zgrat | c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

max time kernel
1665s
max time network
1798s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

347KB
MD5

1cb742cb95699d994e1cc6810c6f7642
SHA1

103ea603322859742a3e51c5e517a927b9dcd40c
SHA256

c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
SHA512

79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795
SSDEEP

6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 15 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015605-8.dat	family_zgrat_v1
behavioral1/files/0x000a000000015c9f-23.dat	family_zgrat_v1
behavioral1/memory/2712-24-0x0000000000300000-0x00000000006A2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2364-128-0x00000000009A0000-0x0000000000D42000-memory.dmp	family_zgrat_v1
behavioral1/memory/1896-173-0x0000000000320000-0x00000000006C2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2344-176-0x0000000000E80000-0x0000000001222000-memory.dmp	family_zgrat_v1
behavioral1/memory/2476-179-0x0000000000A40000-0x0000000000DE2000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000015d98-180.dat	family_zgrat_v1
behavioral1/memory/1876-182-0x00000000010C0000-0x0000000001462000-memory.dmp	family_zgrat_v1
behavioral1/memory/1936-185-0x0000000000F20000-0x00000000012C2000-memory.dmp	family_zgrat_v1
behavioral1/memory/1624-189-0x00000000002E0000-0x0000000000682000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0009000000015d07-190.dat	family_zgrat_v1
behavioral1/memory/1200-191-0x0000000001390000-0x0000000001732000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000015d27-193.dat	family_zgrat_v1
behavioral1/memory/1680-196-0x0000000000220000-0x00000000005C2000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\smss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\System.exe\", \"C:\\Windows\\TAPI\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\smss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\System.exe\", \"C:\\Windows\\TAPI\\conhost.exe\", \"C:\\Windows\\Downloaded Program Files\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\spoolsv.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\spoolsv.exe\", \"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\smss.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\System.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1892	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1216	powershell.exe
656	powershell.exe
1516	powershell.exe
576	powershell.exe
2448	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
2080	Checker.exe
2712	Sessionperf.exe
2364	spoolsv.exe
1544	spoolsv.exe
1896	System.exe
2344	services.exe
2476	smss.exe
1876	conhost.exe
1936	System.exe
2428	spoolsv.exe
1624	services.exe
1200	smss.exe
2984	System.exe
1832	spoolsv.exe
1680	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2624	cmd.exe
2624	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\TAPI\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Downloaded Program Files\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\Downloaded Program Files\\services.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\System.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default User\\spoolsv.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\System.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\TAPI\\conhost.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCD6257470FA474771AC6052A6987C92C5.TMP	csc.exe
File created	\??\c:\Windows\System32\slsogk.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\27d1bcfc3c54e0	Sessionperf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\System.exe	Sessionperf.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\services.exe	Sessionperf.exe
File created	C:\Windows\Downloaded Program Files\c5b4cb5e9653cc	Sessionperf.exe
File created	C:\Windows\TAPI\conhost.exe	Sessionperf.exe
File created	C:\Windows\TAPI\088424020bedd6	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1680	schtasks.exe
320	schtasks.exe
1792	schtasks.exe
3064	schtasks.exe
1960	schtasks.exe
1132	schtasks.exe
2064	schtasks.exe
2560	schtasks.exe
1868	schtasks.exe
796	schtasks.exe
608	schtasks.exe
648	schtasks.exe
1200	schtasks.exe
2264	schtasks.exe
2344	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2800	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe
2712	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2364	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	Loader.exe
Token: SeDebugPrivilege	2712	Sessionperf.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	2364	spoolsv.exe
Token: SeDebugPrivilege	1896	System.exe
Token: SeDebugPrivilege	1544	spoolsv.exe
Token: SeDebugPrivilege	2344	services.exe
Token: SeDebugPrivilege	2476	smss.exe
Token: SeDebugPrivilege	1876	conhost.exe
Token: SeDebugPrivilege	1936	System.exe
Token: SeDebugPrivilege	2428	spoolsv.exe
Token: SeDebugPrivilege	1624	services.exe
Token: SeDebugPrivilege	1200	smss.exe
Token: SeDebugPrivilege	2984	System.exe
Token: SeDebugPrivilege	1832	spoolsv.exe
Token: SeDebugPrivilege	1680	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2364	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2080	2240	Loader.exe	28
PID 2240 wrote to memory of 2080	2240	Loader.exe	28
PID 2240 wrote to memory of 2080	2240	Loader.exe	28
PID 2240 wrote to memory of 2080	2240	Loader.exe	28
PID 2080 wrote to memory of 2668	2080	Checker.exe	29
PID 2080 wrote to memory of 2668	2080	Checker.exe	29
PID 2080 wrote to memory of 2668	2080	Checker.exe	29
PID 2080 wrote to memory of 2668	2080	Checker.exe	29
PID 2668 wrote to memory of 2624	2668	WScript.exe	30
PID 2668 wrote to memory of 2624	2668	WScript.exe	30
PID 2668 wrote to memory of 2624	2668	WScript.exe	30
PID 2668 wrote to memory of 2624	2668	WScript.exe	30
PID 2624 wrote to memory of 2800	2624	cmd.exe	32
PID 2624 wrote to memory of 2800	2624	cmd.exe	32
PID 2624 wrote to memory of 2800	2624	cmd.exe	32
PID 2624 wrote to memory of 2800	2624	cmd.exe	32
PID 2624 wrote to memory of 2712	2624	cmd.exe	33
PID 2624 wrote to memory of 2712	2624	cmd.exe	33
PID 2624 wrote to memory of 2712	2624	cmd.exe	33
PID 2624 wrote to memory of 2712	2624	cmd.exe	33
PID 2712 wrote to memory of 2640	2712	Sessionperf.exe	38
PID 2712 wrote to memory of 2640	2712	Sessionperf.exe	38
PID 2712 wrote to memory of 2640	2712	Sessionperf.exe	38
PID 2640 wrote to memory of 1144	2640	csc.exe	40
PID 2640 wrote to memory of 1144	2640	csc.exe	40
PID 2640 wrote to memory of 1144	2640	csc.exe	40
PID 2712 wrote to memory of 1516	2712	Sessionperf.exe	53
PID 2712 wrote to memory of 1516	2712	Sessionperf.exe	53
PID 2712 wrote to memory of 1516	2712	Sessionperf.exe	53
PID 2712 wrote to memory of 656	2712	Sessionperf.exe	54
PID 2712 wrote to memory of 656	2712	Sessionperf.exe	54
PID 2712 wrote to memory of 656	2712	Sessionperf.exe	54
PID 2712 wrote to memory of 1216	2712	Sessionperf.exe	55
PID 2712 wrote to memory of 1216	2712	Sessionperf.exe	55
PID 2712 wrote to memory of 1216	2712	Sessionperf.exe	55
PID 2712 wrote to memory of 2448	2712	Sessionperf.exe	56
PID 2712 wrote to memory of 2448	2712	Sessionperf.exe	56
PID 2712 wrote to memory of 2448	2712	Sessionperf.exe	56
PID 2712 wrote to memory of 576	2712	Sessionperf.exe	57
PID 2712 wrote to memory of 576	2712	Sessionperf.exe	57
PID 2712 wrote to memory of 576	2712	Sessionperf.exe	57
PID 2712 wrote to memory of 1560	2712	Sessionperf.exe	63
PID 2712 wrote to memory of 1560	2712	Sessionperf.exe	63
PID 2712 wrote to memory of 1560	2712	Sessionperf.exe	63
PID 1560 wrote to memory of 1464	1560	cmd.exe	65
PID 1560 wrote to memory of 1464	1560	cmd.exe	65
PID 1560 wrote to memory of 1464	1560	cmd.exe	65
PID 1560 wrote to memory of 3004	1560	cmd.exe	66
PID 1560 wrote to memory of 3004	1560	cmd.exe	66
PID 1560 wrote to memory of 3004	1560	cmd.exe	66
PID 1560 wrote to memory of 2364	1560	cmd.exe	67
PID 1560 wrote to memory of 2364	1560	cmd.exe	67
PID 1560 wrote to memory of 2364	1560	cmd.exe	67
PID 1084 wrote to memory of 1896	1084	taskeng.exe	71
PID 1084 wrote to memory of 1896	1084	taskeng.exe	71
PID 1084 wrote to memory of 1896	1084	taskeng.exe	71
PID 1084 wrote to memory of 1544	1084	taskeng.exe	72
PID 1084 wrote to memory of 1544	1084	taskeng.exe	72
PID 1084 wrote to memory of 1544	1084	taskeng.exe	72
PID 1084 wrote to memory of 2344	1084	taskeng.exe	73
PID 1084 wrote to memory of 2344	1084	taskeng.exe	73
PID 1084 wrote to memory of 2344	1084	taskeng.exe	73
PID 1084 wrote to memory of 2476	1084	taskeng.exe	74
PID 1084 wrote to memory of 2476	1084	taskeng.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2800
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zbm25kv\5zbm25kv.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E80.tmp" "c:\Windows\System32\CSCD6257470FA474771AC6052A6987C92C5.TMP"
        7⤵
        
        PID:1144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\30OAoLo4pw.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3004
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\locale\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\taskeng.exe
taskeng.exe {6C669EAE-F91C-4126-89BC-04CBFC2F39C8} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Program Files\VideoLAN\VLC\locale\System.exe
  "C:\Program Files\VideoLAN\VLC\locale\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Users\Default User\spoolsv.exe
  "C:\Users\Default User\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\Downloaded Program Files\services.exe
  "C:\Windows\Downloaded Program Files\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe
  C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\TAPI\conhost.exe
  C:\Windows\TAPI\conhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Program Files\VideoLAN\VLC\locale\System.exe
  "C:\Program Files\VideoLAN\VLC\locale\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Users\Default User\spoolsv.exe
  "C:\Users\Default User\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\Downloaded Program Files\services.exe
  "C:\Windows\Downloaded Program Files\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe
  C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Program Files\VideoLAN\VLC\locale\System.exe
  "C:\Program Files\VideoLAN\VLC\locale\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Users\Default User\spoolsv.exe
  "C:\Users\Default User\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\TAPI\conhost.exe
  C:\Windows\TAPI\conhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\locale\System.exe

Filesize
2.4MB

MD5
635656e7a630e77d9b7754c7109fbd04

SHA1
98ce9b4eca1ecd04fdc573f406d893da3056a51b

SHA256
011fd0798ed866e8e85622cc002c7197e48b360fd940a45e363902cc09ffb77e

SHA512
2cf98240d84232985fc196d3376851bb237149455d46d08056a3b05447b346a895a51bee3adc5f54ddb8067adaa5ca8902cdd563f25ec5f4a00d25a829451e7b

Download Submit
C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\smss.exe

Filesize
2.8MB

MD5
db13860e8d2f098ec15f000e02344c15

SHA1
ba428d7a67cdef4bdb8f233e394b04117f177054

SHA256
c1dc256cd20fa2539a13fdc1a331393b8c47c43d77e4485e77e88c8a8190cb7b

SHA512
ab03a3be17629e7b40362c15b15a69e2b114f37420d0f82227bb110dbbc6c1ce050045c409c2ed2e782056bd4cd04ad193603cf3769d094cae86ce4a10cea3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\30OAoLo4pw.bat

Filesize
209B

MD5
9d67f416fe003598613d12edc20d569f

SHA1
4e725a818cc4084191e6e57fcb6806b59f476c1d

SHA256
d8412e76b1fe82d02b817a86e98569d1a64d148966495129a4fbba6d7d266e44

SHA512
9f333dc24793645db56c789f306ab5fe9825485bd37d5e944455b7a21ee76932a8b8fd9bdbdb34a87fdc509c5e393e945d1f1e77c476d73d0d822ba9c3141077

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2E80.tmp

Filesize
1KB

MD5
154d869182ed6370f32dba6c33267dfb

SHA1
c9e6706cf9134ac58207f524983f228e94c9e89d

SHA256
77fc59b95d73cc888d6898c847280266089c35ff9d65dc22977b784059a92952

SHA512
de81ce331ebf4f10f67c2262d8d644c2b7e2a4485fa9db85118727a52b08b7b1f58a3dfdb9a52ac1fd7d1e42106e9e4dc30bea2fc86ff5e8b90e496a953afc9d

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
36eae67a6d4d42b09bdc939b334a2a85

SHA1
ca6df3c9d5c3a48caaed51239fb016fa994ccdb2

SHA256
f3ff750bfd2af9d92b4f2c22c2227f73cdf8416daa9193139916e494ba1275d6

SHA512
0db20a8bc2b4624d470d0201abbcfb062255fdb40cba1a3d014259ac6a3e6e1c34acdb7e503844a027a5a42a8f69a6fefbcfb3e7b405e957b43bc3e00c2990b6

Download Submit
C:\Windows\TAPI\conhost.exe

Filesize
2.1MB

MD5
6d070a13e2363c0257da357c535a58a6

SHA1
cfd062f2f4a224a6997c24aedf4408049dfdd87e

SHA256
8fef5bcda1bddf549c11f3e643b97c7950a650743c429137bb4da7790fb98161

SHA512
9d3de2b69e4d4c5cac9099bcbbc935837ceaf41d013552a0d936b895b66dea66337319f567a660617ebd938304cb5f4bb4ab06a8db61f083dd82baeb0dbe657f

Download Submit
C:\Windows\TAPI\conhost.exe

Filesize
448KB

MD5
adc1a214488382713ab1a98667e1a783

SHA1
4ed61fb67822b03f86d175708ce613d6e5b47582

SHA256
175c930980dc18fef671695162c51b5b8c55a8c58373be434e41f001f3614354

SHA512
8f15c7eb998573ef8cb0d6874a3b2377205afb4a8af6f15941838459100829e0f29fa85609504e55ef1da5dfeff571f50a4f2aed7ff61e576d589d74c50ebcbb

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5zbm25kv\5zbm25kv.0.cs

Filesize
365B

MD5
e14fe38821f8bee3b4451a177a44348d

SHA1
86abf8746c0422a1af86286c923484e9917329c2

SHA256
1eaa57c64063a3bfdb3ad0f0c0104a62c7191cff427e62cdb43db1d97764f3bd

SHA512
30c9ce9a4b0e4ad2c07c7f085d800d50a5260638230bd2d66bbe49d545bd64e925c96754a5e72a5766aa193692fd7c423aaa1bb3adea2dce80910bad0596d1af

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5zbm25kv\5zbm25kv.cmdline

Filesize
235B

MD5
ccb529146c765dbb374a66b03efd0562

SHA1
ad19e86c5f234a6ecd338d77e55fa41caa0001cf

SHA256
5b3e8dd0ebaf56835436ec59fb4e46d40c4b72aaaf2e30280d1dfefa3beccfd6

SHA512
a7a60b9ea041f944a8cd6ea6fcecac84053e5365e197717b457d6236c3fa0cbff4ec80c71b99c7df9ca2401f36a45c4867ab2c56d5f5566f5f8f84fbc5e53b03

Download Submit
\??\c:\Windows\System32\CSCD6257470FA474771AC6052A6987C92C5.TMP

Filesize
1KB

MD5
3fcb2bd8a227751c0367dff5940613bb

SHA1
bcca174ab4499de5713d836fbc368966aa1f5b2c

SHA256
aca1f364ec354097cdecc50336698c1180b10ae84fc6051eab154482e0965e8c

SHA512
c7357bb6ee27df96ba39066e893ce8521cb1d5c550be24ced7f860e11cc36ecc04fbec14f61da920bca04e0ae150df8dbc53de0c4a6880afa6067bccfe767672

Download Submit
memory/656-120-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/656-119-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1200-191-0x0000000001390000-0x0000000001732000-memory.dmp

Filesize
3.6MB

Download
memory/1624-189-0x00000000002E0000-0x0000000000682000-memory.dmp

Filesize
3.6MB

Download
memory/1680-196-0x0000000000220000-0x00000000005C2000-memory.dmp

Filesize
3.6MB

Download
memory/1876-182-0x00000000010C0000-0x0000000001462000-memory.dmp

Filesize
3.6MB

Download
memory/1896-173-0x0000000000320000-0x00000000006C2000-memory.dmp

Filesize
3.6MB

Download
memory/1936-185-0x0000000000F20000-0x00000000012C2000-memory.dmp

Filesize
3.6MB

Download
memory/2240-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

Filesize
4KB

Download
memory/2240-10-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-3-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-2-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-1-0x00000000012A0000-0x00000000012FE000-memory.dmp

Filesize
376KB

Download
memory/2344-176-0x0000000000E80000-0x0000000001222000-memory.dmp

Filesize
3.6MB

Download
memory/2364-128-0x00000000009A0000-0x0000000000D42000-memory.dmp

Filesize
3.6MB

Download
memory/2476-179-0x0000000000A40000-0x0000000000DE2000-memory.dmp

Filesize
3.6MB

Download
memory/2712-40-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/2712-68-0x000000001A9E0000-0x000000001A9F8000-memory.dmp

Filesize
96KB

Download
memory/2712-72-0x000000001AB70000-0x000000001ABBE000-memory.dmp

Filesize
312KB

Download
memory/2712-70-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2712-66-0x0000000002410000-0x000000000241E000-memory.dmp

Filesize
56KB

Download
memory/2712-28-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2712-30-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/2712-64-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/2712-62-0x0000000002370000-0x000000000237E000-memory.dmp

Filesize
56KB

Download
memory/2712-56-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2712-60-0x000000001B700000-0x000000001B75A000-memory.dmp

Filesize
360KB

Download
memory/2712-58-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/2712-54-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/2712-38-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/2712-42-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/2712-52-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/2712-50-0x0000000002330000-0x0000000002346000-memory.dmp

Filesize
88KB

Download
memory/2712-48-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2712-46-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/2712-44-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/2712-36-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2712-34-0x0000000000760000-0x0000000000778000-memory.dmp

Filesize
96KB

Download
memory/2712-32-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2712-26-0x00000000006E0000-0x0000000000706000-memory.dmp

Filesize
152KB

Download
memory/2712-24-0x0000000000300000-0x00000000006A2000-memory.dmp

Filesize
3.6MB

Download