zgrat | 747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Size

1.6MB
MD5

0d6496f71fd24be93348c354faf7dfa6
SHA1

47f195a3996d4e3bd051d54e879d1ae68d2ed9a0
SHA256

747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9
SHA512

0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c
SSDEEP

49152:TGJ95iN4KodXZCQRBHt268KDDljKrTrv:iJ9Z3dXLrHt2nYDKX

Score

10^/10

zgrat execution persistence rat

Malware Config

Signatures

Detect ZGRat V1 8 IoCs

resource	yara_rule
behavioral1/memory/1724-1-0x0000000000CF0000-0x0000000000E9C000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00060000000173e5-21.dat	family_zgrat_v1
behavioral1/memory/2440-74-0x0000000000380000-0x000000000052C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2448-83-0x00000000008E0000-0x0000000000A8C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2712-101-0x0000000001340000-0x00000000014EC000-memory.dmp	family_zgrat_v1
behavioral1/memory/700-119-0x00000000002F0000-0x000000000049C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2228-128-0x0000000000AB0000-0x0000000000C5C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2580-156-0x0000000001360000-0x000000000150C000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\All Users\\Microsoft\\winlogon.exe\", \"C:\\Users\\All Users\\Templates\\audiodg.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\All Users\\Microsoft\\winlogon.exe\", \"C:\\Users\\All Users\\Templates\\audiodg.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\", \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\lsass.exe\", \"C:\\Users\\All Users\\Microsoft\\winlogon.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2480	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2480	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe
1696	powershell.exe
2392	powershell.exe
1188	powershell.exe
1260	powershell.exe
1336	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2440	audiodg.exe
2448	audiodg.exe
2276	audiodg.exe
2712	audiodg.exe
2284	audiodg.exe
700	audiodg.exe
2228	audiodg.exe
2012	audiodg.exe
2044	audiodg.exe
2024	audiodg.exe
2580	audiodg.exe
2496	audiodg.exe
540	audiodg.exe
2932	audiodg.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Mozilla Firefox\\fonts\\smss.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\lsass.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Microsoft\\winlogon.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\Microsoft\\winlogon.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Templates\\audiodg.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Templates\\audiodg.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe\""	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC366E04A847164EF9BD9654E932EDC1FD.TMP	csc.exe
File created	\??\c:\Windows\System32\oin92z.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\69ddcba757bf72	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
File created	C:\Program Files\Mozilla Firefox\fonts\smss.exe	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2656	schtasks.exe
2412	schtasks.exe
2616	schtasks.exe
1848	schtasks.exe
1956	schtasks.exe
2092	schtasks.exe
1944	schtasks.exe
1192	schtasks.exe
808	schtasks.exe
2760	schtasks.exe
2132	schtasks.exe
2424	schtasks.exe
352	schtasks.exe
1756	schtasks.exe
628	schtasks.exe
2328	schtasks.exe
1476	schtasks.exe
856	schtasks.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1536	PING.EXE
2220	PING.EXE
2940	PING.EXE
2848	PING.EXE
2740	PING.EXE
1712	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
1696	powershell.exe
1260	powershell.exe
1188	powershell.exe
2532	powershell.exe
1336	powershell.exe
2392	powershell.exe
2440	audiodg.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2440	audiodg.exe
Token: SeDebugPrivilege	2448	audiodg.exe
Token: SeDebugPrivilege	2276	audiodg.exe
Token: SeDebugPrivilege	2712	audiodg.exe
Token: SeDebugPrivilege	2284	audiodg.exe
Token: SeDebugPrivilege	700	audiodg.exe
Token: SeDebugPrivilege	2228	audiodg.exe
Token: SeDebugPrivilege	2012	audiodg.exe
Token: SeDebugPrivilege	2044	audiodg.exe
Token: SeDebugPrivilege	2580	audiodg.exe
Token: SeDebugPrivilege	2496	audiodg.exe
Token: SeDebugPrivilege	540	audiodg.exe
Token: SeDebugPrivilege	2932	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2276	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	32
PID 1724 wrote to memory of 2276	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	32
PID 1724 wrote to memory of 2276	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	32
PID 2276 wrote to memory of 2384	2276	csc.exe	34
PID 2276 wrote to memory of 2384	2276	csc.exe	34
PID 2276 wrote to memory of 2384	2276	csc.exe	34
PID 1724 wrote to memory of 2532	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	50
PID 1724 wrote to memory of 2532	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	50
PID 1724 wrote to memory of 2532	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	50
PID 1724 wrote to memory of 1336	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	51
PID 1724 wrote to memory of 1336	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	51
PID 1724 wrote to memory of 1336	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	51
PID 1724 wrote to memory of 1260	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	52
PID 1724 wrote to memory of 1260	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	52
PID 1724 wrote to memory of 1260	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	52
PID 1724 wrote to memory of 1188	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	53
PID 1724 wrote to memory of 1188	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	53
PID 1724 wrote to memory of 1188	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	53
PID 1724 wrote to memory of 1696	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	54
PID 1724 wrote to memory of 1696	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	54
PID 1724 wrote to memory of 1696	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	54
PID 1724 wrote to memory of 2392	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	55
PID 1724 wrote to memory of 2392	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	55
PID 1724 wrote to memory of 2392	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	55
PID 1724 wrote to memory of 324	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	62
PID 1724 wrote to memory of 324	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	62
PID 1724 wrote to memory of 324	1724	747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe	62
PID 324 wrote to memory of 1324	324	cmd.exe	64
PID 324 wrote to memory of 1324	324	cmd.exe	64
PID 324 wrote to memory of 1324	324	cmd.exe	64
PID 324 wrote to memory of 1712	324	cmd.exe	65
PID 324 wrote to memory of 1712	324	cmd.exe	65
PID 324 wrote to memory of 1712	324	cmd.exe	65
PID 324 wrote to memory of 2440	324	cmd.exe	66
PID 324 wrote to memory of 2440	324	cmd.exe	66
PID 324 wrote to memory of 2440	324	cmd.exe	66
PID 2440 wrote to memory of 1448	2440	audiodg.exe	67
PID 2440 wrote to memory of 1448	2440	audiodg.exe	67
PID 2440 wrote to memory of 1448	2440	audiodg.exe	67
PID 1448 wrote to memory of 2236	1448	cmd.exe	69
PID 1448 wrote to memory of 2236	1448	cmd.exe	69
PID 1448 wrote to memory of 2236	1448	cmd.exe	69
PID 1448 wrote to memory of 1536	1448	cmd.exe	70
PID 1448 wrote to memory of 1536	1448	cmd.exe	70
PID 1448 wrote to memory of 1536	1448	cmd.exe	70
PID 1448 wrote to memory of 2448	1448	cmd.exe	71
PID 1448 wrote to memory of 2448	1448	cmd.exe	71
PID 1448 wrote to memory of 2448	1448	cmd.exe	71
PID 2448 wrote to memory of 2572	2448	audiodg.exe	72
PID 2448 wrote to memory of 2572	2448	audiodg.exe	72
PID 2448 wrote to memory of 2572	2448	audiodg.exe	72
PID 2572 wrote to memory of 2468	2572	cmd.exe	74
PID 2572 wrote to memory of 2468	2572	cmd.exe	74
PID 2572 wrote to memory of 2468	2572	cmd.exe	74
PID 2572 wrote to memory of 2132	2572	cmd.exe	75
PID 2572 wrote to memory of 2132	2572	cmd.exe	75
PID 2572 wrote to memory of 2132	2572	cmd.exe	75
PID 2572 wrote to memory of 2276	2572	cmd.exe	76
PID 2572 wrote to memory of 2276	2572	cmd.exe	76
PID 2572 wrote to memory of 2276	2572	cmd.exe	76
PID 2276 wrote to memory of 2412	2276	audiodg.exe	77
PID 2276 wrote to memory of 2412	2276	audiodg.exe	77
PID 2276 wrote to memory of 2412	2276	audiodg.exe	77
PID 2412 wrote to memory of 1380	2412	cmd.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe
"C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zwlss32t\zwlss32t.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FEF.tmp" "c:\Windows\System32\CSC366E04A847164EF9BD9654E932EDC1FD.TMP"
    3⤵
    PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XUoBD0n51x.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1324
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1712
- - C:\Users\All Users\Templates\audiodg.exe
    "C:\Users\All Users\Templates\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9k9dlLOE64.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2236
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:1536
    - - C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dl1lNRuX9F.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2132
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBqx2BHh5U.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2328
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat"
        10⤵
        
        PID:1464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:872
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y182dPLPTa.bat"
        12⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2956
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat"
        14⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2928
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat"
        16⤵
        
        PID:2240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2676
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat"
        18⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2220
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat"
        20⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2940
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        21⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2kiGAGutNb.bat"
        22⤵
        
        PID:1452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2640
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lSuT6vhWYn.bat"
        24⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2848
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yY8shRuf5J.bat"
        26⤵
        
        PID:1276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1764
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TnBNCiQVx4.bat"
        28⤵
        
        PID:2976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:2740
        
        C:\Users\All Users\Templates\audiodg.exe
        
        "C:\Users\All Users\Templates\audiodg.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a97" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\fonts\smss.exe

Filesize
1.6MB

MD5
0d6496f71fd24be93348c354faf7dfa6

SHA1
47f195a3996d4e3bd051d54e879d1ae68d2ed9a0

SHA256
747abbc9dd92fa2162a0eee074374963938357f40e1b2de464e613fe3c03e5a9

SHA512
0d755fb0bea2edf4a92a013a06ce3274f05f1d8fc01a25de320a2f566ec8055922e8fa0f34196c1263292ab45455e4b612f467757a0e211ba2edc066090b6a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9k9dlLOE64.bat

Filesize
168B

MD5
fb55ee64257468e802092f1eacf4a9d0

SHA1
72a1fd29138e0f0e100d53a7c0f84d1c472c8e50

SHA256
12b22412e4c8b605212d57cc016f05d1265181a62b3a5837209b4ef20e9e2286

SHA512
38a36640ebbddec5f89987c9e2d9b64094a7a25f420bc52bd5bcbba841d62539f7b817a3c60e932034df47cad7dfe9b70cf7bcc78691972fa3b5d4b92618191a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dl1lNRuX9F.bat

Filesize
216B

MD5
132b86dde19c515b75b8fac41eb96c1b

SHA1
546d5e798baf126ecc9c0a150e8e01020926ad0f

SHA256
95103eaac0ce3cd3fe536ca860d830207401e12b73164906d2a4de4c1fe9ee3d

SHA512
e0a1471fdeb48395c364f6fba2aaff088573cc4110f25dfd82f66f0b7681cd889f31b43a9d1bc8f9ed151852918d3b21db0b10baaac96f8a2bce1626119af67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1FEF.tmp

Filesize
1KB

MD5
1037db23697499f4cd6cae82ca94848c

SHA1
91166a1b80a0e0faacfdedcc6c43d67d0f746322

SHA256
c01263eafabd9cf3d43a87f34b8ab9f1cc3f81fc13fee0000e021ff2101e89f3

SHA512
db3356b763c4166aadb151ace19a096fea86922cb1dfaf655e96b2b6e35dbc75be34149366e2f9ee037d8db441a47149a096c7c4acc6a16d66259ea98dcf405a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TnBNCiQVx4.bat

Filesize
168B

MD5
e2d2e18b8ad017590ae3973c438be20e

SHA1
e463201c2986c8999be8cff9a6cd3866da660338

SHA256
b800845383aef25426328b304d422a5008750fb2bd799ea68e7c5c1e8755d820

SHA512
9900b74f2a546b57abd47d43b75bba5b6b5be8621af77b57a6c39bb4217b9f623d5ebe9b4c75256c0553a7b3ef4daaedada34aa5f93b89fb8f625c32d91ba0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUoBD0n51x.bat

Filesize
168B

MD5
400250a618a23a2797a48debf4255886

SHA1
1b2abdb7496a506da9ce61cb91ccb8b8efca75ff

SHA256
e9ad663d82232581dc2a8ec85085ec6765de485884473e5425761a0aa6e648d7

SHA512
04e1033036683e8cd00d9a463e338c0409d949745eec6265009d2e12942e31606cade15352d9e357efbfe584aaa29c2e5d62a1285eb2f085cae202f46e33e48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y182dPLPTa.bat

Filesize
216B

MD5
42bc47204fead4c59aac958c488f82e5

SHA1
7767aece0db41bf6d126596b0109952147232017

SHA256
011d033de67f7bfb14da95b000710742395bebb9f5ef93afba522b67306b19ec

SHA512
1bd8045e3aa0d34f827ecd04559c799e1aa34c03967e914df9e07bb75ae15c73958f5ef713940691d91466e51038fea3c040b2601156bbe31fb82846afc68f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBqx2BHh5U.bat

Filesize
216B

MD5
8e6cab894c24cf1d19b65cb823d05423

SHA1
809fec7cc9ee5fdc3ba9cf1d9a591dd674c2591d

SHA256
29d0b88208d8b96969afb9cdf5ad2fd3167c57c6ff6dd2903a9b6bc91fdfd368

SHA512
c55a32c4ed67e68ed884e4c22b41b6d85ca842e87833f0027e445193e826136743341005aee086c0c541d587711efd1e954a1a1f8f87d347ea8112e699e36293

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat

Filesize
216B

MD5
6e4814a642f890ecdfac0f71f9f15afa

SHA1
1e0b75e9781e59496c78d8a373e0fd87fd4d4192

SHA256
0825c8d7c38002f89653baae308ec46d1bf9e8306ccc8dd828fa3d289b3c9f13

SHA512
77d1ac75ee8bfac22189c02436988d348fecece84fa76e377c480f5f67a98e7124142d71898ace98fcc61d1f881b44f066107513922d770e6316afd813d5b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat

Filesize
168B

MD5
03dc68e0f22a76e9658326149de3ffb7

SHA1
6b2aaf8f33d64934465f3503cf50187eeb8c9baa

SHA256
df6610ec2b3499a4921d79537a6c0c349322432c6dd412ee54b008810e2919e7

SHA512
4d1435843e47c4ecd23290486632abcc35d9e59d27d31b42ef0e4eebd8134e5c240e329bba165b3729e7feed667e0c93849454ede6da3fa68e20c83736318173

Download Submit
C:\Users\Admin\AppData\Local\Temp\igsUyaB4hX.bat

Filesize
216B

MD5
b9e134ddfd02b6d435099b29f05dfbfa

SHA1
74f3fa5f689590499850960fe3fd9c22ac43c447

SHA256
b8d8ed13c66102808b3a9d6be650cc63840488598906a22fcf8588985a54a684

SHA512
7ff849a5bd220227423ad84d5439542b6e61032ee01c25bfdd3dbcd36ed28deac0f10c1b53cc397083ef2b70860ec25ef346448fb1a2d5d01933ac74fadbcddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lSuT6vhWYn.bat

Filesize
168B

MD5
6f810c398d32771646246d1ff85b09bc

SHA1
fc173ee14cb8c286eff8bbfdf4a2a2df73f3abdc

SHA256
f0617d8422dbb710d747b9c54447d9669dac0a08c35b99664cf4cc51fdb4e50e

SHA512
88a153f2ee51db7bca8b171c7297b4e657c10fcd392038dea1826d7d12e7cc01ce9c7db4256ea5d61412a60943edeaa815e3ba4cd345deef59d59c37063c635e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQfj5ziueB.bat

Filesize
168B

MD5
df514760ebe5f9fd811997309a833ffd

SHA1
b9ede2eb072b90bbf61f51959fa6ee4eb26cd7db

SHA256
62150e349bcec2f79cd7a469b5d0eb1babc1d8883747e6680cf9c4bbe4037893

SHA512
2f7c13aaa6dd309345ad3b16e3294c514b78a541ffe807ca4fcf2920c2801a3a6ae48b4376a18b88b84f70c08b365c2eda1bd3a2e36e4172cfa5db134ed61722

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat

Filesize
216B

MD5
54c64d808c674636e03640f1f5bfdbc0

SHA1
72855e0d68c8f9fb65c8ff5e345323ce0bf9b358

SHA256
280dbc9cc3264a3b007fcd0edf791fdc0789499d9e8d91d1bf8bb9160fca29a7

SHA512
17c1868d15bfbe07098ea6718a8148e420058681fd184588191c6783ef917e471a1ea57939395c24d965c45f612018a6390b01e5d6dfdcc695863ee4a53de565

Download Submit
C:\Users\Admin\AppData\Local\Temp\yY8shRuf5J.bat

Filesize
216B

MD5
6e3855d5671dce041f4a70323dceaa46

SHA1
a16462692aa75883a6f270419a8ef2e2a7eac678

SHA256
71b65ca880cfe71280cf7bd9280c5ef20a5ae9706d4e379590ba9b59e5a4b2d2

SHA512
72807e8676b92f4a00b9e70065081c0b369787a572138c84f7674222938a93c1c13a4530bde830a7f7ad600aae27e7958495c90599623a6625803f3ecd3b90c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
67a798a559545f5f404f079e14d216ad

SHA1
1cbb75dc70a5111fdc331c6a3ed6ea8fa8f85fb3

SHA256
a8ac2d242405c465ef90870438808abb8a7c4368e1c6133e06476f4569540e82

SHA512
dce9dbf00f5474bfb082ea956387895759af86d0cc618e3dc5eb432669266d8dc57adafee0615152b55c440d241e1d2aa88da911ae377eabc8507ea687f78155

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zwlss32t\zwlss32t.0.cs

Filesize
379B

MD5
9a1161186b941b10205ea732c48f0ad1

SHA1
f94c6e68367709b98288af2164eb5f7c60ba4ee0

SHA256
d7b0cb46563502746c1fcd6be468ecbdc8118a37d166711abeebd78e0974920e

SHA512
8f149cbff91a65589bed5de0456ab27593966315cc39d6f8cc07d6176941e1b9b9a6827c45312b39ad76d48d2bc7788d2516ceefdcda48ce4c1d31ff60a4bfd2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zwlss32t\zwlss32t.cmdline

Filesize
235B

MD5
d2ec0d6be6e89fdc769bb7efa69de8d8

SHA1
169819edba96ec0a6eebed99905aff4c2fa7e370

SHA256
41aad1b75dcb8855db15e8e8ebae575a41d976a8cc8263c80aecf392fcefa703

SHA512
9a044310a275ce65918278f14be87fc1fb905005c9f8f7f65c71feabed867f422dc0ff3bb35314764a0d638716e61238f586a7d5d7aedcb1282a4d4337cb7856

Download Submit
\??\c:\Windows\System32\CSC366E04A847164EF9BD9654E932EDC1FD.TMP

Filesize
1KB

MD5
1c0f7844f7e250162f11df610012cc1f

SHA1
2ee0b2ac51be783b0d196868edc6a1fe7a0af068

SHA256
988d255e5988f6b4de58f1eb852279c5974974d18d47af4dccb89cacff4cc020

SHA512
3b323f3a51f44e5dc73f7f54cecb39de91fdb6ea64965fb2e84764297e2856e86c9751c71bb5d549f322547c9b383a13f16775d32e8c9333a66a11739d5e3f6d

Download Submit
memory/700-119-0x00000000002F0000-0x000000000049C000-memory.dmp

Filesize
1.7MB

Download
memory/1260-53-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1696-59-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1724-10-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-1-0x0000000000CF0000-0x0000000000E9C000-memory.dmp

Filesize
1.7MB

Download
memory/1724-6-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/1724-12-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-4-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-3-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-9-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1724-0-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

Filesize
4KB

Download
memory/1724-61-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-7-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-2-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-154-0x000007FEF2E60000-0x000007FEF2ED4000-memory.dmp

Filesize
464KB

Download
memory/2228-128-0x0000000000AB0000-0x0000000000C5C000-memory.dmp

Filesize
1.7MB

Download
memory/2440-74-0x0000000000380000-0x000000000052C000-memory.dmp

Filesize
1.7MB

Download
memory/2448-83-0x00000000008E0000-0x0000000000A8C000-memory.dmp

Filesize
1.7MB

Download
memory/2580-156-0x0000000001360000-0x000000000150C000-memory.dmp

Filesize
1.7MB

Download
memory/2712-101-0x0000000001340000-0x00000000014EC000-memory.dmp

Filesize
1.7MB

Download