zgrat | 747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Size

1.6MB
MD5

0d6496f71fd24be93348c354faf7dfa6
SHA1

47f195a3996d4e3bd051d54e879d1ae68d2ed9a0
SHA256

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9
SHA512

0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c
SSDEEP

49152:TGJ95iN4KodXZCQRBHt268KDDljKrTrv:iJ9Z3dXLrHt2nYDKX

Score

10^/10

zgrat execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 10 IoCs

resource	yara_rule
behavioral1/memory/2492-1-0x00000000000D0000-0x000000000027C000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016c23-20.dat	family_zgrat_v1
behavioral1/memory/1292-74-0x00000000003B0000-0x000000000055C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1708-83-0x0000000000360000-0x000000000050C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1040-92-0x0000000000FD0000-0x000000000117C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2836-118-0x0000000001010000-0x00000000011BC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1944-128-0x0000000000140000-0x00000000002EC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1336-137-0x00000000011A0000-0x000000000134C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2276-147-0x00000000011D0000-0x000000000137C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2384-164-0x0000000001290000-0x000000000143C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\smss.exe\", \"C:\\Windows\\Fonts\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\smss.exe\", \"C:\\Windows\\Fonts\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\smss.exe\", \"C:\\Windows\\Fonts\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\smss.exe\", \"C:\\Windows\\Fonts\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\csrss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\system\\smss.exe\", \"C:\\Windows\\Fonts\\lsass.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\csrss.exe\", \"C:\\Program Files\\Windows Portable Devices\\System.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2612	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2612	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 10 IoCs

resource	yara_rule
behavioral1/memory/2492-1-0x00000000000D0000-0x000000000027C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000016c23-20.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1292-74-0x00000000003B0000-0x000000000055C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1708-83-0x0000000000360000-0x000000000050C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1040-92-0x0000000000FD0000-0x000000000117C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2836-118-0x0000000001010000-0x00000000011BC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1944-128-0x0000000000140000-0x00000000002EC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1336-137-0x00000000011A0000-0x000000000134C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2276-147-0x00000000011D0000-0x000000000137C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2384-164-0x0000000001290000-0x000000000143C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
1596	powershell.exe
784	powershell.exe
1392	powershell.exe
1972	powershell.exe
844	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1292	smss.exe
1708	smss.exe
1040	smss.exe
1712	smss.exe
1144	smss.exe
2836	smss.exe
1944	smss.exe
1336	smss.exe
2276	smss.exe
2528	smss.exe
2384	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\system\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\system\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Fonts\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\Fonts\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Portable Devices\\System.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Internet Explorer\\csrss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Internet Explorer\\csrss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Portable Devices\\System.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC1BC708E8D9344DFAAD488C717E662F16.TMP	csc.exe
File created	\??\c:\Windows\System32\fixmxn.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\System.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files (x86)\Internet Explorer\csrss.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files (x86)\Internet Explorer\886983d96e3d3e	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system\69ddcba757bf72	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Windows\Fonts\lsass.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Windows\Fonts\6203df4a6bafc7	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Windows\system\smss.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1548	schtasks.exe
2356	schtasks.exe
2680	schtasks.exe
328	schtasks.exe
568	schtasks.exe
1828	schtasks.exe
1552	schtasks.exe
2004	schtasks.exe
916	schtasks.exe
2604	schtasks.exe
1940	schtasks.exe
1868	schtasks.exe
2232	schtasks.exe
2920	schtasks.exe
2580	schtasks.exe
1360	schtasks.exe
1728	schtasks.exe
2240	schtasks.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1760	PING.EXE
2256	PING.EXE
3012	PING.EXE
2248	PING.EXE
2488	PING.EXE
440	PING.EXE
1704	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1596	powershell.exe
844	powershell.exe
784	powershell.exe
2236	powershell.exe
1392	powershell.exe
1972	powershell.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe
1292	smss.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1292	smss.exe
Token: SeDebugPrivilege	1708	smss.exe
Token: SeDebugPrivilege	1040	smss.exe
Token: SeDebugPrivilege	1712	smss.exe
Token: SeDebugPrivilege	1144	smss.exe
Token: SeDebugPrivilege	2836	smss.exe
Token: SeDebugPrivilege	1944	smss.exe
Token: SeDebugPrivilege	1336	smss.exe
Token: SeDebugPrivilege	2276	smss.exe
Token: SeDebugPrivilege	2528	smss.exe
Token: SeDebugPrivilege	2384	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2196	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	32
PID 2492 wrote to memory of 2196	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	32
PID 2492 wrote to memory of 2196	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	32
PID 2196 wrote to memory of 1988	2196	csc.exe	34
PID 2196 wrote to memory of 1988	2196	csc.exe	34
PID 2196 wrote to memory of 1988	2196	csc.exe	34
PID 2492 wrote to memory of 2236	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	50
PID 2492 wrote to memory of 2236	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	50
PID 2492 wrote to memory of 2236	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	50
PID 2492 wrote to memory of 844	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	51
PID 2492 wrote to memory of 844	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	51
PID 2492 wrote to memory of 844	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	51
PID 2492 wrote to memory of 1972	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	52
PID 2492 wrote to memory of 1972	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	52
PID 2492 wrote to memory of 1972	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	52
PID 2492 wrote to memory of 1392	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	53
PID 2492 wrote to memory of 1392	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	53
PID 2492 wrote to memory of 1392	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	53
PID 2492 wrote to memory of 784	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	54
PID 2492 wrote to memory of 784	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	54
PID 2492 wrote to memory of 784	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	54
PID 2492 wrote to memory of 1596	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	55
PID 2492 wrote to memory of 1596	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	55
PID 2492 wrote to memory of 1596	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	55
PID 2492 wrote to memory of 1820	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	62
PID 2492 wrote to memory of 1820	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	62
PID 2492 wrote to memory of 1820	2492	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	62
PID 1820 wrote to memory of 2184	1820	cmd.exe	64
PID 1820 wrote to memory of 2184	1820	cmd.exe	64
PID 1820 wrote to memory of 2184	1820	cmd.exe	64
PID 1820 wrote to memory of 2228	1820	cmd.exe	65
PID 1820 wrote to memory of 2228	1820	cmd.exe	65
PID 1820 wrote to memory of 2228	1820	cmd.exe	65
PID 1820 wrote to memory of 1292	1820	cmd.exe	66
PID 1820 wrote to memory of 1292	1820	cmd.exe	66
PID 1820 wrote to memory of 1292	1820	cmd.exe	66
PID 1292 wrote to memory of 2332	1292	smss.exe	67
PID 1292 wrote to memory of 2332	1292	smss.exe	67
PID 1292 wrote to memory of 2332	1292	smss.exe	67
PID 2332 wrote to memory of 2032	2332	cmd.exe	69
PID 2332 wrote to memory of 2032	2332	cmd.exe	69
PID 2332 wrote to memory of 2032	2332	cmd.exe	69
PID 2332 wrote to memory of 2488	2332	cmd.exe	70
PID 2332 wrote to memory of 2488	2332	cmd.exe	70
PID 2332 wrote to memory of 2488	2332	cmd.exe	70
PID 2332 wrote to memory of 1708	2332	cmd.exe	73
PID 2332 wrote to memory of 1708	2332	cmd.exe	73
PID 2332 wrote to memory of 1708	2332	cmd.exe	73
PID 1708 wrote to memory of 2368	1708	smss.exe	74
PID 1708 wrote to memory of 2368	1708	smss.exe	74
PID 1708 wrote to memory of 2368	1708	smss.exe	74
PID 2368 wrote to memory of 2196	2368	cmd.exe	76
PID 2368 wrote to memory of 2196	2368	cmd.exe	76
PID 2368 wrote to memory of 2196	2368	cmd.exe	76
PID 2368 wrote to memory of 2620	2368	cmd.exe	77
PID 2368 wrote to memory of 2620	2368	cmd.exe	77
PID 2368 wrote to memory of 2620	2368	cmd.exe	77
PID 2368 wrote to memory of 1040	2368	cmd.exe	78
PID 2368 wrote to memory of 1040	2368	cmd.exe	78
PID 2368 wrote to memory of 1040	2368	cmd.exe	78
PID 1040 wrote to memory of 984	1040	smss.exe	79
PID 1040 wrote to memory of 984	1040	smss.exe	79
PID 1040 wrote to memory of 984	1040	smss.exe	79
PID 984 wrote to memory of 2220	984	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
"C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nc1124xx\nc1124xx.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92DD.tmp" "c:\Windows\System32\CSC1BC708E8D9344DFAAD488C717E662F16.TMP"
    3⤵
    PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ma9SXApHU0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2184
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2228
- - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
    "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtbRvp1Luy.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2032
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2488
    - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZMh4UPVO0I.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2620
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lOMsQrAcGI.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2344
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xqZ3vPYigC.bat"
        10⤵
        
        PID:2300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:440
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1pharLUl0n.bat"
        12⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2652
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XA2Giq7lse.bat"
        14⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:1704
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EMqflE6MDZ.bat"
        16⤵
        
        PID:2764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2136
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        18⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:1760
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HY3kVmQ00V.bat"
        20⤵
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2256
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EZvDZpVxgu.bat"
        22⤵
        
        PID:2908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:3012
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lr5Zi8WiUT.bat"
        24⤵
        
        PID:2344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\system\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\system\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\system\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1pharLUl0n.bat

Filesize
252B

MD5
70508ff74d2df830dc6b02b040d3e396

SHA1
4da01d65fa46a3951c4c42f5aeb7059bdeef5a77

SHA256
effc4f04ef1bb49f7e8a0408737c68cfdfe59760020e6674323f4e80236dd753

SHA512
7297899f5e29709dd95c20dff6bccd42725a4d9c89fbb141ffbfd463e7942909a4cbca8ed22107a310cfe82b2f4b3df9f8bb7ba8068c8719587c5d61bfb0c662

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMqflE6MDZ.bat

Filesize
252B

MD5
e005a5707077215a6ae046eb8c5640dc

SHA1
7a8acd4743936c7bed33d0c3151366ae6b3e95c4

SHA256
be3e5bef914aee467b277e3450a7e1dc6b581d279dfc4ec73a7cb429da276477

SHA512
cef550656e458eba9b37e2ba3761611b0249eb599a02b25f27cae857fe28ef20fb01dc3133717b748fd25e2daeee6c08980aca147fcc34b7f504dc2c93d1dacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EZvDZpVxgu.bat

Filesize
204B

MD5
ab3027aaadc2e3ed0841e1c84f91455c

SHA1
9ef1766f3c49a5df09c8028232bb42cd02e35d7b

SHA256
ac0dcb2141103e36d90ce29e4e0273cdf6c5d371b3b020223794c606c9c98763

SHA512
01ec8315c8d79ae98e9a15ffd5f6c5693f4eefa4d286a75bb0f4755b36c8ffe9525abc4a47f3f3602a24db882010f86455b87050d51aa5fca158362c8823d27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HY3kVmQ00V.bat

Filesize
204B

MD5
e3d289c1eafae9dfbad23a9409534a9e

SHA1
bd1deec83018e3efc126f490ffca3e8c869e2b36

SHA256
ea716537fe23a4fbc4ae0a7503d37f702961a758b14aa6239c8a80128174a94a

SHA512
00447c12938cba910b63dba11e99a96c71e29b4395cb4ca612327173b9aa8f508aa9b547c84a3f16236348c142b2e15db43628349af96b59181a551e2cab534b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ma9SXApHU0.bat

Filesize
252B

MD5
a7b99b806924ef4743e527b4422e3790

SHA1
d5ef9dac72bdf391034dacbb0f359774eb03b9e6

SHA256
d696d4d3cc8271485ee30ce1d46f7fd126fdce8eeb435b99e94f869443b6f982

SHA512
c0dda0116527aeb37a7b5eeb85fbf3fd2e37b156cfcda5121afc9d82b49c25c5eab30f90844998421923ec5b9f0b870db0c3dc13c7b9b1528926d9c54291da9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtbRvp1Luy.bat

Filesize
204B

MD5
72729396fab116e936afe7f747bf5a2e

SHA1
0e7fb52cf780f7b9785c1c8de748e0badc68b769

SHA256
74d0c78214575cd38c57793532fb20d0dc12fd1eb7f693bade94cc27e29bf610

SHA512
1151433b9a275bb78816cce28fddb2f01ca2b10948505dad6294e4b8738330643847f9350bf5acb6c68a72ba373628adff240e44af4a4be8b29b82dced762a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES92DD.tmp

Filesize
1KB

MD5
2bb36bc462982a650628dd181d202785

SHA1
85418990be0bb2b0f78b5061b0c159cc5827b4e9

SHA256
6204f5df1bcabfb04ac9a30385d4408b65c8bc1cf9c3169a6b31c4c3d5408f78

SHA512
4ce0f424144c264188eb4a3bef21b864023339d11700ae769a015c563665bfadd089f6778ff8ec00d5a4058ee9f67d864ffc06021459a1f4f4df99193dcd4278

Download Submit
C:\Users\Admin\AppData\Local\Temp\XA2Giq7lse.bat

Filesize
204B

MD5
ff3f1b5955def5a38ab405e3e591760f

SHA1
af7e9139f5209acf3dc735f9b9556bbdd236c051

SHA256
46edcf2ca65caccb737087d80b11ce50f8b89414e0c0d888549bc1fbd49b761b

SHA512
8f871c055d673f899147ca67aff7dc030d5117de80b16b76b75df9e7f085f2af4e80dd277d2eef3a8acc412897974459e9085f0ec79a57c3105ff5c4189145c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMh4UPVO0I.bat

Filesize
252B

MD5
9d670077959a70cca8f2a0a7b86fa01d

SHA1
82804edc234318da9743fb661edf95813b42a97b

SHA256
7b24832eac392ecf05455193593d23d5f1892014ff6948bce8718d4021482284

SHA512
2b8e6df8eb6caf601f5ee00c57a87dafcf7fec7463665f8847be0cb1e61964f9e42427d36a3ff5dd8e5ccbecaf9b5246a6eb9cc8a10860b59c60f8dba2bee654

Download Submit
C:\Users\Admin\AppData\Local\Temp\lOMsQrAcGI.bat

Filesize
252B

MD5
16f89ba8527e1f14ba287190ea82c07d

SHA1
7e541bf1ba546ee3e30de22f7b7379bdaa55788a

SHA256
7f18770b517c582a61a44e959d9188d92e4390ef4ebf40577d3f7677e9f27d88

SHA512
48170d1f4798d117f70d75a5b58366d9e17953dabe957633b612f19d0fb0f61c15a067fa8de8020ea9966d13cfd1e4a6c56b6d93c238890490cab57e24345d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\lr5Zi8WiUT.bat

Filesize
204B

MD5
069c619b28033504f65f17fc91d94e4e

SHA1
6e36b60b1cb2439b3fe8b29978fb40e03a50ee35

SHA256
b60a6e7d2ddab647afc09d76f58d598bbd067bb84d91a56d919286766b834a5e

SHA512
8f8df72a18d3e05ee2a264ccc7bc9db7edcb83751c0ca01270fa533a7a684b7c29ad7df23fae955c5ef7459cf20f9d6afbe5d4a8448bb294b5bb20e5f653a906

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
204B

MD5
871930819de09ee7584f0ebdb4318417

SHA1
87a343974cba10ceccbde7af80e4efe9aa47e24c

SHA256
057e07a3ff73e8cb7f4135d546c769065fe3f43a3651552a934e59f722a9c7f5

SHA512
a68c750f988f73861a2a7670b53b9a596f59c885593b7f7affc1bd69a685ea2dd3aecc83f8f247a1df0e4c0df5e6db1bc900e22a59271d821414ab10318fc8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqZ3vPYigC.bat

Filesize
204B

MD5
863e36c3838ff3cb87f2016d5d647cc5

SHA1
424074e0da3c506a6b15d044cb47923591485f2e

SHA256
1b0632f278f34913f91669518b5152b5e393d5a405e1b397386fb6200b2b7c0f

SHA512
0fd508147fb6faf9a847418974b0827e2c874066f2dd2d18f801bae4320415722b11388ef7038793095c0929918955ec9014b12e2b51eb03236073ce9ea26d46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3cc5b639313b61b7f6e6bffabbde636d

SHA1
fc1408f09956fee643bd0956b928b503eadea666

SHA256
c913a3be7d7597f222779a30962fed0c719bff3d8af4bd34d2da2554750c214b

SHA512
eb19cadafb9fcaab2db8e72097fcd190fe4bf83760a1a2c957943f3ac7934f0c9877d3413e49131404943cdc22b1ba5e26ec5c4c01218f3d6a6aa18aca0477b5

Download Submit
C:\Windows\system\smss.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc1124xx\nc1124xx.0.cs

Filesize
358B

MD5
3e27859d7ab73b780619804861209b59

SHA1
2d0022aee76684c64d3785a96bf249c56825f11b

SHA256
238f1bd47e9dc4917f2b924d130ac7244b011c3fc86bdb5862e1e86dcbb064e9

SHA512
c156053bebb5f421498d41114bd8924ebcf2428b1a21f0ed454d179c317d20ae1330bd6dbe41b495f8c3de4a7acf0c8e10dff29b04184e0f5044e8ffdcbe81d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nc1124xx\nc1124xx.cmdline

Filesize
235B

MD5
c365cfadffdb4834c36fa1b11896106b

SHA1
b1d2e881abe82433fa5c360cfb17aef42b355b5e

SHA256
f80a0b743f535a152fbb38b79fc85fa1d2e1ddee2e09017d204bb80eb9f05dcd

SHA512
2bca7cac86b03281834fc8bb8cb2d0a1ff552e956b8aef90ef3b9cf708190042dc6842cd2acfadb8d903425bcdfaa241665be061b9958cfbb6557dff00c444b3

Download Submit
\??\c:\Windows\System32\CSC1BC708E8D9344DFAAD488C717E662F16.TMP

Filesize
1KB

MD5
8520d952d96303e0f8a259972c09583d

SHA1
c6425e72597d55ad2a3cee1e3d321d8b3712c3b9

SHA256
f9849247b878573d5341c81a0a0e86d847df757f114504854ec9a55a63b790a0

SHA512
cdf94448c3a5e94fbc260d2cdd813f30976fe55165e30447cc0e2ae3ab2d6254619494b482b62f4875c419ecb21efefeadefb7d369560cb2e64a83c16735149e

Download Submit
memory/844-70-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/1040-92-0x0000000000FD0000-0x000000000117C000-memory.dmp

Filesize
1.7MB

Download
memory/1292-74-0x00000000003B0000-0x000000000055C000-memory.dmp

Filesize
1.7MB

Download
memory/1336-137-0x00000000011A0000-0x000000000134C000-memory.dmp

Filesize
1.7MB

Download
memory/1596-71-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1708-83-0x0000000000360000-0x000000000050C000-memory.dmp

Filesize
1.7MB

Download
memory/1944-128-0x0000000000140000-0x00000000002EC000-memory.dmp

Filesize
1.7MB

Download
memory/2276-147-0x00000000011D0000-0x000000000137C000-memory.dmp

Filesize
1.7MB

Download
memory/2384-164-0x0000000001290000-0x000000000143C000-memory.dmp

Filesize
1.7MB

Download
memory/2492-8-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2492-9-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-13-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-6-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2492-22-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-4-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-48-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-3-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x00000000000D0000-0x000000000027C000-memory.dmp

Filesize
1.7MB

Download
memory/2836-118-0x0000000001010000-0x00000000011BC000-memory.dmp

Filesize
1.7MB

Download