zgrat | 7828b918927842de36e6b7b4155325e08b1b8f8a50c3a6feaee2bac4883c86d7

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
Size

7.2MB
MD5

5446af14bfb2bf63ec1b409a0752f2bb
SHA1

2d0ed53f2bab261a09e50e35b95f896ddf6dd688
SHA256

61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434
SHA512

3f96ff6656d7937fe3be66688c5559a238be9e0277373dd8a325f2e36fbd50095285ae8da8db0b59f0706b9514bdf54f2f66da81caf4d2818b9c9d20d5cff436
SSDEEP

49152:OSa5+lvH/3ehlWOU9Hl73KkPjOMVMC21gt9dmFF9KINW1FQr7qrzW+x30rY6yTK4:A0X3IWbXPjObC9CFAArmGm3U0KFK/j

Score

10^/10

zgrat execution rat

Malware Config

Signatures

Detect ZGRat V1 32 IoCs

resource	yara_rule
behavioral2/memory/3848-36-0x000000001BE90000-0x000000001C21E000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-37-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-64-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-70-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-86-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-96-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-94-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-92-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-90-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-88-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-84-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-82-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-78-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-74-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-72-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-68-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-66-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-80-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-76-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-62-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-58-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-56-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-54-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-52-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-50-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-48-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-46-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-44-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-42-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-60-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-40-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1
behavioral2/memory/3848-38-0x000000001BE90000-0x000000001C217000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2616	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2616	schtasks.exe	94

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4972	powershell.exe
1792	powershell.exe
2220	powershell.exe
2004	powershell.exe
3232	powershell.exe
1120	powershell.exe
5068	powershell.exe
3444	powershell.exe
4484	powershell.exe
3388	powershell.exe
2604	powershell.exe
3976	powershell.exe
428	powershell.exe
4828	powershell.exe
1368	powershell.exe
1328	powershell.exe
3616	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	Province Hacks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	Logger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 4 IoCs

pid	Process
1360	Province Hacks.exe
1560	Logger.exe
3848	1.exe
5932	dwm.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe	1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\29c1c3cc0f7685	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
664	schtasks.exe
4764	schtasks.exe
3120	schtasks.exe
3644	schtasks.exe
3484	schtasks.exe
4404	schtasks.exe
3352	schtasks.exe
4452	schtasks.exe
4004	schtasks.exe
5088	schtasks.exe
4824	schtasks.exe
5048	schtasks.exe
1808	schtasks.exe
2140	schtasks.exe
1892	schtasks.exe
2680	schtasks.exe
3776	schtasks.exe
2148	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe
3848	1.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3848	1.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	5932	dwm.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1360	1716	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	84
PID 1716 wrote to memory of 1360	1716	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	84
PID 1716 wrote to memory of 1360	1716	61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe	84
PID 1360 wrote to memory of 1560	1360	Province Hacks.exe	85
PID 1360 wrote to memory of 1560	1360	Province Hacks.exe	85
PID 1360 wrote to memory of 1560	1360	Province Hacks.exe	85
PID 1560 wrote to memory of 3848	1560	Logger.exe	89
PID 1560 wrote to memory of 3848	1560	Logger.exe	89
PID 3848 wrote to memory of 1792	3848	1.exe	115
PID 3848 wrote to memory of 1792	3848	1.exe	115
PID 3848 wrote to memory of 4828	3848	1.exe	116
PID 3848 wrote to memory of 4828	3848	1.exe	116
PID 3848 wrote to memory of 3444	3848	1.exe	117
PID 3848 wrote to memory of 3444	3848	1.exe	117
PID 3848 wrote to memory of 2220	3848	1.exe	118
PID 3848 wrote to memory of 2220	3848	1.exe	118
PID 3848 wrote to memory of 4484	3848	1.exe	119
PID 3848 wrote to memory of 4484	3848	1.exe	119
PID 3848 wrote to memory of 3388	3848	1.exe	120
PID 3848 wrote to memory of 3388	3848	1.exe	120
PID 3848 wrote to memory of 2004	3848	1.exe	121
PID 3848 wrote to memory of 2004	3848	1.exe	121
PID 3848 wrote to memory of 2604	3848	1.exe	122
PID 3848 wrote to memory of 2604	3848	1.exe	122
PID 3848 wrote to memory of 1368	3848	1.exe	123
PID 3848 wrote to memory of 1368	3848	1.exe	123
PID 3848 wrote to memory of 1328	3848	1.exe	124
PID 3848 wrote to memory of 1328	3848	1.exe	124
PID 3848 wrote to memory of 3232	3848	1.exe	125
PID 3848 wrote to memory of 3232	3848	1.exe	125
PID 3848 wrote to memory of 1120	3848	1.exe	126
PID 3848 wrote to memory of 1120	3848	1.exe	126
PID 3848 wrote to memory of 3616	3848	1.exe	127
PID 3848 wrote to memory of 3616	3848	1.exe	127
PID 3848 wrote to memory of 5068	3848	1.exe	128
PID 3848 wrote to memory of 5068	3848	1.exe	128
PID 3848 wrote to memory of 3976	3848	1.exe	129
PID 3848 wrote to memory of 3976	3848	1.exe	129
PID 3848 wrote to memory of 428	3848	1.exe	136
PID 3848 wrote to memory of 428	3848	1.exe	136
PID 3848 wrote to memory of 4972	3848	1.exe	137
PID 3848 wrote to memory of 4972	3848	1.exe	137
PID 3848 wrote to memory of 1724	3848	1.exe	148
PID 3848 wrote to memory of 1724	3848	1.exe	148
PID 1724 wrote to memory of 5984	1724	cmd.exe	151
PID 1724 wrote to memory of 5984	1724	cmd.exe	151
PID 1724 wrote to memory of 5396	1724	cmd.exe	153
PID 1724 wrote to memory of 5396	1724	cmd.exe	153
PID 1724 wrote to memory of 5932	1724	cmd.exe	157
PID 1724 wrote to memory of 5932	1724	cmd.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe
"C:\Users\Admin\AppData\Local\Temp\61c51c7ab209978d127693a8837c3fb65f16a8315d511aa84e0b8c9129afc434.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe
  "C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\Logger.exe
    "C:\Users\Admin\AppData\Local\Temp\Logger.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SIHClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vqQwsWxx7D.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5396
      - C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ssh\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\ssh\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SIHClient.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
6.3MB

MD5
4e2c3489ec26807d69f9171479886188

SHA1
40f8c57e6918d1626177810c6f1b5a65d9bf93d1

SHA256
33466d0c92e0fb64d98b89ca503976b86cfd5400c387aeb9dd66f096b4c14ca9

SHA512
0ed949039d77b4777f8da9ede1e245b22759fa2bd86ec90692c216263a27693264f926ad256336a8b4e2e688c05deb4790ba0a2799479213a9cb9960787f0d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logger.exe

Filesize
6.6MB

MD5
48bfaeb0285f1b090cbf09e2feb6ad10

SHA1
67d25ecce37f5a70ec950758351e81593b99ed05

SHA256
d8c19254251b41d6f815582ba4c018994cae3bdf3677e198a88138a43aaaf15e

SHA512
f8f19c480a72dcb1a88585a94c95767dfdaab0320aafd46f61309385fd9f7e68a8b392801ab243e7c545f43cd9e23366aa94814a05d9f9a0b604c22ab81ad08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Province Hacks.exe

Filesize
6.9MB

MD5
d22490055518bbf8d44579a00453da46

SHA1
d738768635f9646c71b98befc3bf2a4c9f5c29e3

SHA256
ee2c37126091fa67a5b5abbf7ac2a4271514ec7620aef87b34d42e80c576cd0a

SHA512
ecdd5baf602b3e9e59f15b47ad3925026568be9fdf1d384cc3dbae2b292abbf1878cbd1f919cf680442c65a9299c3496d9f03fed8b8504ba34f805e5ef984f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xt2qylo0.ckk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqQwsWxx7D.bat

Filesize
255B

MD5
637ce06034b0f139335db9af199e3078

SHA1
8b7848b64cc93baffd429970d3beb45744ae05cc

SHA256
b22c8eb0a243d351c38ef49ac2236fe47501323040113085e984358f45b83a91

SHA512
c6406241013f80824cf07c9b5cb272e9172e50b8dbf6aecff3bff57a0583e28040d39b5bcd4d2c07d93fa848251533df0ee3ad200f99bb2dc46ab364ee7c40bf

Download Submit
memory/1360-23-0x0000000000400000-0x0000000000AF3000-memory.dmp

Filesize
6.9MB

Download
memory/1560-34-0x0000000000400000-0x0000000000A98000-memory.dmp

Filesize
6.6MB

Download
memory/1716-10-0x0000000000400000-0x0000000000B37000-memory.dmp

Filesize
7.2MB

Download
memory/3848-44-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-3603-0x000000001C340000-0x000000001C358000-memory.dmp

Filesize
96KB

Download
memory/3848-84-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-82-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-78-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-74-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-72-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-68-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-66-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-80-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-76-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-62-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-58-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-56-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-54-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-52-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-50-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-48-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-46-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-90-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-42-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-60-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-40-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-38-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-3594-0x0000000003170000-0x0000000003196000-memory.dmp

Filesize
152KB

Download
memory/3848-3596-0x0000000001880000-0x000000000188E000-memory.dmp

Filesize
56KB

Download
memory/3848-3598-0x000000001C320000-0x000000001C33C000-memory.dmp

Filesize
112KB

Download
memory/3848-3599-0x000000001C390000-0x000000001C3E0000-memory.dmp

Filesize
320KB

Download
memory/3848-3601-0x0000000001890000-0x00000000018A0000-memory.dmp

Filesize
64KB

Download
memory/3848-88-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-3605-0x00000000018A0000-0x00000000018B0000-memory.dmp

Filesize
64KB

Download
memory/3848-3607-0x00000000018B0000-0x00000000018C0000-memory.dmp

Filesize
64KB

Download
memory/3848-3609-0x00000000031A0000-0x00000000031AE000-memory.dmp

Filesize
56KB

Download
memory/3848-3611-0x000000001C3E0000-0x000000001C3F2000-memory.dmp

Filesize
72KB

Download
memory/3848-3613-0x000000001C360000-0x000000001C370000-memory.dmp

Filesize
64KB

Download
memory/3848-3615-0x000000001C420000-0x000000001C436000-memory.dmp

Filesize
88KB

Download
memory/3848-3617-0x000000001C440000-0x000000001C452000-memory.dmp

Filesize
72KB

Download
memory/3848-3618-0x000000001C990000-0x000000001CEB8000-memory.dmp

Filesize
5.2MB

Download
memory/3848-3620-0x000000001C370000-0x000000001C37E000-memory.dmp

Filesize
56KB

Download
memory/3848-3622-0x000000001C380000-0x000000001C390000-memory.dmp

Filesize
64KB

Download
memory/3848-3624-0x000000001C400000-0x000000001C410000-memory.dmp

Filesize
64KB

Download
memory/3848-3626-0x000000001C4C0000-0x000000001C51A000-memory.dmp

Filesize
360KB

Download
memory/3848-3628-0x000000001C460000-0x000000001C46E000-memory.dmp

Filesize
56KB

Download
memory/3848-3630-0x000000001C470000-0x000000001C480000-memory.dmp

Filesize
64KB

Download
memory/3848-3632-0x000000001C480000-0x000000001C48E000-memory.dmp

Filesize
56KB

Download
memory/3848-3634-0x000000001C520000-0x000000001C538000-memory.dmp

Filesize
96KB

Download
memory/3848-3636-0x000000001C490000-0x000000001C49C000-memory.dmp

Filesize
48KB

Download
memory/3848-92-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-94-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-96-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-86-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-70-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-64-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-37-0x000000001BE90000-0x000000001C217000-memory.dmp

Filesize
3.5MB

Download
memory/3848-36-0x000000001BE90000-0x000000001C21E000-memory.dmp

Filesize
3.6MB

Download
memory/3848-35-0x00000000008D0000-0x0000000000F20000-memory.dmp

Filesize
6.3MB

Download
memory/3848-3638-0x000000001C590000-0x000000001C5DE000-memory.dmp

Filesize
312KB

Download
memory/4828-3660-0x000001E2102C0000-0x000001E2102E2000-memory.dmp

Filesize
136KB

Download