247389ec9187fa1322e4c426

SHA1
bf794c79833414eee2b61ea2be60a4514b3a3d31

SHA256
362ebc9cc05bde868e74d922c36972c6e7f90b07a46680909aafef66692c5c5c

SHA512
549a4433d3d8cbc96a3dbb6f6d9de49570340a2fb18509f949ce830b3efc05c7eedbb2e6fd0fee4041739b022a44dc6edd5a33b669f65fe00da5b8bfea7befb9

Download Submit
C:\ProgramData\ssh\fontdrvhost.exe

Filesize
1.9MB

MD5
a8feeee4d7550b6d235a58fcc27a7c27

SHA1
cca74652e0efb730d7109d825102f6d163cbcf91

SHA256
3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9

SHA512
2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES74C2.tmp

Filesize
1KB

MD5
73fd11d74ab2547a86ee83c28dcd376a

SHA1
ed5e952398d7d52f963ca6490054303d696c3bba

SHA256
4ac1f5a60c3dbe9e0a128ac0ffefde917688e0810608b337d81ec59563f6025d

SHA512
0caf7c8e6e6df7d6f07759f5466335db14eb3fea99b80f4d802444a3d6f0c6777bab32e8562f7fa5e5c8b71379f655fa4ea38556dfbebfcccf2be891a7c48c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp

Filesize
1KB

MD5
f01fe7359221bf73872655a7dede1850

SHA1
e2d4ab43229b804d27a675795bc5523561e24587

SHA256
7891f2d3e10a86b6f6582769c450c02a57f42fb76521c64d71d3bd2e82fb49da

SHA512
267d066f813d1dab01738e9bd8b8e7f0306f9d9aeb39e56706d0e3792928fa7f43b42a7a00aa04010801fab6e2d6220d8683ae1b6377253bc2d25877aff0791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\o2HWeUWPRt.bat

Filesize
209B

MD5
7503bbd509a61aa8fb9657384aadf76a

SHA1
13736b653a1a8e1504ce476700a6a4db9c8fb0f1

SHA256
d38ce3c563207a3da87d8120eeda523f39af2457070f2d5d5f32512ba6d45799

SHA512
cf0dced6694a904dc26cf3873330f4d536427c321b455d5a04691908d572a29051cc262e980d26f6c71cd36ab138ef915bf7d9df5ac586b449dc71f87773c240

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCEFF565DEE6644A06AA6E61FE4B5C1A82.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jlgdlpm\5jlgdlpm.0.cs

Filesize
363B

MD5
ad55556b31951c6a0ba6181c1fa17927

SHA1
70d5b80497fcc0bdebe35526f3ccf7008cec9c1e

SHA256
c3619cac3179e8e09a07f4cf353c10d9e57fcd8216d1585bea4ff29c17040939

SHA512
ddb8605adbb20f418f2a494798d20a1d8db27820e79c0fe5263d26ece4f7ff8bb6752e0730e290ab3ece7237a820d66c01b0d23940c89d28b42877b41b65290c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jlgdlpm\5jlgdlpm.cmdline

Filesize
235B

MD5
ea36dea8d4421a3751f7e2c4f3443a8b

SHA1
b26e517c9d33a5f154e35cc550fa0576a74153c6

SHA256
27aa8b21164f703607697094db61334be2fd45020788769b0926b739e843e113

SHA512
5ea0f85cc1f6ae5f485e274159536b8e786240f75e925067527a9396f26944776378014bc85fde9a81ba73626b6999b8a221b006d52d690c64812b3c00ae1d3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\db5fd0xj\db5fd0xj.0.cs

Filesize
393B

MD5
c2d857787aa2b73168eb420ba5f0558e

SHA1
31b20f18ae8e067a402a7b49da610721696abbaa

SHA256
e2af289f73751d10b35c062c664a897f14902d835eb554ae7816b23b21dfb365

SHA512
829a81e247cc7afde566dc77b51e3e38131081a7fad0c7c8dcd7b9ce2e2708940721d62c9fd5be0e03329162303518123eb02c4cd4e868f7bfbc0c39e2dc3e1e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\db5fd0xj\db5fd0xj.cmdline

Filesize
265B

MD5
1b174fcba809e1477a7cc941a79e1d53

SHA1
676e15c4e1a9b78985e24a5ef5cef224404228d2

SHA256
13c01376cfbba6ea778bb3fc54e6f4c856f24a29a27956c8a2144040485f0e41

SHA512
1327594f16fac5b6af98eed4ee573045658fc2f90177b6d8010f23f507575d35799e27bec8807d0dda8cc833134524f06bbebdf4f241e32582eeb86dbddd3504

Download Submit
\??\c:\Windows\System32\CSC4B98A437FA0E4543A96772EFB5DE25EF.TMP

Filesize
1KB

MD5
a626787e73f3ee32309f3b28aa677d21

SHA1
4972cc1ac1f39d0831ae386c45c8bed54f247d50

SHA256
0e7364af5c323ea023f30fd840b602b6bd6d2a494505d861ad8c069fefe391c3

SHA512
03d19f487428f4b9fa6ad718a7c379ac2cc2300a1b6e685cfd7b8ae280b267866e63a420e11420f2a199204ca419162aae7c1eb278134c1babd654cc1f8358f0

Download Submit
memory/3836-78-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/3836-72-0x00007FFF70600000-0x00007FFF710C1000-memory.dmp

Filesize
10.8MB

Download
memory/3836-138-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3836-100-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3836-94-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3836-93-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/3836-92-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3836-91-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3836-90-0x00007FFF70600000-0x00007FFF710C1000-memory.dmp

Filesize
10.8MB

Download
memory/3836-89-0x00007FFF8F6B0000-0x00007FFF8F6B1000-memory.dmp

Filesize
4KB

Download
memory/3836-87-0x00007FFF8F6C0000-0x00007FFF8F6C1000-memory.dmp

Filesize
4KB

Download
memory/3836-85-0x00007FFF8F6D0000-0x00007FFF8F6D1000-memory.dmp

Filesize
4KB

Download
memory/3836-83-0x00007FFF8F6E0000-0x00007FFF8F6E1000-memory.dmp

Filesize
4KB

Download
memory/3836-82-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/3836-79-0x00007FFF8F6F0000-0x00007FFF8F6F1000-memory.dmp

Filesize
4KB

Download
memory/3836-80-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3836-77-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/3836-75-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/3836-74-0x0000000001760000-0x0000000001761000-memory.dmp

Filesize
4KB

Download
memory/3836-73-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/4532-14-0x00007FFF8F6E0000-0x00007FFF8F6E1000-memory.dmp

Filesize
4KB

Download
memory/4532-10-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/4532-68-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/4532-67-0x00007FFF71290000-0x00007FFF71D51000-memory.dmp

Filesize
10.8MB

Download
memory/4532-3-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4532-4-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/4532-8-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/4532-7-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/4532-0-0x0000000000190000-0x0000000000380000-memory.dmp

Filesize
1.9MB

Download
memory/4532-9-0x00007FFF8F6F0000-0x00007FFF8F6F1000-memory.dmp

Filesize
4KB

Download
memory/4532-6-0x0000000002550000-0x000000000255E000-memory.dmp

Filesize
56KB

Download
memory/4532-2-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/4532-11-0x00007FFF8F710000-0x00007FFF8F7CE000-memory.dmp

Filesize
760KB

Download
memory/4532-13-0x000000001B210000-0x000000001B22C000-memory.dmp

Filesize
112KB

Download
memory/4532-26-0x00007FFF8F6B0000-0x00007FFF8F6B1000-memory.dmp

Filesize
4KB

Download
memory/4532-25-0x00007FFF71290000-0x00007FFF71D51000-memory.dmp

Filesize
10.8MB

Download
memory/4532-24-0x0000000002560000-0x000000000256E000-memory.dmp

Filesize
56KB

Download
memory/4532-22-0x000000001B800000-0x000000001BD28000-memory.dmp

Filesize
5.2MB

Download
memory/4532-20-0x000000001B250000-0x000000001B262000-memory.dmp

Filesize
72KB

Download
memory/4532-21-0x00007FFF8F6C0000-0x00007FFF8F6C1000-memory.dmp

Filesize
4KB

Download
memory/4532-18-0x00007FFF8F6D0000-0x00007FFF8F6D1000-memory.dmp

Filesize
4KB

Download
memory/4532-17-0x000000001B230000-0x000000001B248000-memory.dmp

Filesize
96KB

Download
memory/4532-1-0x00007FFF71290000-0x00007FFF71D51000-memory.dmp

Filesize
10.8MB

Download
memory/4532-15-0x000000001B280000-0x000000001B2D0000-memory.dmp

Filesize
320KB

Download