zgrat | 81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Size

1.8MB
MD5

15b75648ad8160565cfd4008ae223ce0
SHA1

2800a25191362b57c9762c74fc668960f11937bc
SHA256

81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d
SHA512

25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b
SSDEEP

24576:pRr3fEcKSoIu4cMlay9GvZsk8ynlK01Pi5LO1K4Bb/8GeAyb1L5ZXMUJcapQKS3L:TAUpQ8yU26a1KU8ZAyb15ea61pFWcig

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/2840-1-0x00000000004C0000-0x000000000069A000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000a000000023bb6-26.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\unsecapp.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\", \"C:\\Windows\\Fonts\\sppsvc.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\unsecapp.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\15b75648ad8160565cfd4008ae223ce0_NEAS.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4728	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	4728	schtasks.exe	84

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows NT\\TableTextService\\unsecapp.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\VideoLAN\\VLC\\explorer.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15b75648ad8160565cfd4008ae223ce0_NEAS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\15b75648ad8160565cfd4008ae223ce0_NEAS.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\InputMethod\\SHARED\\spoolsv.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files\\Windows NT\\TableTextService\\unsecapp.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Windows Multimedia Platform\\backgroundTaskHost.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15b75648ad8160565cfd4008ae223ce0_NEAS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\15b75648ad8160565cfd4008ae223ce0_NEAS.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Fonts\\sppsvc.exe\""	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB72BB3FA18964763848DC6D07298CB20.TMP	csc.exe
File created	\??\c:\Windows\System32\ja7kri.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\eddb19405b7ce1	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Program Files\Windows NT\TableTextService\unsecapp.exe	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Program Files\Windows NT\TableTextService\29c1c3cc0f7685	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Program Files\VideoLAN\VLC\explorer.exe	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\explorer.exe	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Program Files\VideoLAN\VLC\7a0fd90576e088	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\SHARED\spoolsv.exe	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Windows\InputMethod\SHARED\f3b6ecef712a24	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Windows\Fonts\sppsvc.exe	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
File created	C:\Windows\Fonts\0a1fd5f707cd16	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2424	schtasks.exe
4576	schtasks.exe
3372	schtasks.exe
4580	schtasks.exe
1376	schtasks.exe
5028	schtasks.exe
3628	schtasks.exe
4436	schtasks.exe
3700	schtasks.exe
3752	schtasks.exe
4060	schtasks.exe
1536	schtasks.exe
3268	schtasks.exe
1956	schtasks.exe
4424	schtasks.exe
2956	schtasks.exe
4056	schtasks.exe
1936	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
668	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe
Token: SeDebugPrivilege	3340	15b75648ad8160565cfd4008ae223ce0_NEAS.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3792	2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe	90
PID 2840 wrote to memory of 3792	2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe	90
PID 3792 wrote to memory of 1352	3792	csc.exe	92
PID 3792 wrote to memory of 1352	3792	csc.exe	92
PID 2840 wrote to memory of 748	2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe	110
PID 2840 wrote to memory of 748	2840	15b75648ad8160565cfd4008ae223ce0_NEAS.exe	110
PID 748 wrote to memory of 4716	748	cmd.exe	112
PID 748 wrote to memory of 4716	748	cmd.exe	112
PID 748 wrote to memory of 668	748	cmd.exe	113
PID 748 wrote to memory of 668	748	cmd.exe	113
PID 748 wrote to memory of 3340	748	cmd.exe	121
PID 748 wrote to memory of 3340	748	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0_NEAS.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5yfeefps\5yfeefps.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5023.tmp" "c:\Windows\System32\CSCB72BB3FA18964763848DC6D07298CB20.TMP"
    3⤵
    PID:1352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h93xI98vrm.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4716
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0_NEAS.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\SHARED\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\InputMethod\SHARED\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "15b75648ad8160565cfd4008ae223ce0_NEAS1" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0_NEAS.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "15b75648ad8160565cfd4008ae223ce0_NEAS" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0_NEAS.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "15b75648ad8160565cfd4008ae223ce0_NEAS1" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\15b75648ad8160565cfd4008ae223ce0_NEAS.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\15b75648ad8160565cfd4008ae223ce0_NEAS.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5023.tmp

Filesize
1KB

MD5
e5bd34ddb60aa347c03effdabc9817b7

SHA1
fce010ec582c37e30bc346edea61273d809bf672

SHA256
3585e88db6f7f89cedcf79feb8824a3f2e887733d9bb9da78528b96236d8ff11

SHA512
312a82a595ee211150c706eff616d96a570333109b2b219bd18cf89bc72abf74a5c7d6220a05818aae5f92229502d18023d6779baa40b92be8650a2140e9454e

Download Submit
C:\Users\Admin\AppData\Local\Temp\h93xI98vrm.bat

Filesize
203B

MD5
42c4dfd0c99e6e81237808e8f99e3230

SHA1
6cc3b6fade3a8445ae6e213b322830ac78b3ec80

SHA256
924a017bb2e65adfc7f41dbacfe4f2ed1c78c0bec79ac360fc4250abc839cb36

SHA512
2fba9ae18879549dfb589f8a2af74aae00f8565b8c1012260c6b6eae67b822219de59fb8a2cd675c7b80074009e58bec204b93b4022c30bc33bb2e2178bf4fef

Download Submit
C:\Windows\InputMethod\SHARED\spoolsv.exe

Filesize
1.8MB

MD5
15b75648ad8160565cfd4008ae223ce0

SHA1
2800a25191362b57c9762c74fc668960f11937bc

SHA256
81e18d35c83b04e7ee6288294cdfc7ef57af3c44d44788a21577e808b3a99a9d

SHA512
25eb48fd2ea9a2781b6ed82ebc00b6d4df2ddbe57dee366dd39f67f8dcf9c02cf675c9578b11057d07ae0c6d8cc65371971f51df8eac27cc36e0e27d42bc9b0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5yfeefps\5yfeefps.0.cs

Filesize
373B

MD5
106083bbed95720c4da478160a311ca8

SHA1
83bbaeaea302378de2e12fbceecd9ecea857e355

SHA256
70b98c59517f5992f518e67dafd0e48d51177f42a329354c6a90dd39fb8612e4

SHA512
68ddffeebc2ec6d9cafa87f9132cfaa9130b3358c4d1ebb52f925710d3dd59d863a354aa7bfeb3f8f1cd11265470e0e92b5d18fdff105d254e03178c5de94f36

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5yfeefps\5yfeefps.cmdline

Filesize
235B

MD5
46629d5773a24c207c538ad697bd5e85

SHA1
9a47e60c82061cb5e0b1af2c21c719b61a380ee6

SHA256
3bcea34c7586c5546f001f66eaa4540d1af6ac3a675e77e575cddca293b8363f

SHA512
16e1513d9fafac6a9b2144c4eb3b9f2a30ed9560dd30046f3654b8ac41c748b1ede1c17be0bf8a37eefdbdebb8a6aa549d02958f009b04e5b7090d1953e954b5

Download Submit
\??\c:\Windows\System32\CSCB72BB3FA18964763848DC6D07298CB20.TMP

Filesize
1KB

MD5
c39f312a5cba8a420c1a93bbab328edc

SHA1
20dabcad44082ed54949c50dd2e8a4178a046340

SHA256
2077b880e475632b0638001558cbdff81982b820fcfd7bcde8d688730f432e9e

SHA512
8818d4fe55a0ee022100fa73b6a2248c35ab775cf14292353f3d1a0c3c3f91021b00c56c7787184373aaf595b4833b1963fe9814e85b65cba6c989bbe2d29038

Download Submit
memory/2840-13-0x0000000002910000-0x0000000002928000-memory.dmp

Filesize
96KB

Download
memory/2840-28-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-11-0x000000001B6E0000-0x000000001B730000-memory.dmp

Filesize
320KB

Download
memory/2840-1-0x00000000004C0000-0x000000000069A000-memory.dmp

Filesize
1.9MB

Download
memory/2840-15-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/2840-16-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-7-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-10-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-29-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-9-0x00000000028F0000-0x000000000290C000-memory.dmp

Filesize
112KB

Download
memory/2840-6-0x0000000000FF0000-0x0000000000FFE000-memory.dmp

Filesize
56KB

Download
memory/2840-4-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-3-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-47-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-2-0x00007FFF58F10000-0x00007FFF599D1000-memory.dmp

Filesize
10.8MB

Download
memory/2840-0-0x00007FFF58F13000-0x00007FFF58F15000-memory.dmp

Filesize
8KB

Download