zgrat | 10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
Size

1.7MB
MD5

a6eb2d0e9381ff6eb2aca7bf1d797774
SHA1

64becc3595f0467f12e2b20bd3a34603fb7e472e
SHA256

10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e
SHA512

46f60e6d26e1cd6c3a78d842fe5258588623e7fc0dbded7ed1e3bf1baa020fb71dd75f3e77678bb71298cb59171a1150e1847daa20f10b7091724706ad567878
SSDEEP

24576:8s6fQKBl6XngXq9rvXdXwApsgDhhqMWUO9lmRmY7gBgT7muTYpC0M3/biezlI/s:8KRXwATqMW9y5OUJjTzl

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000240000-0x0000000000406000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000015e24-26.dat	family_zgrat_v1
behavioral1/files/0x0007000000015606-214.dat	family_zgrat_v1
behavioral1/files/0x0007000000015606-213.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
524	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\27d1bcfc3c54e0	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\6cb0b6c459d5d3	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\csrss.exe	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\886983d96e3d3e	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1356	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
1876	powershell.exe
2404	powershell.exe
2348	powershell.exe
2904	powershell.exe
2268	powershell.exe
1924	powershell.exe
2040	powershell.exe
1916	powershell.exe
2528	powershell.exe
2576	powershell.exe
2572	powershell.exe
2620	powershell.exe
1624	powershell.exe
2992	powershell.exe
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	524	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2404	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	67
PID 2384 wrote to memory of 2404	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	67
PID 2384 wrote to memory of 2404	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	67
PID 2384 wrote to memory of 1876	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	65
PID 2384 wrote to memory of 1876	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	65
PID 2384 wrote to memory of 1876	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	65
PID 2384 wrote to memory of 2904	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	64
PID 2384 wrote to memory of 2904	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	64
PID 2384 wrote to memory of 2904	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	64
PID 2384 wrote to memory of 2864	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	63
PID 2384 wrote to memory of 2864	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	63
PID 2384 wrote to memory of 2864	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	63
PID 2384 wrote to memory of 2580	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	61
PID 2384 wrote to memory of 2580	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	61
PID 2384 wrote to memory of 2580	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	61
PID 2384 wrote to memory of 2992	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	60
PID 2384 wrote to memory of 2992	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	60
PID 2384 wrote to memory of 2992	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	60
PID 2384 wrote to memory of 2572	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	59
PID 2384 wrote to memory of 2572	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	59
PID 2384 wrote to memory of 2572	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	59
PID 2384 wrote to memory of 2380	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	29
PID 2384 wrote to memory of 2380	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	29
PID 2384 wrote to memory of 2380	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	29
PID 2384 wrote to memory of 2576	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	52
PID 2384 wrote to memory of 2576	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	52
PID 2384 wrote to memory of 2576	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	52
PID 2384 wrote to memory of 2620	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	49
PID 2384 wrote to memory of 2620	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	49
PID 2384 wrote to memory of 2620	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	49
PID 2384 wrote to memory of 1924	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	48
PID 2384 wrote to memory of 1924	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	48
PID 2384 wrote to memory of 1924	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	48
PID 2384 wrote to memory of 2348	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	30
PID 2384 wrote to memory of 2348	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	30
PID 2384 wrote to memory of 2348	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	30
PID 2384 wrote to memory of 2336	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	47
PID 2384 wrote to memory of 2336	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	47
PID 2384 wrote to memory of 2336	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	47
PID 2384 wrote to memory of 2040	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	46
PID 2384 wrote to memory of 2040	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	46
PID 2384 wrote to memory of 2040	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	46
PID 2384 wrote to memory of 2268	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	44
PID 2384 wrote to memory of 2268	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	44
PID 2384 wrote to memory of 2268	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	44
PID 2384 wrote to memory of 1916	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	39
PID 2384 wrote to memory of 1916	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	39
PID 2384 wrote to memory of 1916	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	39
PID 2384 wrote to memory of 2528	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	32
PID 2384 wrote to memory of 2528	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	32
PID 2384 wrote to memory of 2528	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	32
PID 2384 wrote to memory of 1624	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	31
PID 2384 wrote to memory of 1624	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	31
PID 2384 wrote to memory of 1624	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	31
PID 2384 wrote to memory of 2828	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	45
PID 2384 wrote to memory of 2828	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	45
PID 2384 wrote to memory of 2828	2384	10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe	45
PID 2828 wrote to memory of 1512	2828	cmd.exe	58
PID 2828 wrote to memory of 1512	2828	cmd.exe	58
PID 2828 wrote to memory of 1512	2828	cmd.exe	58
PID 2828 wrote to memory of 1356	2828	cmd.exe	66
PID 2828 wrote to memory of 1356	2828	cmd.exe	66
PID 2828 wrote to memory of 1356	2828	cmd.exe	66
PID 2828 wrote to memory of 524	2828	cmd.exe	68

C:\Users\Admin\AppData\Local\Temp\10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe
"C:\Users\Admin\AppData\Local\Temp\10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\csrss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ul3xmXAEww.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1512
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1356
- - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\csrss.exe
    "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\csrss.exe

Filesize
66KB

MD5
9d85f784e880e90c7461c020889b2c08

SHA1
d3040e14fbf12580f14a390c0fb810d995893f18

SHA256
3b972d9fe485e4cf160518ee9a487cc9c4d2e77f8bd2ac143484c110d447c3ee

SHA512
1f219ed94b8b6fcb0bde59a968411034c45df0660fead1f2c0ab119bf5893df684da4e3eb78113630e4ecdb3b677ddb0f5b37dd913eb3ff63b99443d1ca29af3

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\csrss.exe

Filesize
59KB

MD5
91e2b94d8dd0fcd54f2262b4ce10d864

SHA1
ed2bd6c139b056336842ff75426100824c359d66

SHA256
dc7b3589d18955403eaade7bc6e2bebe72b05235384c532a651b522c29af9923

SHA512
a11f72e0f2d9818255862b9be5da36432929aad9703bcdfc0f7ce976a73519ac6315ad1720f0a53e3a999d16e65ab73b97c34158aca3601de0ec9f291e7d636d

Download Submit
C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\winlogon.exe

Filesize
1.7MB

MD5
a6eb2d0e9381ff6eb2aca7bf1d797774

SHA1
64becc3595f0467f12e2b20bd3a34603fb7e472e

SHA256
10fa07a25654e8027da79c6ce9b04e2d41b68d6c7624f510e8251b4b95fd103e

SHA512
46f60e6d26e1cd6c3a78d842fe5258588623e7fc0dbded7ed1e3bf1baa020fb71dd75f3e77678bb71298cb59171a1150e1847daa20f10b7091724706ad567878

Download Submit
C:\Users\Admin\AppData\Local\Temp\ul3xmXAEww.bat

Filesize
195B

MD5
badb68c8c5aa35371bcaf78ae9a8468e

SHA1
ba90332b5a36c9e7fe1024264fc1be0ee0e22f55

SHA256
7e81428925eef3570dc99d16616b3a961e30d9fc1ba52271dc0f957a80ddab3a

SHA512
316710614af5651b795bcf18b4a9864c1fff59c920e320a2f0d12054b84651ebb9da103020d0451afd757edab602d470135c663857914f85cad37ba0c612f56b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W1HCZXMH3Q93M4B59F28.temp

Filesize
7KB

MD5
5326cc75357f6b035c2ba4cf67fba551

SHA1
4d3d697b2fb1487a753739e630a4adde31301df9

SHA256
746b4b24b0a5a81d45192faa4980020d78630930d7f615827eccac0258d94424

SHA512
47bbf3787de51973de5f8db679cfa9910a368d16a2a359b80b6b1b219358dba4ca92f67621351c4f9b4e28833d232eb7b2cfc60a7396997914a78fc793b27c1d

Download Submit
memory/1876-51-0x000000000275B000-0x00000000027C2000-memory.dmp

Filesize
412KB

Download
memory/1876-46-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-48-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/1876-52-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-43-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/1876-50-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1876-56-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-149-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-147-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-148-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1916-151-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1916-152-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1916-150-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1924-82-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/1924-81-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-86-0x000000000232B000-0x0000000002392000-memory.dmp

Filesize
412KB

Download
memory/1924-88-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/1924-87-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-93-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/1924-72-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/2040-142-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2040-141-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2040-157-0x0000000002914000-0x0000000002917000-memory.dmp

Filesize
12KB

Download
memory/2040-145-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-146-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2040-144-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2040-143-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-64-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-67-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/2268-71-0x00000000029FB000-0x0000000002A62000-memory.dmp

Filesize
412KB

Download
memory/2348-57-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2348-65-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2348-62-0x000000000244B000-0x00000000024B2000-memory.dmp

Filesize
412KB

Download
memory/2348-54-0x0000000002440000-0x00000000024C0000-memory.dmp

Filesize
512KB

Download
memory/2384-15-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2384-3-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-2-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2384-41-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-16-0x0000000076D60000-0x0000000076D61000-memory.dmp

Filesize
4KB

Download
memory/2384-14-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/2384-4-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2384-10-0x0000000076D70000-0x0000000076D71000-memory.dmp

Filesize
4KB

Download
memory/2384-12-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2384-5-0x0000000076D80000-0x0000000076D81000-memory.dmp

Filesize
4KB

Download
memory/2384-0-0x0000000000240000-0x0000000000406000-memory.dmp

Filesize
1.8MB

Download
memory/2384-6-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2384-7-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-9-0x00000000006C0000-0x00000000006DC000-memory.dmp

Filesize
112KB

Download
memory/2404-42-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2404-53-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-49-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/2404-55-0x00000000023CB000-0x0000000002432000-memory.dmp

Filesize
412KB

Download
memory/2528-153-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-156-0x0000000002AC0000-0x0000000002B40000-memory.dmp

Filesize
512KB

Download
memory/2576-155-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/2576-154-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-158-0x000007FEF5470000-0x000007FEF5E0D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-63-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2904-68-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-69-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/2904-66-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-60-0x000007FEEE280000-0x000007FEEEC1D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-73-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download