zgrat | 61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
Size

7.2MB
MD5

5446af14bfb2bf63ec1b409a0752f2bb
SHA1

2d0ed53f2bab261a09e50e35b95f896ddf6dd688
SHA256

61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434
SHA512

3f96ff6656d7937fe3be66688c5559a238be9e0277373dd8a325f2e36fbd50095285ae8da8db0b59f0706b9514bdf54f2f66da81caf4d2818b9c9d20d5cff436
SSDEEP

49152:OSa5+lvH/3ehlWOU9Hl73KkPjOMVMC21gt9dmFF9KINW1FQr7qrzW+x30rY6yTK4:A0X3IWbXPjObC9CFAArmGm3U0KFK/j

Score

10^/10

zgrat execution rat

Malware Config

Signatures

Detect ZGRat V1 32 IoCs

resource	yara_rule
behavioral1/memory/2528-30-0x000000001BBC0000-0x000000001BF4E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-34-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-32-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-58-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-60-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-72-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-90-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-88-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-86-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-84-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-82-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-80-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-78-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-76-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-74-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-70-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-68-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-66-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-64-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-62-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-50-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-48-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-46-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-44-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-42-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-40-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-38-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-56-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-54-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-52-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-36-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1
behavioral1/memory/2528-31-0x000000001BBC0000-0x000000001BF47000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	956	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	956	schtasks.exe	31

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
1268	powershell.exe
988	powershell.exe
2236	powershell.exe
2900	powershell.exe
2908	powershell.exe
2452	powershell.exe
356	powershell.exe
2016	powershell.exe
2164	powershell.exe
1004	powershell.exe
1772	powershell.exe
1984	powershell.exe
2432	powershell.exe
2008	powershell.exe
1096	powershell.exe
1532	powershell.exe
1736	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1632	Province Hacks.exe
2524	Logger.exe
2528	1.exe
2448	System.exe

Loads dropped DLL 5 IoCs

pid	Process
1728	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
1728	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
1632	Province Hacks.exe
1632	Province Hacks.exe
2524	Logger.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe	1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\7a0fd90576e088	1.exe
File created	C:\Program Files (x86)\Google\sppsvc.exe	1.exe
File created	C:\Program Files (x86)\Google\0a1fd5f707cd16	1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe	1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteDesktops\27d1bcfc3c54e0	1.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\System.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
884	schtasks.exe
2572	schtasks.exe
1636	schtasks.exe
2852	schtasks.exe
1352	schtasks.exe
2716	schtasks.exe
2232	schtasks.exe
1988	schtasks.exe
240	schtasks.exe
2276	schtasks.exe
1408	schtasks.exe
1648	schtasks.exe
2984	schtasks.exe
3040	schtasks.exe
1600	schtasks.exe
560	schtasks.exe
2648	schtasks.exe
2348	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2332	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe
2528	1.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	1.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2448	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1632	1728	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 1728 wrote to memory of 1632	1728	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 1728 wrote to memory of 1632	1728	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 1728 wrote to memory of 1632	1728	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	28
PID 1632 wrote to memory of 2524	1632	Province Hacks.exe	29
PID 1632 wrote to memory of 2524	1632	Province Hacks.exe	29
PID 1632 wrote to memory of 2524	1632	Province Hacks.exe	29
PID 1632 wrote to memory of 2524	1632	Province Hacks.exe	29
PID 2524 wrote to memory of 2528	2524	Logger.exe	30
PID 2524 wrote to memory of 2528	2524	Logger.exe	30
PID 2524 wrote to memory of 2528	2524	Logger.exe	30
PID 2524 wrote to memory of 2528	2524	Logger.exe	30
PID 2528 wrote to memory of 1736	2528	1.exe	50
PID 2528 wrote to memory of 1736	2528	1.exe	50
PID 2528 wrote to memory of 1736	2528	1.exe	50
PID 2528 wrote to memory of 988	2528	1.exe	51
PID 2528 wrote to memory of 988	2528	1.exe	51
PID 2528 wrote to memory of 988	2528	1.exe	51
PID 2528 wrote to memory of 1532	2528	1.exe	52
PID 2528 wrote to memory of 1532	2528	1.exe	52
PID 2528 wrote to memory of 1532	2528	1.exe	52
PID 2528 wrote to memory of 1268	2528	1.exe	53
PID 2528 wrote to memory of 1268	2528	1.exe	53
PID 2528 wrote to memory of 1268	2528	1.exe	53
PID 2528 wrote to memory of 356	2528	1.exe	55
PID 2528 wrote to memory of 356	2528	1.exe	55
PID 2528 wrote to memory of 356	2528	1.exe	55
PID 2528 wrote to memory of 1004	2528	1.exe	56
PID 2528 wrote to memory of 1004	2528	1.exe	56
PID 2528 wrote to memory of 1004	2528	1.exe	56
PID 2528 wrote to memory of 2452	2528	1.exe	59
PID 2528 wrote to memory of 2452	2528	1.exe	59
PID 2528 wrote to memory of 2452	2528	1.exe	59
PID 2528 wrote to memory of 2160	2528	1.exe	60
PID 2528 wrote to memory of 2160	2528	1.exe	60
PID 2528 wrote to memory of 2160	2528	1.exe	60
PID 2528 wrote to memory of 2164	2528	1.exe	61
PID 2528 wrote to memory of 2164	2528	1.exe	61
PID 2528 wrote to memory of 2164	2528	1.exe	61
PID 2528 wrote to memory of 2016	2528	1.exe	62
PID 2528 wrote to memory of 2016	2528	1.exe	62
PID 2528 wrote to memory of 2016	2528	1.exe	62
PID 2528 wrote to memory of 1096	2528	1.exe	63
PID 2528 wrote to memory of 1096	2528	1.exe	63
PID 2528 wrote to memory of 1096	2528	1.exe	63
PID 2528 wrote to memory of 2008	2528	1.exe	64
PID 2528 wrote to memory of 2008	2528	1.exe	64
PID 2528 wrote to memory of 2008	2528	1.exe	64
PID 2528 wrote to memory of 2432	2528	1.exe	65
PID 2528 wrote to memory of 2432	2528	1.exe	65
PID 2528 wrote to memory of 2432	2528	1.exe	65
PID 2528 wrote to memory of 2908	2528	1.exe	67
PID 2528 wrote to memory of 2908	2528	1.exe	67
PID 2528 wrote to memory of 2908	2528	1.exe	67
PID 2528 wrote to memory of 2900	2528	1.exe	68
PID 2528 wrote to memory of 2900	2528	1.exe	68
PID 2528 wrote to memory of 2900	2528	1.exe	68
PID 2528 wrote to memory of 2236	2528	1.exe	69
PID 2528 wrote to memory of 2236	2528	1.exe	69
PID 2528 wrote to memory of 2236	2528	1.exe	69
PID 2528 wrote to memory of 1984	2528	1.exe	70
PID 2528 wrote to memory of 1984	2528	1.exe	70
PID 2528 wrote to memory of 1984	2528	1.exe	70
PID 2528 wrote to memory of 1772	2528	1.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
"C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe
  "C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\Logger.exe
    "C:\Users\Admin\AppData\Local\Temp\Logger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iDgefZRDNx.bat"
        5⤵
        
        PID:1504
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1020
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2332
      - C:\Windows\RemotePackages\RemoteDesktops\System.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteDesktops\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iDgefZRDNx.bat

Filesize
179B

MD5
3445c4e80575e50a9c1711bbb9ac17a4

SHA1
a06a43a639c766c8ba496e8f34054de60b183587

SHA256
d7a9a36f0885357bc6d3cf03d30934519e6079dabf8c3709fd725f6900021ca4

SHA512
bbd872940d0b93075bf0be62cbd78708b1bd26bd614a6fd0da2669de6f9200ed9ce8002bb11e014990f268dedb205902e3d7d078e7497204358a458b63ba37e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3fc27081da6347d495d4cd5ce3cf253c

SHA1
277898117bca2bbc2303efeaf8f0c84270bb6b32

SHA256
72f85fb2d8a0bbddbcd05be0b8a6136d69040a1df265cb6edf4f63ba8b71d34d

SHA512
b5fef28b38c077aacf5c1a48ddae4f366f17ae006994c674192e8b6d5c985c3d224c9beb41823eb5d1214490834d25d3de07913e31333a61af2f2a84c72e630e

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe

Filesize
6.3MB

MD5
4e2c3489ec26807d69f9171479886188

SHA1
40f8c57e6918d1626177810c6f1b5a65d9bf93d1

SHA256
33466d0c92e0fb64d98b89ca503976b86cfd5400c387aeb9dd66f096b4c14ca9

SHA512
0ed949039d77b4777f8da9ede1e245b22759fa2bd86ec90692c216263a27693264f926ad256336a8b4e2e688c05deb4790ba0a2799479213a9cb9960787f0d3e

Download Submit
\Users\Admin\AppData\Local\Temp\Logger.exe

Filesize
6.6MB

MD5
48bfaeb0285f1b090cbf09e2feb6ad10

SHA1
67d25ecce37f5a70ec950758351e81593b99ed05

SHA256
d8c19254251b41d6f815582ba4c018994cae3bdf3677e198a88138a43aaaf15e

SHA512
f8f19c480a72dcb1a88585a94c95767dfdaab0320aafd46f61309385fd9f7e68a8b392801ab243e7c545f43cd9e23366aa94814a05d9f9a0b604c22ab81ad08d

Download Submit
\Users\Admin\AppData\Local\Temp\Province Hacks.exe

Filesize
6.9MB

MD5
d22490055518bbf8d44579a00453da46

SHA1
d738768635f9646c71b98befc3bf2a4c9f5c29e3

SHA256
ee2c37126091fa67a5b5abbf7ac2a4271514ec7620aef87b34d42e80c576cd0a

SHA512
ecdd5baf602b3e9e59f15b47ad3925026568be9fdf1d384cc3dbae2b292abbf1878cbd1f919cf680442c65a9299c3496d9f03fed8b8504ba34f805e5ef984f08

Download Submit
memory/1004-3734-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1632-21-0x0000000000400000-0x0000000000AF3000-memory.dmp

Filesize
6.9MB

Download
memory/1728-9-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/2448-3738-0x00000000001D0000-0x0000000000820000-memory.dmp

Filesize
6.3MB

Download
memory/2452-3733-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2524-27-0x0000000000400000-0x0000000000A98000-memory.dmp

Filesize
6.6MB

Download
memory/2528-46-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-54-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-58-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-60-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-72-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-90-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-88-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-86-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-84-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-82-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-80-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-78-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-76-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-74-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-70-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-68-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-66-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-64-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-62-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-50-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-48-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-34-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-44-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-42-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-40-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-38-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-56-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-32-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-52-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-36-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-31-0x000000001BBC0000-0x000000001BF47000-memory.dmp

Filesize
3.5MB

Download
memory/2528-3588-0x0000000000C20000-0x0000000000C46000-memory.dmp

Filesize
152KB

Download
memory/2528-3592-0x0000000002620000-0x000000000263C000-memory.dmp

Filesize
112KB

Download
memory/2528-3590-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/2528-3594-0x0000000000C00000-0x0000000000C10000-memory.dmp

Filesize
64KB

Download
memory/2528-3600-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/2528-3598-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/2528-3602-0x0000000002660000-0x000000000266E000-memory.dmp

Filesize
56KB

Download
memory/2528-3604-0x0000000002690000-0x00000000026A2000-memory.dmp

Filesize
72KB

Download
memory/2528-3606-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/2528-3610-0x0000000002780000-0x0000000002792000-memory.dmp

Filesize
72KB

Download
memory/2528-3608-0x0000000002760000-0x0000000002776000-memory.dmp

Filesize
88KB

Download
memory/2528-3612-0x0000000002680000-0x000000000268E000-memory.dmp

Filesize
56KB

Download
memory/2528-3596-0x0000000002640000-0x0000000002658000-memory.dmp

Filesize
96KB

Download
memory/2528-3614-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/2528-3616-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/2528-3618-0x000000001B740000-0x000000001B79A000-memory.dmp

Filesize
360KB

Download
memory/2528-3620-0x00000000026D0000-0x00000000026DE000-memory.dmp

Filesize
56KB

Download
memory/2528-3622-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/2528-3624-0x00000000027B0000-0x00000000027BE000-memory.dmp

Filesize
56KB

Download
memory/2528-30-0x000000001BBC0000-0x000000001BF4E000-memory.dmp

Filesize
3.6MB

Download
memory/2528-29-0x0000000000220000-0x0000000000870000-memory.dmp

Filesize
6.3MB

Download
memory/2528-3628-0x00000000027C0000-0x00000000027CC000-memory.dmp

Filesize
48KB

Download
memory/2528-3630-0x000000001C0A0000-0x000000001C0EE000-memory.dmp

Filesize
312KB

Download
memory/2528-3626-0x00000000027E0000-0x00000000027F8000-memory.dmp

Filesize
96KB

Download