Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-04-2024 06:37
Behavioral task
behavioral1
Sample
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Resource
win10v2004-20240226-en
General
-
Target
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
-
Size
1.9MB
-
MD5
a8feeee4d7550b6d235a58fcc27a7c27
-
SHA1
cca74652e0efb730d7109d825102f6d163cbcf91
-
SHA256
3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9
-
SHA512
2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3
-
SSDEEP
24576:hgXogJObMWfLOAT6gih1R12T3W07YbkKKcZUhhKpHqS/iZ0g0W2kg+mnS5aUVDe2:hFo6EN0W08kKKQUD8abIVS5xDL
Malware Config
Signatures
-
Detect ZGRat V1 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4532-0-0x0000000000190000-0x0000000000380000-memory.dmp  family_zgrat_v1
C:\ProgramData\ssh\fontdrvhost.exe  family_zgrat_v1
-
Modifies WinLogon for persistence 2 TTPs 5 IoCs
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\", \"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe (15 instances)
description  pid  pid_target  process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1488  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2436  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1676  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4184  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3708  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1184  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2152  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  4284  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1360  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1568  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1756  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1720  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2016  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  568  3864  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  228  3864  schtasks.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
-
Executes dropped EXE 2 IoCs
Processes:
dllhost.exe, msedge.exe
pid  process
3836  dllhost.exe
4604  msedge.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\services.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\winlogon.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\ssh\\fontdrvhost.exe\""  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
-
Drops file in System32 directory 2 IoCs
Processes:
csc.exe
description  ioc  process
File created  \??\c:\Windows\System32\zj5byy.exe  csc.exe
File created  \??\c:\Windows\System32\CSC4B98A437FA0E4543A96772EFB5DE25EF.TMP  csc.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe, csc.exe
description  ioc  process
File created  C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created  C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cc11b995f2a76d  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
File created  \??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCEFF565DEE6644A06AA6E61FE4B5C1A82.TMP  csc.exe
File created  \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  csc.exe
File created  C:\Program Files (x86)\Windows Multimedia Platform\services.exe  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe (15 instances)
pid  process
2436  schtasks.exe
1184  schtasks.exe
1756  schtasks.exe
228  schtasks.exe
4284  schtasks.exe
1360  schtasks.exe
1568  schtasks.exe
2016  schtasks.exe
3708  schtasks.exe
2152  schtasks.exe
1720  schtasks.exe
568  schtasks.exe
1488  schtasks.exe
1676  schtasks.exe
4184  schtasks.exe
-
Modifies registry class 1 IoCs
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe
pid  process
4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe  (this same entry is listed 64 times)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
dllhost.exe
pid  process
3836  dllhost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe, dllhost.exe
description  pid  process
Token: SeDebugPrivilege  4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe
Token: SeDebugPrivilege  3836  dllhost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
dllhost.exe
pid  process
3836  dllhost.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
A8FEEEE4D7550B6D235A58FCC27A7C27.exe, csc.exe, csc.exe, cmd.exe
description  pid  process  target process
PID 4532 wrote to memory of 2888  4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe  csc.exe
PID 4532 wrote to memory of 2888  4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe  csc.exe
PID 2888 wrote to memory of 2924  2888  csc.exe  cvtres.exe
PID 2888 wrote to memory of 2924  2888  csc.exe  cvtres.exe
PID 4532 wrote to memory of 3576  4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe  csc.exe
PID 4532 wrote to memory of 3576  4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe  csc.exe
PID 3576 wrote to memory of 5024  3576  csc.exe  cvtres.exe
PID 3576 wrote to memory of 5024  3576  csc.exe  cvtres.exe
PID 4532 wrote to memory of 2648  4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe  cmd.exe
PID 4532 wrote to memory of 2648  4532  A8FEEEE4D7550B6D235A58FCC27A7C27.exe  cmd.exe
PID 2648 wrote to memory of 5052  2648  cmd.exe  chcp.com
PID 2648 wrote to memory of 5052  2648  cmd.exe  chcp.com
PID 2648 wrote to memory of 1840  2648  cmd.exe  w32tm.exe
PID 2648 wrote to memory of 1840  2648  cmd.exe  w32tm.exe
PID 2648 wrote to memory of 3836  2648  cmd.exe  dllhost.exe
PID 2648 wrote to memory of 3836  2648  cmd.exe  dllhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe
"C:\Users\Admin\AppData\Local\Temp\A8FEEEE4D7550B6D235A58FCC27A7C27.exe"
[level 1]
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\db5fd0xj\db5fd0xj.cmdline"
[level 2]
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2888
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74C2.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCEFF565DEE6644A06AA6E61FE4B5C1A82.TMP"
[level 3]
PID:2924
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jlgdlpm\5jlgdlpm.cmdline"
[level 2]
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3576
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75CC.tmp" "c:\Windows\System32\CSC4B98A437FA0E4543A96772EFB5DE25EF.TMP"
[level 3]
PID:5024
-
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o2HWeUWPRt.bat"
[level 2]
- Suspicious use of WriteProcessMemory
PID:2648
-
C:\Windows\system32\chcp.com
chcp 65001
[level 3]
PID:5052
-
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[level 3]
PID:1840
-
C:\Recovery\WindowsRE\dllhost.exe
"C:\Recovery\WindowsRE\dllhost.exe"
[level 3]
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3836
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\fontdrvhost.exe'" /rl HIGHEST /f
[level 1]
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
[level 1]
- Executes dropped EXE
PID:4604
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
4KB
MD5 561c7a2b247389ec9187fa1322e4c426
SHA1 bf794c79833414eee2b61ea2be60a4514b3a3d31
SHA256 362ebc9cc05bde868e74d922c36972c6e7f90b07a46680909aafef66692c5c5c
SHA512 549a4433d3d8cbc96a3dbb6f6d9de49570340a2fb18509f949ce830b3efc05c7eedbb2e6fd0fee4041739b022a44dc6edd5a33b669f65fe00da5b8bfea7befb9
-
Filesize
1.9MB
MD5 a8feeee4d7550b6d235a58fcc27a7c27
SHA1 cca74652e0efb730d7109d825102f6d163cbcf91
SHA256 3ee12db2ab7af77010f1734d5e13766842c50b258c5fe228fe26164fe98ba4a9
SHA512 2a016f1dbd2d2466bf61a422775453432e16df42014370b8c862b03af0f176eef9058542aff89cf61825d3565045e943680c2386e09ca30327a9900190d155f3
-
Filesize
1KB
MD5 73fd11d74ab2547a86ee83c28dcd376a
SHA1 ed5e952398d7d52f963ca6490054303d696c3bba
SHA256 4ac1f5a60c3dbe9e0a128ac0ffefde917688e0810608b337d81ec59563f6025d
SHA512 0caf7c8e6e6df7d6f07759f5466335db14eb3fea99b80f4d802444a3d6f0c6777bab32e8562f7fa5e5c8b71379f655fa4ea38556dfbebfcccf2be891a7c48c27
-
Filesize
1KB
MD5 f01fe7359221bf73872655a7dede1850
SHA1 e2d4ab43229b804d27a675795bc5523561e24587
SHA256 7891f2d3e10a86b6f6582769c450c02a57f42fb76521c64d71d3bd2e82fb49da
SHA512 267d066f813d1dab01738e9bd8b8e7f0306f9d9aeb39e56706d0e3792928fa7f43b42a7a00aa04010801fab6e2d6220d8683ae1b6377253bc2d25877aff0791d
-
Filesize
209B
MD5 7503bbd509a61aa8fb9657384aadf76a
SHA1 13736b653a1a8e1504ce476700a6a4db9c8fb0f1
SHA256 d38ce3c563207a3da87d8120eeda523f39af2457070f2d5d5f32512ba6d45799
SHA512 cf0dced6694a904dc26cf3873330f4d536427c321b455d5a04691908d572a29051cc262e980d26f6c71cd36ab138ef915bf7d9df5ac586b449dc71f87773c240
-
Filesize
1KB
MD5 b5189fb271be514bec128e0d0809c04e
SHA1 5dd625d27ed30fca234ec097ad66f6c13a7edcbe
SHA256 e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f
SHA512 f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e
-
Filesize
363B
MD5 ad55556b31951c6a0ba6181c1fa17927
SHA1 70d5b80497fcc0bdebe35526f3ccf7008cec9c1e
SHA256 c3619cac3179e8e09a07f4cf353c10d9e57fcd8216d1585bea4ff29c17040939
SHA512 ddb8605adbb20f418f2a494798d20a1d8db27820e79c0fe5263d26ece4f7ff8bb6752e0730e290ab3ece7237a820d66c01b0d23940c89d28b42877b41b65290c
-
Filesize
235B
MD5 ea36dea8d4421a3751f7e2c4f3443a8b
SHA1 b26e517c9d33a5f154e35cc550fa0576a74153c6
SHA256 27aa8b21164f703607697094db61334be2fd45020788769b0926b739e843e113
SHA512 5ea0f85cc1f6ae5f485e274159536b8e786240f75e925067527a9396f26944776378014bc85fde9a81ba73626b6999b8a221b006d52d690c64812b3c00ae1d3a
-
Filesize
393B
MD5 c2d857787aa2b73168eb420ba5f0558e
SHA1 31b20f18ae8e067a402a7b49da610721696abbaa
SHA256 e2af289f73751d10b35c062c664a897f14902d835eb554ae7816b23b21dfb365
SHA512 829a81e247cc7afde566dc77b51e3e38131081a7fad0c7c8dcd7b9ce2e2708940721d62c9fd5be0e03329162303518123eb02c4cd4e868f7bfbc0c39e2dc3e1e
-
Filesize
265B
MD5 1b174fcba809e1477a7cc941a79e1d53
SHA1 676e15c4e1a9b78985e24a5ef5cef224404228d2
SHA256 13c01376cfbba6ea778bb3fc54e6f4c856f24a29a27956c8a2144040485f0e41
SHA512 1327594f16fac5b6af98eed4ee573045658fc2f90177b6d8010f23f507575d35799e27bec8807d0dda8cc833134524f06bbebdf4f241e32582eeb86dbddd3504
-
Filesize
1KB
MD5 a626787e73f3ee32309f3b28aa677d21
SHA1 4972cc1ac1f39d0831ae386c45c8bed54f247d50
SHA256 0e7364af5c323ea023f30fd840b602b6bd6d2a494505d861ad8c069fefe391c3
SHA512 03d19f487428f4b9fa6ad718a7c379ac2cc2300a1b6e685cfd7b8ae280b267866e63a420e11420f2a199204ca419162aae7c1eb278134c1babd654cc1f8358f0