zgrat | c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

max time kernel
139s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-05-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

347KB
MD5

1cb742cb95699d994e1cc6810c6f7642
SHA1

103ea603322859742a3e51c5e517a927b9dcd40c
SHA256

c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
SHA512

79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795
SSDEEP

6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000d000000012674-8.dat	family_zgrat_v1
behavioral1/files/0x0031000000014228-20.dat	family_zgrat_v1
behavioral1/memory/2172-24-0x0000000000920000-0x0000000000CC2000-memory.dmp	family_zgrat_v1
behavioral1/memory/1784-128-0x00000000010F0000-0x0000000001492000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\explorer.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\smss.exe\", \"C:\\Program Files\\Uninstall Information\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\", \"C:\\Users\\Default\\Cookies\\explorer.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\dwm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\blockcontainerWincrtdll\\dwm.exe\", \"C:\\Program Files\\DVD Maker\\smss.exe\""	Sessionperf.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1496	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1496	schtasks.exe	34

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1680	powershell.exe
2364	powershell.exe
1952	powershell.exe
1064	powershell.exe
1600	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

Processes:

Checker.exeSessionperf.exesmss.exe

pid	Process
2952	Checker.exe
2172	Sessionperf.exe
1784	smss.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2776	cmd.exe
2776	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Cookies\\explorer.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\blockcontainerWincrtdll\\dwm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\blockcontainerWincrtdll\\dwm.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Uninstall Information\\explorer.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Cookies\\explorer.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\DVD Maker\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\DVD Maker\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Uninstall Information\\explorer.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCBFC951C1B0214184B4134147E1E8C5E.TMP	csc.exe
File created	\??\c:\Windows\System32\ickr0a.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

Sessionperf.exe

description	ioc	Process
File created	C:\Program Files\DVD Maker\smss.exe	Sessionperf.exe
File created	C:\Program Files\DVD Maker\69ddcba757bf72	Sessionperf.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	Sessionperf.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1976	schtasks.exe
2188	schtasks.exe
1256	schtasks.exe
1760	schtasks.exe
1584	schtasks.exe
1852	schtasks.exe
1224	schtasks.exe
2876	schtasks.exe
772	schtasks.exe
2080	schtasks.exe
480	schtasks.exe
576	schtasks.exe
2248	schtasks.exe
536	schtasks.exe
912	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2492	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	Process
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe
2172	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

smss.exe

pid	Process
1784	smss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exe

description	pid	Process
Token: SeDebugPrivilege	2992	Loader.exe
Token: SeDebugPrivilege	2172	Sessionperf.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1784	smss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

smss.exe

pid	Process
1784	smss.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.exe

description	pid	Process	procid_target
PID 2992 wrote to memory of 2952	2992	Loader.exe	28
PID 2992 wrote to memory of 2952	2992	Loader.exe	28
PID 2992 wrote to memory of 2952	2992	Loader.exe	28
PID 2992 wrote to memory of 2952	2992	Loader.exe	28
PID 2952 wrote to memory of 2800	2952	Checker.exe	29
PID 2952 wrote to memory of 2800	2952	Checker.exe	29
PID 2952 wrote to memory of 2800	2952	Checker.exe	29
PID 2952 wrote to memory of 2800	2952	Checker.exe	29
PID 2800 wrote to memory of 2776	2800	WScript.exe	30
PID 2800 wrote to memory of 2776	2800	WScript.exe	30
PID 2800 wrote to memory of 2776	2800	WScript.exe	30
PID 2800 wrote to memory of 2776	2800	WScript.exe	30
PID 2776 wrote to memory of 2492	2776	cmd.exe	32
PID 2776 wrote to memory of 2492	2776	cmd.exe	32
PID 2776 wrote to memory of 2492	2776	cmd.exe	32
PID 2776 wrote to memory of 2492	2776	cmd.exe	32
PID 2776 wrote to memory of 2172	2776	cmd.exe	33
PID 2776 wrote to memory of 2172	2776	cmd.exe	33
PID 2776 wrote to memory of 2172	2776	cmd.exe	33
PID 2776 wrote to memory of 2172	2776	cmd.exe	33
PID 2172 wrote to memory of 2772	2172	Sessionperf.exe	38
PID 2172 wrote to memory of 2772	2172	Sessionperf.exe	38
PID 2172 wrote to memory of 2772	2172	Sessionperf.exe	38
PID 2772 wrote to memory of 1684	2772	csc.exe	40
PID 2772 wrote to memory of 1684	2772	csc.exe	40
PID 2772 wrote to memory of 1684	2772	csc.exe	40
PID 2172 wrote to memory of 1600	2172	Sessionperf.exe	53
PID 2172 wrote to memory of 1600	2172	Sessionperf.exe	53
PID 2172 wrote to memory of 1600	2172	Sessionperf.exe	53
PID 2172 wrote to memory of 1064	2172	Sessionperf.exe	54
PID 2172 wrote to memory of 1064	2172	Sessionperf.exe	54
PID 2172 wrote to memory of 1064	2172	Sessionperf.exe	54
PID 2172 wrote to memory of 1952	2172	Sessionperf.exe	55
PID 2172 wrote to memory of 1952	2172	Sessionperf.exe	55
PID 2172 wrote to memory of 1952	2172	Sessionperf.exe	55
PID 2172 wrote to memory of 2364	2172	Sessionperf.exe	56
PID 2172 wrote to memory of 2364	2172	Sessionperf.exe	56
PID 2172 wrote to memory of 2364	2172	Sessionperf.exe	56
PID 2172 wrote to memory of 1680	2172	Sessionperf.exe	57
PID 2172 wrote to memory of 1680	2172	Sessionperf.exe	57
PID 2172 wrote to memory of 1680	2172	Sessionperf.exe	57
PID 2172 wrote to memory of 1620	2172	Sessionperf.exe	63
PID 2172 wrote to memory of 1620	2172	Sessionperf.exe	63
PID 2172 wrote to memory of 1620	2172	Sessionperf.exe	63
PID 1620 wrote to memory of 672	1620	cmd.exe	65
PID 1620 wrote to memory of 672	1620	cmd.exe	65
PID 1620 wrote to memory of 672	1620	cmd.exe	65
PID 1620 wrote to memory of 3052	1620	cmd.exe	66
PID 1620 wrote to memory of 3052	1620	cmd.exe	66
PID 1620 wrote to memory of 3052	1620	cmd.exe	66
PID 1620 wrote to memory of 1784	1620	cmd.exe	67
PID 1620 wrote to memory of 1784	1620	cmd.exe	67
PID 1620 wrote to memory of 1784	1620	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2492
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2l1w4ago\2l1w4ago.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4663.tmp" "c:\Windows\System32\CSCBFC951C1B0214184B4134147E1E8C5E.TMP"
        7⤵
        
        PID:1684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ncvKtqNz6p.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3052
        
        C:\Program Files\DVD Maker\smss.exe
        
        "C:\Program Files\DVD Maker\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\blockcontainerWincrtdll\dwm.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\blockcontainerWincrtdll\dwm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Cookies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4663.tmp

Filesize
1KB

MD5
45a2068af4d7c4902a970523be32c304

SHA1
bf908d866b18f9aa760dc4c2e6aad52df0c91960

SHA256
a54b4f55bd0e48b2981b6f56d446704d80f9ca5649a2bcee1fd7e56ec9983290

SHA512
e4d056070a5fe4ed0f3d38b16cecf320d71fbb55845593314bc2c6da753dc97e4550623dd142baf3b0615e0a0947e4e43b98acaaad8b07dec6937557524c8eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncvKtqNz6p.bat

Filesize
211B

MD5
11ac384deb56f786bcce8408d42645ed

SHA1
1a599bd9993895f83b72951295ad69ce10f3d5ea

SHA256
d42f81af3f733a6bce4a4039007aad3b58254d0891d7bceec9cac1bb493448d1

SHA512
60575ac2bafa5140a911dc647a7e4d2b38065e896877209663350adb19e73595c8a42d273a7dc053aa0fc5f9b945ad56ad8f37d39eea18079276fa5267f849b8

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4abc33adbbcf12483e732c2acc578d9c

SHA1
cdea3ab7332077853dedb2f27f76731d269b4e3f

SHA256
71d84a4b8277df0594c947873fc4ab74a749c2347a30221436ed0e28142482a4

SHA512
12116fac458bc8516c021890acfcad8ab89e41af83471fad20c13d0539013a8ff344e51085554376bb46c51543f3e15716d4f1e5fcf8b2f2cd9e3dc532d16dd8

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2l1w4ago\2l1w4ago.0.cs

Filesize
366B

MD5
1d6127d9bd02dc495c5add76996402f6

SHA1
ce53b9a158f4b94b6bb6bd7af2a412e3d2cd05ec

SHA256
34759ce874da8d9c7bfa8e098f3b086ce4b1b9806f34bb07d618074683233850

SHA512
39ea9c7efc38cc5357b768c1284ff5c4e78434b227941d13b4808c5aa4f1e2e01b23327af35f480f2b51c6559a3c1d5ac66c9e5f52a617f6070c7c5483e2702f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2l1w4ago\2l1w4ago.cmdline

Filesize
235B

MD5
815e404ee70c328c5bdc87c9e83a8ee9

SHA1
29a3d9c5a34fda67890d6bed6b5be9216397975f

SHA256
a5ac75090516c0d3a0db99d81d7e9cfa5727cf0c9db2200c7a536bf098411c91

SHA512
438bec27fe466ddfd9aef44354ed8217b2b8fe3a35e4490b877b7b1e7d5e422b7c17b406df46e81d991459275e7071905fd4d5dc04a861412e296da223552dd4

Download Submit
\??\c:\Windows\System32\CSCBFC951C1B0214184B4134147E1E8C5E.TMP

Filesize
1KB

MD5
3ffa0b85adc175bc535d5b61b093b6a5

SHA1
7fa7715f9f18aa1d9edc45935ca867602fa37894

SHA256
f05ea17245f2e54aa3b2a0a8ede3f86af5fb4e4f0cf0a6aa69c4e95103304d46

SHA512
d1034200ad1232d7e36d3d867e701357c9eb8e8ad063743deceb563b24eb099e6ea660e38099cf161c12c97fe11cf6b044a31846949d63d4a121f1692c9e6fde

Download Submit
\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
memory/1064-125-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1784-128-0x00000000010F0000-0x0000000001492000-memory.dmp

Filesize
3.6MB

Download
memory/1952-124-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2172-48-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/2172-62-0x0000000002370000-0x000000000237E000-memory.dmp

Filesize
56KB

Download
memory/2172-36-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2172-38-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/2172-40-0x0000000002200000-0x000000000220E000-memory.dmp

Filesize
56KB

Download
memory/2172-44-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/2172-42-0x0000000002230000-0x000000000223E000-memory.dmp

Filesize
56KB

Download
memory/2172-24-0x0000000000920000-0x0000000000CC2000-memory.dmp

Filesize
3.6MB

Download
memory/2172-50-0x0000000002330000-0x0000000002346000-memory.dmp

Filesize
88KB

Download
memory/2172-46-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/2172-52-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/2172-56-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/2172-58-0x0000000002320000-0x0000000002330000-memory.dmp

Filesize
64KB

Download
memory/2172-60-0x0000000002480000-0x00000000024DA000-memory.dmp

Filesize
360KB

Download
memory/2172-54-0x0000000002260000-0x000000000226E000-memory.dmp

Filesize
56KB

Download
memory/2172-34-0x0000000002210000-0x0000000002228000-memory.dmp

Filesize
96KB

Download
memory/2172-64-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/2172-68-0x0000000002440000-0x0000000002458000-memory.dmp

Filesize
96KB

Download
memory/2172-70-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2172-66-0x0000000002390000-0x000000000239E000-memory.dmp

Filesize
56KB

Download
memory/2172-72-0x000000001AAE0000-0x000000001AB2E000-memory.dmp

Filesize
312KB

Download
memory/2172-28-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2172-30-0x00000000021D0000-0x00000000021EC000-memory.dmp

Filesize
112KB

Download
memory/2172-32-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2172-26-0x00000000008F0000-0x0000000000916000-memory.dmp

Filesize
152KB

Download
memory/2992-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

Filesize
4KB

Download
memory/2992-10-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-3-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-2-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-1-0x0000000000880000-0x00000000008DE000-memory.dmp

Filesize
376KB

Download