zgrat | c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70

max time kernel
139s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-05-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

347KB
MD5

1cb742cb95699d994e1cc6810c6f7642
SHA1

103ea603322859742a3e51c5e517a927b9dcd40c
SHA256

c9c660914e4d58a6e0dd460afae6e4af288c9f191ad8592dc95db5a69868fc70
SHA512

79f9a70232b3470ef9386d9b3d987b5370d0562959315d8239509000a1aa9274b13cecc4c6c871cd4d258a0cd19d30574e3280edd54fb108b6ffca7d8c7e4795
SSDEEP

6144:RrwFDD0tZzmf7GxMLEYaEzE2d9JK5/J1pZKM35QM6KkfiruhbOuzB:Rg07e7seE2dK71rKu5Q6kfirIbOuF

Score

10^/10

zgrat evasion execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/files/0x000900000001ab84-7.dat	family_zgrat_v1
behavioral2/files/0x000900000001ac6d-23.dat	family_zgrat_v1
behavioral2/memory/1708-25-0x0000000000900000-0x0000000000CA2000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\fontdrvhost.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\fontdrvhost.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Users\\Default User\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\fontdrvhost.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Users\\Default User\\SearchUI.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\fontdrvhost.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Users\\Default User\\SearchUI.exe\", \"C:\\Users\\Default User\\fontdrvhost.exe\", \"C:\\Windows\\RemotePackages\\RemoteDesktops\\unsecapp.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	5076	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	5076	schtasks.exe	79

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1380	powershell.exe
1368	powershell.exe
2496	powershell.exe
4524	powershell.exe
4708	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4472	Checker.exe
1708	Sessionperf.exe
2300	SearchUI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default User\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\unsecapp.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\RemotePackages\\RemoteDesktops\\unsecapp.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\es-ES\\fontdrvhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Users\\Default User\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Users\\Default User\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Default User\\fontdrvhost.exe\""	Sessionperf.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC92BCF2E3DC0412D92F3918243404150.TMP	csc.exe
File created	\??\c:\Windows\System32\leoba4.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe	Sessionperf.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\5b884080fd4f94	Sessionperf.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteDesktops\29c1c3cc0f7685	Sessionperf.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\unsecapp.exe	Sessionperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3856	schtasks.exe
4180	schtasks.exe
2684	schtasks.exe
4488	schtasks.exe
4752	schtasks.exe
1356	schtasks.exe
4012	schtasks.exe
2000	schtasks.exe
660	schtasks.exe
4940	schtasks.exe
4244	schtasks.exe
1108	schtasks.exe
1372	schtasks.exe
2692	schtasks.exe
4480	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1464	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1472	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe
1708	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	SearchUI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	420	Loader.exe
Token: SeDebugPrivilege	1708	Sessionperf.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeIncreaseQuotaPrivilege	1368	powershell.exe
Token: SeSecurityPrivilege	1368	powershell.exe
Token: SeTakeOwnershipPrivilege	1368	powershell.exe
Token: SeLoadDriverPrivilege	1368	powershell.exe
Token: SeSystemProfilePrivilege	1368	powershell.exe
Token: SeSystemtimePrivilege	1368	powershell.exe
Token: SeProfSingleProcessPrivilege	1368	powershell.exe
Token: SeIncBasePriorityPrivilege	1368	powershell.exe
Token: SeCreatePagefilePrivilege	1368	powershell.exe
Token: SeBackupPrivilege	1368	powershell.exe
Token: SeRestorePrivilege	1368	powershell.exe
Token: SeShutdownPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeSystemEnvironmentPrivilege	1368	powershell.exe
Token: SeRemoteShutdownPrivilege	1368	powershell.exe
Token: SeUndockPrivilege	1368	powershell.exe
Token: SeManageVolumePrivilege	1368	powershell.exe
Token: 33	1368	powershell.exe
Token: 34	1368	powershell.exe
Token: 35	1368	powershell.exe
Token: 36	1368	powershell.exe
Token: SeIncreaseQuotaPrivilege	4708	powershell.exe
Token: SeSecurityPrivilege	4708	powershell.exe
Token: SeTakeOwnershipPrivilege	4708	powershell.exe
Token: SeLoadDriverPrivilege	4708	powershell.exe
Token: SeSystemProfilePrivilege	4708	powershell.exe
Token: SeSystemtimePrivilege	4708	powershell.exe
Token: SeProfSingleProcessPrivilege	4708	powershell.exe
Token: SeIncBasePriorityPrivilege	4708	powershell.exe
Token: SeCreatePagefilePrivilege	4708	powershell.exe
Token: SeBackupPrivilege	4708	powershell.exe
Token: SeRestorePrivilege	4708	powershell.exe
Token: SeShutdownPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeSystemEnvironmentPrivilege	4708	powershell.exe
Token: SeRemoteShutdownPrivilege	4708	powershell.exe
Token: SeUndockPrivilege	4708	powershell.exe
Token: SeManageVolumePrivilege	4708	powershell.exe
Token: 33	4708	powershell.exe
Token: 34	4708	powershell.exe
Token: 35	4708	powershell.exe
Token: 36	4708	powershell.exe
Token: SeIncreaseQuotaPrivilege	4524	powershell.exe
Token: SeSecurityPrivilege	4524	powershell.exe
Token: SeTakeOwnershipPrivilege	4524	powershell.exe
Token: SeLoadDriverPrivilege	4524	powershell.exe
Token: SeSystemProfilePrivilege	4524	powershell.exe
Token: SeSystemtimePrivilege	4524	powershell.exe
Token: SeProfSingleProcessPrivilege	4524	powershell.exe
Token: SeIncBasePriorityPrivilege	4524	powershell.exe
Token: SeCreatePagefilePrivilege	4524	powershell.exe
Token: SeBackupPrivilege	4524	powershell.exe
Token: SeRestorePrivilege	4524	powershell.exe
Token: SeShutdownPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeSystemEnvironmentPrivilege	4524	powershell.exe
Token: SeRemoteShutdownPrivilege	4524	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2300	SearchUI.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 4472	420	Loader.exe	73
PID 420 wrote to memory of 4472	420	Loader.exe	73
PID 420 wrote to memory of 4472	420	Loader.exe	73
PID 4472 wrote to memory of 812	4472	Checker.exe	74
PID 4472 wrote to memory of 812	4472	Checker.exe	74
PID 4472 wrote to memory of 812	4472	Checker.exe	74
PID 812 wrote to memory of 2908	812	WScript.exe	75
PID 812 wrote to memory of 2908	812	WScript.exe	75
PID 812 wrote to memory of 2908	812	WScript.exe	75
PID 2908 wrote to memory of 1464	2908	cmd.exe	77
PID 2908 wrote to memory of 1464	2908	cmd.exe	77
PID 2908 wrote to memory of 1464	2908	cmd.exe	77
PID 2908 wrote to memory of 1708	2908	cmd.exe	78
PID 2908 wrote to memory of 1708	2908	cmd.exe	78
PID 1708 wrote to memory of 2504	1708	Sessionperf.exe	83
PID 1708 wrote to memory of 2504	1708	Sessionperf.exe	83
PID 2504 wrote to memory of 4676	2504	csc.exe	85
PID 2504 wrote to memory of 4676	2504	csc.exe	85
PID 1708 wrote to memory of 4524	1708	Sessionperf.exe	98
PID 1708 wrote to memory of 4524	1708	Sessionperf.exe	98
PID 1708 wrote to memory of 2496	1708	Sessionperf.exe	99
PID 1708 wrote to memory of 2496	1708	Sessionperf.exe	99
PID 1708 wrote to memory of 1368	1708	Sessionperf.exe	100
PID 1708 wrote to memory of 1368	1708	Sessionperf.exe	100
PID 1708 wrote to memory of 1380	1708	Sessionperf.exe	101
PID 1708 wrote to memory of 1380	1708	Sessionperf.exe	101
PID 1708 wrote to memory of 4708	1708	Sessionperf.exe	102
PID 1708 wrote to memory of 4708	1708	Sessionperf.exe	102
PID 1708 wrote to memory of 3876	1708	Sessionperf.exe	108
PID 1708 wrote to memory of 3876	1708	Sessionperf.exe	108
PID 3876 wrote to memory of 2288	3876	cmd.exe	110
PID 3876 wrote to memory of 2288	3876	cmd.exe	110
PID 3876 wrote to memory of 1472	3876	cmd.exe	111
PID 3876 wrote to memory of 1472	3876	cmd.exe	111
PID 3876 wrote to memory of 2300	3876	cmd.exe	113
PID 3876 wrote to memory of 2300	3876	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:420
- C:\Users\Admin\AppData\Roaming\Checker.exe
  "C:\Users\Admin\AppData\Roaming\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:1464
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwssmhxu\bwssmhxu.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D9C.tmp" "c:\Windows\System32\CSC92BCF2E3DC0412D92F3918243404150.TMP"
        7⤵
        
        PID:4676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchUI.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bKZKossMeK.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1472
        
        C:\Users\Default User\SearchUI.exe
        
        "C:\Users\Default User\SearchUI.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteDesktops\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
948c8177f1827fd6978f77fa49ad6461

SHA1
02a7b7c794f2f897ad97ac8d5925ef82abc91c52

SHA256
7414c1a03f35c10d52e487750ff5ee7c60bfa3be0a562da6d3c39e668bd191ea

SHA512
eb357baf840394125d10fdb28639585a35c35c735b683ea016a4332cc87e4c905771002ad81bcd43ee9a06a0d306c87d1681974f2a5dd5e4fd7ef8312170227a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1f1e0338bc94f2ee111a79c0ccb27a6

SHA1
8c56b104e4d121a0f4fd27052708765a74163951

SHA256
e40852b5dc0c55fe5c0bce11fecaef73ed7b4c94383f5a98d3badc838d1328b5

SHA512
a36d7c4f6a0e91301be8798f8f892020ec5f576d42eac25e672d1393a7523556fd75187085679247fe8e4c8a12a816b7b3d64d49bf49d0cb4a5c6b26c3ea3ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09a15e1ed93e43ff3cb7941f0d049e3d

SHA1
69080d5c40e0f3841e53b91778d427abf3d9d672

SHA256
b8a8d3892418d0666b12eaff1d6ec9f69c3b406b494fc3937832ebb05ebd51dd

SHA512
38badab88ad25d6399fbac16d65b2e0ec98eae31bc87588c92a65bc68e93725e93364efce2d62ae782687e82cb4a52c261a96a3d128f6d8b7c7db4c3023c35f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7D9C.tmp

Filesize
1KB

MD5
3d5482002051c96034babdf68c45cec5

SHA1
d152de99dee63ad54519b400bfc1e373c72a2db1

SHA256
a3ea4538a51dbdbd7e8a606586917afa6342f6300e74d38accbdd90552ad0702

SHA512
60387856d29e868650f7ef80b99cadcb609febc32f81736ce2d5ad7cb7cd0fceaaedd482c231fef049091ad8442ad41ad27f2fe31b4b165a5782dc8e362671b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0v4k3isr.g4h.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bKZKossMeK.bat

Filesize
162B

MD5
1f429c4b3396b83058c23fe8ef06f149

SHA1
68ab2b5a7abf8087b04a14b90b6d4d538f827fdf

SHA256
86fd28ffb8db1634ceef84a597265941cb493c9606bfd3263e687b5f53aeb05e

SHA512
a7fed96d818a8c4d4fc770fdffdeb754ef47b711b71835da10eabbe132034c2704b0de5d459a23f0a9e6c860fea596b83c26e642451fc930b2b9313f0ec99c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwssmhxu\bwssmhxu.0.cs

Filesize
397B

MD5
b5cde06c3ab0848b2c77527a132f6e1b

SHA1
fb10fcafecef5287a749285c4b6bc7e421f17a26

SHA256
0881b6bbeb1e05665a66e57bc1e05db1907733e2cdee739f26a04f16c56e143e

SHA512
2c3d3fa3df2ef1f11bf85903357bcb40aa975a91e1ecfc49ebde95fdbc6015208161a28a235d4c2cd56341fd1b064c80e26c71e0e88d20c86ba650bc523a969d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwssmhxu\bwssmhxu.cmdline

Filesize
235B

MD5
5c94ca60f27425df115437a08bf84f5b

SHA1
624ca3a1618a36d89b3717544fde5aee684fcf3c

SHA256
0162f0a87f7b110f30e11ed716afe7bc55d39f9d39bc96bd2e54ad218909ff53

SHA512
2f77aaad6ed9c9e8e80ff4d35329d10cb9dfeabd2eba4174348fbf1f7c98df6b50f2aeb372b021bf10e42fe62b6bbd749e0e7e2d938caf0c931bc360350c4fb9

Download Submit
\??\c:\Windows\System32\CSC92BCF2E3DC0412D92F3918243404150.TMP

Filesize
1KB

MD5
35d2029ed56d02bdd5f6f26e72234b06

SHA1
e3fcc132b8af4e099a5e614d8736689d87e1b83a

SHA256
e0ffde280f68e8f5f0059b987cf1e49557fc03f02e901fc3d1596e0f7f5d8881

SHA512
e3044d3870dec2c132d936394b255eabe771c568abf1dd344530f48233d3f8b0266d2fcdbfc2dd88941c94c1d761a39227dff41673fe2b1d1aa371ace8a7a0df

Download Submit
memory/420-3-0x00007FFA54280000-0x00007FFA54C6C000-memory.dmp

Filesize
9.9MB

Download
memory/420-2-0x00007FFA54280000-0x00007FFA54C6C000-memory.dmp

Filesize
9.9MB

Download
memory/420-0-0x0000000000D20000-0x0000000000D7E000-memory.dmp

Filesize
376KB

Download
memory/420-1-0x00007FFA54283000-0x00007FFA54284000-memory.dmp

Filesize
4KB

Download
memory/420-11-0x00007FFA54280000-0x00007FFA54C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-134-0x000002B1FE2F0000-0x000002B1FE366000-memory.dmp

Filesize
472KB

Download
memory/1708-31-0x0000000002E10000-0x0000000002E2C000-memory.dmp

Filesize
112KB

Download
memory/1708-71-0x000000001BD20000-0x000000001BD38000-memory.dmp

Filesize
96KB

Download
memory/1708-50-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1708-52-0x000000001BC20000-0x000000001BC36000-memory.dmp

Filesize
88KB

Download
memory/1708-54-0x000000001BC40000-0x000000001BC52000-memory.dmp

Filesize
72KB

Download
memory/1708-55-0x000000001C190000-0x000000001C6B6000-memory.dmp

Filesize
5.1MB

Download
memory/1708-57-0x0000000002E90000-0x0000000002E9E000-memory.dmp

Filesize
56KB

Download
memory/1708-59-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/1708-61-0x000000001B9B0000-0x000000001B9C0000-memory.dmp

Filesize
64KB

Download
memory/1708-63-0x000000001BCC0000-0x000000001BD1A000-memory.dmp

Filesize
360KB

Download
memory/1708-65-0x000000001BC60000-0x000000001BC6E000-memory.dmp

Filesize
56KB

Download
memory/1708-67-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/1708-69-0x000000001BC80000-0x000000001BC8E000-memory.dmp

Filesize
56KB

Download
memory/1708-48-0x0000000002E70000-0x0000000002E7C000-memory.dmp

Filesize
48KB

Download
memory/1708-73-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/1708-75-0x000000001BD90000-0x000000001BDDE000-memory.dmp

Filesize
312KB

Download
memory/1708-46-0x000000001B980000-0x000000001B992000-memory.dmp

Filesize
72KB

Download
memory/1708-44-0x0000000002E60000-0x0000000002E6E000-memory.dmp

Filesize
56KB

Download
memory/1708-42-0x0000000002E50000-0x0000000002E5E000-memory.dmp

Filesize
56KB

Download
memory/1708-40-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1708-25-0x0000000000900000-0x0000000000CA2000-memory.dmp

Filesize
3.6MB

Download
memory/1708-38-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/1708-36-0x0000000002E30000-0x0000000002E48000-memory.dmp

Filesize
96KB

Download
memory/1708-34-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/1708-32-0x000000001BBD0000-0x000000001BC20000-memory.dmp

Filesize
320KB

Download
memory/1708-29-0x0000000002C90000-0x0000000002C9E000-memory.dmp

Filesize
56KB

Download
memory/1708-27-0x0000000002DE0000-0x0000000002E06000-memory.dmp

Filesize
152KB

Download
memory/2496-122-0x000001E5AC000000-0x000001E5AC022000-memory.dmp

Filesize
136KB

Download