zgrat | d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

Analysis

max time kernel
117s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Size

1.9MB
MD5

1d61e62339d38ca2a129710265c26a89
SHA1

185c34e0d555ac3fdf7fefd1732409e65b6aedaf
SHA256

d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a
SHA512

0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b
SSDEEP

49152:RSRQ8nF3T6S2cvvSiHWxuvF3VPL5/zKAG:RS+AlTK/G9VPBe

Score

10^/10

zgrat execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/2304-1-0x0000000000BB0000-0x0000000000D96000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000014826-30.dat	family_zgrat_v1
behavioral1/memory/2872-140-0x0000000000960000-0x0000000000B46000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\", \"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2688	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2688	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1888	powershell.exe
2016	powershell.exe
2068	powershell.exe
1884	powershell.exe
392	powershell.exe
2392	powershell.exe
268	powershell.exe
604	powershell.exe
1568	powershell.exe
1992	powershell.exe
1668	powershell.exe
1412	powershell.exe
648	powershell.exe
592	powershell.exe
1140	powershell.exe
2268	powershell.exe
2080	powershell.exe
1956	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2872	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\dllhost.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\services.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\audiodg.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Internet Explorer\\images\\lsass.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCC7342BD0AB83449798BDF4D7E673BB8.TMP	csc.exe
File created	\??\c:\Windows\System32\ickr0a.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\images\lsass.exe	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Program Files\Internet Explorer\images\6203df4a6bafc7	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Program Files\Internet Explorer\images\lsass.exe	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2824	schtasks.exe
1328	schtasks.exe
1488	schtasks.exe
1512	schtasks.exe
2580	schtasks.exe
1540	schtasks.exe
3008	schtasks.exe
2940	schtasks.exe
2672	schtasks.exe
1868	schtasks.exe
2412	schtasks.exe
2664	schtasks.exe
2796	schtasks.exe
2768	schtasks.exe
2436	schtasks.exe
1904	schtasks.exe
1224	schtasks.exe
1364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2872	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2432	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	32
PID 2304 wrote to memory of 2432	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	32
PID 2304 wrote to memory of 2432	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	32
PID 2432 wrote to memory of 2964	2432	csc.exe	34
PID 2432 wrote to memory of 2964	2432	csc.exe	34
PID 2432 wrote to memory of 2964	2432	csc.exe	34
PID 2304 wrote to memory of 2068	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	50
PID 2304 wrote to memory of 2068	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	50
PID 2304 wrote to memory of 2068	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	50
PID 2304 wrote to memory of 1956	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	51
PID 2304 wrote to memory of 1956	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	51
PID 2304 wrote to memory of 1956	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	51
PID 2304 wrote to memory of 1992	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	53
PID 2304 wrote to memory of 1992	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	53
PID 2304 wrote to memory of 1992	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	53
PID 2304 wrote to memory of 2080	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	54
PID 2304 wrote to memory of 2080	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	54
PID 2304 wrote to memory of 2080	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	54
PID 2304 wrote to memory of 2268	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	55
PID 2304 wrote to memory of 2268	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	55
PID 2304 wrote to memory of 2268	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	55
PID 2304 wrote to memory of 1668	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	56
PID 2304 wrote to memory of 1668	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	56
PID 2304 wrote to memory of 1668	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	56
PID 2304 wrote to memory of 2016	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	57
PID 2304 wrote to memory of 2016	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	57
PID 2304 wrote to memory of 2016	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	57
PID 2304 wrote to memory of 1884	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	60
PID 2304 wrote to memory of 1884	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	60
PID 2304 wrote to memory of 1884	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	60
PID 2304 wrote to memory of 1888	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	61
PID 2304 wrote to memory of 1888	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	61
PID 2304 wrote to memory of 1888	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	61
PID 2304 wrote to memory of 1568	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	62
PID 2304 wrote to memory of 1568	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	62
PID 2304 wrote to memory of 1568	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	62
PID 2304 wrote to memory of 392	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	65
PID 2304 wrote to memory of 392	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	65
PID 2304 wrote to memory of 392	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	65
PID 2304 wrote to memory of 604	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	66
PID 2304 wrote to memory of 604	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	66
PID 2304 wrote to memory of 604	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	66
PID 2304 wrote to memory of 268	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	67
PID 2304 wrote to memory of 268	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	67
PID 2304 wrote to memory of 268	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	67
PID 2304 wrote to memory of 1140	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	69
PID 2304 wrote to memory of 1140	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	69
PID 2304 wrote to memory of 1140	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	69
PID 2304 wrote to memory of 592	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	70
PID 2304 wrote to memory of 592	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	70
PID 2304 wrote to memory of 592	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	70
PID 2304 wrote to memory of 648	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	71
PID 2304 wrote to memory of 648	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	71
PID 2304 wrote to memory of 648	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	71
PID 2304 wrote to memory of 1412	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	72
PID 2304 wrote to memory of 1412	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	72
PID 2304 wrote to memory of 1412	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	72
PID 2304 wrote to memory of 2392	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	73
PID 2304 wrote to memory of 2392	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	73
PID 2304 wrote to memory of 2392	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	73
PID 2304 wrote to memory of 2888	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	86
PID 2304 wrote to memory of 2888	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	86
PID 2304 wrote to memory of 2888	2304	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	86
PID 2888 wrote to memory of 2488	2888	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
"C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tctylovi\tctylovi.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1767.tmp" "c:\Windows\System32\CSCC7342BD0AB83449798BDF4D7E673BB8.TMP"
    3⤵
    PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1O6MylLMzZ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2488
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1464
- - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe

Filesize
1.9MB

MD5
1d61e62339d38ca2a129710265c26a89

SHA1
185c34e0d555ac3fdf7fefd1732409e65b6aedaf

SHA256
d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

SHA512
0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1O6MylLMzZ.bat

Filesize
251B

MD5
61407c5babd2742b2cd0b33f36ea3377

SHA1
54ab354b8d5562c0f9416e95fc6dd2678e76e51d

SHA256
d3020412577b3bd3a94cfadd62a741590a11c09bc2bd0bdc63b0c3b7849e2dd0

SHA512
1b3d27ab69b38e21b97c9a1cbcfced141cbd807e147d3b090d9c0f7bf244a02e7f279aa10d1edce7c728f64ece8365d24530d4ee2c5ab5d15e6d6ccb9ba356ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1767.tmp

Filesize
1KB

MD5
134d2929e5653c4dbe3d324d5afddf5b

SHA1
031492bafd5ce3987577548a75eaa223d2498641

SHA256
1fcb0f4805c33dd9fd87b80e0de9edb5a7a90b428692061a04b2266cb4814fae

SHA512
433cdc242f0acbf4bdbc2d05fd005a269d3eaf69c93fc78e30162d4abc974c64c3b2237b5a85bd8659a8c8b9fdd5017edbd46ffd8bb807feb424b217c4f9ce6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A6UWJY0TVQXFKUFNOTNF.temp

Filesize
7KB

MD5
fbbcf1d6a8ee55636f119571bdfea06a

SHA1
f13590fd03ad6558eace642d481cb7c800ffac80

SHA256
84d0e63e65ceab0b00a98a4cd35e86ab4b851f5224cee44acc99488888e3b9b3

SHA512
835e994c4997e30382150ea17ebca18ff6e44129113ca03e42763f99859bb313b6aa206141d30a1bb0c87970e8d75dc9a550df6105264803ffb11052c2b42fa4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tctylovi\tctylovi.0.cs

Filesize
399B

MD5
d433f57cb16fad1de3e65a1a3d19a02a

SHA1
a386469d2b4bbcbbdc2b41bbe8a152dc106f5766

SHA256
785659ebfc0aad23778467b5cdd0b91b657231cb89f5ce9403cc424c577cd36f

SHA512
aae8e4efc86da92c264bf55bbf47c70bfe19051f85342e7ca049a4daed545dedb8bb7a581cb86a7f159498dfe94352d9fbf16ff20b5d0136e26a63082e426f98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tctylovi\tctylovi.cmdline

Filesize
235B

MD5
884f38b3a0cd76b4dbbf1d3db3395d0e

SHA1
94d70a14e3168d693fe2451c4f402779d95eeda0

SHA256
a6ea1498937116cebfedf78310a40535d3f3d20e462d4c308c69fbf04b26d505

SHA512
49c5fb3d8d3f095e31dd3671a523fa2d7bd93fd4719b6b01de8a6d9018d87f03949c3230c37bec539141848aeeccd84bbe6e1dc4a46a3811aa5b5d7ff033aa05

Download Submit
\??\c:\Windows\System32\CSCC7342BD0AB83449798BDF4D7E673BB8.TMP

Filesize
1KB

MD5
3ffa0b85adc175bc535d5b61b093b6a5

SHA1
7fa7715f9f18aa1d9edc45935ca867602fa37894

SHA256
f05ea17245f2e54aa3b2a0a8ede3f86af5fb4e4f0cf0a6aa69c4e95103304d46

SHA512
d1034200ad1232d7e36d3d867e701357c9eb8e8ad063743deceb563b24eb099e6ea660e38099cf161c12c97fe11cf6b044a31846949d63d4a121f1692c9e6fde

Download Submit
memory/392-56-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/392-60-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/2304-9-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-8-0x0000000000B60000-0x0000000000B7C000-memory.dmp

Filesize
112KB

Download
memory/2304-16-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2304-14-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-21-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-13-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/2304-11-0x0000000000B80000-0x0000000000B98000-memory.dmp

Filesize
96KB

Download
memory/2304-19-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-18-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-17-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2304-6-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/2304-4-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-3-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-48-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2304-1-0x0000000000BB0000-0x0000000000D96000-memory.dmp

Filesize
1.9MB

Download
memory/2872-140-0x0000000000960000-0x0000000000B46000-memory.dmp

Filesize
1.9MB

Download