zgrat | 9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948

Analysis

max time kernel
299s
max time network
316s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
Size

1.7MB
MD5

794742e196658504969c2a0734f88bcb
SHA1

319842492ca9627b1baefe98c449a584227d064d
SHA256

9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948
SHA512

5c46d60e2b4dea9ecd076ddd180dae6cae90f42c5ed0b120f9d6b3162a7c3ab1a63643fda6e238d05c62c9eff5ff7135af776c50d465e94479096b89ccdf2b51
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 8 IoCs

resource	yara_rule
behavioral1/memory/2480-0-0x0000000000EC0000-0x0000000001080000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0008000000017550-26.dat	family_zgrat_v1
behavioral1/files/0x0031000000016d12-81.dat	family_zgrat_v1
behavioral1/files/0x0031000000016d12-80.dat	family_zgrat_v1
behavioral1/memory/1508-82-0x0000000000960000-0x0000000000B20000-memory.dmp	family_zgrat_v1
behavioral1/memory/2452-105-0x00000000009E0000-0x0000000000BA0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1568-127-0x0000000000040000-0x0000000000200000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0031000000016d12-335.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 25 IoCs

pid	Process
1508	Idle.exe
2452	Idle.exe
1568	Idle.exe
2896	Idle.exe
2996	Idle.exe
2764	Idle.exe
240	Idle.exe
1212	Idle.exe
2284	Idle.exe
2400	Idle.exe
2192	Idle.exe
2844	Idle.exe
108	Idle.exe
2448	Idle.exe
344	Idle.exe
2228	Idle.exe
2536	Idle.exe
2632	Idle.exe
2484	Idle.exe
2368	Idle.exe
2180	Idle.exe
2360	Idle.exe
672	Idle.exe
2776	Idle.exe
2572	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
21	raw.githubusercontent.com
49	raw.githubusercontent.com
53	raw.githubusercontent.com
7	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
4	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
43	raw.githubusercontent.com
13	raw.githubusercontent.com
5	raw.githubusercontent.com
35	raw.githubusercontent.com
15	raw.githubusercontent.com
17	raw.githubusercontent.com
27	raw.githubusercontent.com
47	raw.githubusercontent.com
51	raw.githubusercontent.com
29	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\69ddcba757bf72	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6cb0b6c459d5d3	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\sppsvc.exe	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File opened for modification	C:\Windows\twain_32\sppsvc.exe	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
File created	C:\Windows\twain_32\0a1fd5f707cd16	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Idle.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Idle.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
816	PING.EXE
1372	PING.EXE
1956	PING.EXE
2556	PING.EXE
1532	PING.EXE
924	PING.EXE
2068	PING.EXE
904	PING.EXE
2728	PING.EXE
312	PING.EXE
2616	PING.EXE
2596	PING.EXE
2908	PING.EXE
2500	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
2696	powershell.exe
2772	powershell.exe
2780	powershell.exe
2680	powershell.exe
2372	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1508	Idle.exe
Token: SeDebugPrivilege	2452	Idle.exe
Token: SeDebugPrivilege	1568	Idle.exe
Token: SeDebugPrivilege	2896	Idle.exe
Token: SeDebugPrivilege	2996	Idle.exe
Token: SeDebugPrivilege	2764	Idle.exe
Token: SeDebugPrivilege	240	Idle.exe
Token: SeDebugPrivilege	1212	Idle.exe
Token: SeDebugPrivilege	2284	Idle.exe
Token: SeDebugPrivilege	2400	Idle.exe
Token: SeDebugPrivilege	2192	Idle.exe
Token: SeDebugPrivilege	2844	Idle.exe
Token: SeDebugPrivilege	108	Idle.exe
Token: SeDebugPrivilege	2448	Idle.exe
Token: SeDebugPrivilege	344	Idle.exe
Token: SeDebugPrivilege	2228	Idle.exe
Token: SeDebugPrivilege	2536	Idle.exe
Token: SeDebugPrivilege	2632	Idle.exe
Token: SeDebugPrivilege	2484	Idle.exe
Token: SeDebugPrivilege	2368	Idle.exe
Token: SeDebugPrivilege	2180	Idle.exe
Token: SeDebugPrivilege	2360	Idle.exe
Token: SeDebugPrivilege	672	Idle.exe
Token: SeDebugPrivilege	2776	Idle.exe
Token: SeDebugPrivilege	2572	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2780	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	37
PID 2480 wrote to memory of 2780	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	37
PID 2480 wrote to memory of 2780	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	37
PID 2480 wrote to memory of 2772	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	36
PID 2480 wrote to memory of 2772	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	36
PID 2480 wrote to memory of 2772	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	36
PID 2480 wrote to memory of 2696	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	35
PID 2480 wrote to memory of 2696	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	35
PID 2480 wrote to memory of 2696	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	35
PID 2480 wrote to memory of 2372	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	34
PID 2480 wrote to memory of 2372	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	34
PID 2480 wrote to memory of 2372	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	34
PID 2480 wrote to memory of 2680	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	32
PID 2480 wrote to memory of 2680	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	32
PID 2480 wrote to memory of 2680	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	32
PID 2480 wrote to memory of 2640	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	38
PID 2480 wrote to memory of 2640	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	38
PID 2480 wrote to memory of 2640	2480	9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe	38
PID 2640 wrote to memory of 2816	2640	cmd.exe	40
PID 2640 wrote to memory of 2816	2640	cmd.exe	40
PID 2640 wrote to memory of 2816	2640	cmd.exe	40
PID 2640 wrote to memory of 2888	2640	cmd.exe	41
PID 2640 wrote to memory of 2888	2640	cmd.exe	41
PID 2640 wrote to memory of 2888	2640	cmd.exe	41
PID 2640 wrote to memory of 1508	2640	cmd.exe	42
PID 2640 wrote to memory of 1508	2640	cmd.exe	42
PID 2640 wrote to memory of 1508	2640	cmd.exe	42
PID 1508 wrote to memory of 1960	1508	Idle.exe	43
PID 1508 wrote to memory of 1960	1508	Idle.exe	43
PID 1508 wrote to memory of 1960	1508	Idle.exe	43
PID 1960 wrote to memory of 3000	1960	cmd.exe	46
PID 1960 wrote to memory of 3000	1960	cmd.exe	46
PID 1960 wrote to memory of 3000	1960	cmd.exe	46
PID 1960 wrote to memory of 2360	1960	cmd.exe	45
PID 1960 wrote to memory of 2360	1960	cmd.exe	45
PID 1960 wrote to memory of 2360	1960	cmd.exe	45
PID 1960 wrote to memory of 2452	1960	cmd.exe	47
PID 1960 wrote to memory of 2452	1960	cmd.exe	47
PID 1960 wrote to memory of 2452	1960	cmd.exe	47
PID 2452 wrote to memory of 1604	2452	Idle.exe	50
PID 2452 wrote to memory of 1604	2452	Idle.exe	50
PID 2452 wrote to memory of 1604	2452	Idle.exe	50
PID 1604 wrote to memory of 2940	1604	cmd.exe	52
PID 1604 wrote to memory of 2940	1604	cmd.exe	52
PID 1604 wrote to memory of 2940	1604	cmd.exe	52
PID 1604 wrote to memory of 312	1604	cmd.exe	53
PID 1604 wrote to memory of 312	1604	cmd.exe	53
PID 1604 wrote to memory of 312	1604	cmd.exe	53
PID 1604 wrote to memory of 1568	1604	cmd.exe	54
PID 1604 wrote to memory of 1568	1604	cmd.exe	54
PID 1604 wrote to memory of 1568	1604	cmd.exe	54
PID 1568 wrote to memory of 1752	1568	Idle.exe	55
PID 1568 wrote to memory of 1752	1568	Idle.exe	55
PID 1568 wrote to memory of 1752	1568	Idle.exe	55
PID 1752 wrote to memory of 1100	1752	cmd.exe	57
PID 1752 wrote to memory of 1100	1752	cmd.exe	57
PID 1752 wrote to memory of 1100	1752	cmd.exe	57
PID 1752 wrote to memory of 2932	1752	cmd.exe	58
PID 1752 wrote to memory of 2932	1752	cmd.exe	58
PID 1752 wrote to memory of 2932	1752	cmd.exe	58
PID 1752 wrote to memory of 2896	1752	cmd.exe	59
PID 1752 wrote to memory of 2896	1752	cmd.exe	59
PID 1752 wrote to memory of 2896	1752	cmd.exe	59
PID 2896 wrote to memory of 2584	2896	Idle.exe	60

C:\Users\Admin\AppData\Local\Temp\9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe
"C:\Users\Admin\AppData\Local\Temp\9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\sppsvc.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZMHgSCicKh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2816
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2888
- - C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
    "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cplHXgq9QN.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2360
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3000
    - - C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aFjl1awzEf.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:312
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VLs15dYucg.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2932
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Szt3JT3T8R.bat"
        10⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2984
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ldsg1wMtok.bat"
        12⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:2556
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M87tNVNy86.bat"
        14⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2500
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfwAG7KGXH.bat"
        16⤵
        
        PID:2180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2300
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EoBbgPmrRE.bat"
        18⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2044
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v8e4zbUuNh.bat"
        20⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2068
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CyIaH4v8D9.bat"
        22⤵
        
        PID:2792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:2908
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SA3vp411kb.bat"
        24⤵
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2592
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rdey4A1QMG.bat"
        26⤵
        
        PID:2988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2760
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pZgFYZT4yN.bat"
        28⤵
        
        PID:2664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:1532
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SfwyRFOJUR.bat"
        30⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:1552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:924
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4KPDhjeqrI.bat"
        32⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:1172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:816
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xrgiezM67a.bat"
        34⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:3024
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y3yp8Lh1nv.bat"
        36⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:2588
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddtUB3Qwlt.bat"
        38⤵
        
        PID:764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2732
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NTIt1NKYHR.bat"
        40⤵
        
        PID:1640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        41⤵
        Runs ping.exe
        
        PID:2500
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i4n06VBpBg.bat"
        42⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        Runs ping.exe
        
        PID:1372
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ad8adCyX4o.bat"
        44⤵
        
        PID:916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:1784
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQQp9H1T4Q.bat"
        46⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:904
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xeM6k5O3TR.bat"
        48⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        49⤵
        Runs ping.exe
        
        PID:2596
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ITN63wlJd.bat"
        50⤵
        
        PID:2824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:2880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:1956
        
        C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe
        
        "C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WHmS6dpJ03.bat"
        52⤵
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        53⤵
        Runs ping.exe
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe

Filesize
1.7MB

MD5
794742e196658504969c2a0734f88bcb

SHA1
319842492ca9627b1baefe98c449a584227d064d

SHA256
9c5914a64dfd0c0a52a6c7b6972491dc2517474143c1e78750697ecd6558b948

SHA512
5c46d60e2b4dea9ecd076ddd180dae6cae90f42c5ed0b120f9d6b3162a7c3ab1a63643fda6e238d05c62c9eff5ff7135af776c50d465e94479096b89ccdf2b51

Download Submit
C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe

Filesize
946KB

MD5
4a006dad64db2b31d5992effface54af

SHA1
a755c3d3d56aa38ae8072a4c1e05b1b8c7061d46

SHA256
283ec9ac21ba3485b8761cf2ab79cadd7e4cee577c1163307332e0971f0b583b

SHA512
be624574c18bf81756d59eda0d8f01be819a84a027967a2e50c5529f77968c5fa1fa06b6f023f3e0a0da701346353d6b652757ece10951742ddce17c0dea1b64

Download Submit
C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe

Filesize
1.0MB

MD5
1f4246554feb09c90d4f81ffd7135fa2

SHA1
8c458d5e32ec8bca61b7c69c1823bd29d3093d65

SHA256
d9d3ae4896f12aea194146eb70377b73947f5864a1cff3d32f408a27fc2ec0f6

SHA512
a09c1766fc44f01ff133bfc72dc70dbaeca796f80b33fc319a50682b2048364c24be8d000cac5fec956eada161da1d624591029eb4f1d7a7aa740d5ec3268523

Download Submit
C:\Recovery\720a7ca2-9b9e-11ee-89df-aefc3be66ef1\Idle.exe

Filesize
1.4MB

MD5
fc70022a617baf45a9a9df3ccb4527eb

SHA1
da66294bd49ea61bc1a22c777574cac52cd61fff

SHA256
e88ca76a42b7d7ad58c5803ff4f492fb96f55ffb4e876c5c6e091070a7054c08

SHA512
c017ea026e38701507145542421e903a4f3fa122843124c61097da058dd1709c4b7cf374ef741bf697d56239aad7aa62f84f70958b6f4b1c8a7447621433ed2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPDhjeqrI.bat

Filesize
185B

MD5
ff9938443c6f29eb5ae60c795009ffba

SHA1
ce12aff334ca18c98088e5a255ccc090762c0632

SHA256
9da10384bfa098732573a55a6555241a0bc4be04efc28a1ae354f7358818d9cc

SHA512
bbd9b050b6195b61d43d77d9bcdd5e7f08607377d915281dc9a2072cfda60a4d41457f8bf34a18d1840c4f7ad4703ea70267e14f6714948cf5cf3911689683f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQQp9H1T4Q.bat

Filesize
185B

MD5
d6849f6b396e23c1655c32648205cfd3

SHA1
64186feb0e28b432e4055aa8a3c2fb7ca53dbbc6

SHA256
e6a1794d94e3c5fd672920a061239ef49c0b47695e724c38d41b3d7025bbbffe

SHA512
07a020dc6a40198feb40718280a828a132a68862c9c6664b41197f09addfaaf7123d6b8887216c395fa4fa4a92bf00ef84396c6ac1118485fd88a591c40562e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ad8adCyX4o.bat

Filesize
233B

MD5
ee55623b47378aaecc23676650e0be51

SHA1
342f684e32ca25b1ab7b6c65f0ae048b104dd5d0

SHA256
53f1387c87702dfdd7da4c6e9880c3400180fa37aece232aeb1fd487d769f93d

SHA512
784a7aa4cbcba7509e955954f47a7e1bf8d3be0ea7b74a67944b691b3fac4a2b5cacab7f38f31654f36cb6c36c759fa10232f7a14538f0fa065b730b468ab821

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyIaH4v8D9.bat

Filesize
185B

MD5
f8db158f884132428c203bffaa977091

SHA1
3d2ae14e0a2a6c669af0c71a87243d2e0d6603f3

SHA256
687a59e9e0c402310b429cd6639fff45b5c69a1f428e22842ca4317af70c7090

SHA512
7c222d7fa6c8da2cb179ea021646beb6d0707c2d99303fa42bca25db71915a3c7716397873136c19bd58af2b3c5ec1f27bc7670f3956cda9e80e5521a66b00b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoBbgPmrRE.bat

Filesize
233B

MD5
7389e5b786e06e449cbef30bb952f634

SHA1
8e365d2a61b2c4689d1aeeb8f3ed473b36ebe6cc

SHA256
e17d806f42df8eb6c59b7e00ceae63e0f74cbcb07d2b683cbaab3cf33298814f

SHA512
6d9b57d88fa9b655af20a2bc838d7f39791fc63fe156d8d012661a0067f184b326e330e3d3779d5f2d62fe063024eae3da61ca90969ca4aca9e0f117639d69c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\M87tNVNy86.bat

Filesize
233B

MD5
5be8aba1154f39b5b670a6bb432bce49

SHA1
d97d66ec8450639a8638295272d1e57539637804

SHA256
49fd97dfbbacacf620099edaee6d21420253d7037dd7fcc08cba620cc4a3d53b

SHA512
1eededafc5c6db245e91ac367030e4730b272011e81c8ec0684b957e46523252cf6ca220b48147c5d850e8d592864aa1617265456ac6d092f07ecb5bc4e4f37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTIt1NKYHR.bat

Filesize
185B

MD5
005d0f524a91a8d77629f1bd8ff9c40f

SHA1
3f82acdb5f8b0ad5485bec121cab33c97420f691

SHA256
22d3c57561728d156f63427ce9f5dff1f21d68aca91eeeb32352e413744838a8

SHA512
ba205d827b5b92b27e45eb211d962c6a9cfadd99a6978a757e1b3bb21ba7399e88f4d58b0e42fe7276415b69954af40fe970aa476a67d51c90027528dc32906b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SA3vp411kb.bat

Filesize
233B

MD5
26e1cb1abb0b10287f58e66e0ff86aab

SHA1
62d4cf552e1c448bd8beb89c067731c6ad420e88

SHA256
a1fc61cea7ac49e2c175f1668783093b83d94571769f4b8d1523e9e039d7fd33

SHA512
82125ab28e92909d658b042c8c008cfe4c046652874d35c1383e1ba460a2943eb14ac575c69d8d679de567a7130e11aa94eec8ea5e858cc38a96c290534bb4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SfwyRFOJUR.bat

Filesize
185B

MD5
fab0a4f388080e1e7f74edc647fe6150

SHA1
9b5d376c2f2d55478090797ee8266dbd714b5b0d

SHA256
0cfc2b617de1f09d231bc1690496890be13b6e3cd55fd41ce677779ab6075e8a

SHA512
9fcfee0501ad8d35a916b92c395c5f3c59b98c62394b4be88124909fa0020c64e8c26a546dd726497a381ea7306288f28a7f2e5de792252b2d83aa0b1db72808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Szt3JT3T8R.bat

Filesize
233B

MD5
eaba8ce19ffc0248133d357f0f056ae6

SHA1
95d237fb22a0064b20f8cafcb49ef11b4a8880ee

SHA256
08f21aa8f52fb7b62a25d53fa378b5767428294cade304229be17c50321610b2

SHA512
0a4b9216000c09cd68e23eb1ab524692b6434de099cfdb60b24f85ec351b894c4896d9f1a4b0d47a5e4f1b2d72440e765947baae6a84c06092d55a2f98a4d9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLs15dYucg.bat

Filesize
233B

MD5
d592ddcd542903b9c0eaf9402edc9121

SHA1
9fae1c598e83e85b97dcde7bf5db93fe18b30c54

SHA256
a570232086a5a94bcd520edbd12711e613cd5b5d68d63c0fc65c05b86d19d2cd

SHA512
7684706cb6ff9a8325015dbcdfcf0c330e7decd470838ba3e397e7b50c0911415906779035ab766881b7435d811f7bf329e11c2226f0284c0ad03e4f0ac704ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y3yp8Lh1nv.bat

Filesize
233B

MD5
8f35029605d69b8e1ef04f90c218c56b

SHA1
121cf9e677fc6216052a4da57b653fc054a36a4e

SHA256
8f45423ce7398c80dc9cef5f6a6aa02d54277b6301af90e0f5f5f3a83fc66da7

SHA512
89b3372eb80fdffcb8a193aea709d41eed4c5da272d353bcc7c975b691e624d626dc69fafe2aa8f5c0be728cf4fd43008858cf0d5414997f36eb15e744863f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMHgSCicKh.bat

Filesize
233B

MD5
46e1fc9af0c8409286de5d2700483742

SHA1
22e0b9fd63043cd69af0125fb4ca805a4d67bc5f

SHA256
60b5b079518a21c175bf2d88674d6043a2ebb01e5d6360511a87f25a484d24d8

SHA512
f8e3810d8653c804b3a85a3e89a4185eee890560d7073bef0ea89476978ba7bf28139d949dadd25657aa98fd5e2fe859a07e169f06bb3f3c6474516a4068318b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfwAG7KGXH.bat

Filesize
233B

MD5
6964c881720f470d61abc8bda4d70f98

SHA1
82ab255776935ed0e8e50a6030d1720a39f84413

SHA256
d1c03e458289e69320a8e28738246eb67644e57f117a3e220515fb8a9f5ed9d7

SHA512
a55b5f647100d7cbf5bfb4236ecf36a5524a7753ea311de63e0065880a5a4aa36d193455f3a2b129dd0f1afe39eeedc5426104242436ff7400ec3bc962f4c5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\aFjl1awzEf.bat

Filesize
185B

MD5
72364be70dab07f9216975905550fb7a

SHA1
f1bff444bc6518f2a8874c22ab58bd37c25c9ae7

SHA256
cd8b0ef3ce84204184f909111969b3537d65ddbf54c8c1dd862db89bafcd560b

SHA512
5c98009fbcdf6e83359690fde78f1da236b809e148e0706aae82a9f7609e9b7be947866015a9fba4b27acfe100b54bd06f0f76a9cd1655a875fe449a81c8666a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cplHXgq9QN.bat

Filesize
233B

MD5
be6ed90a8c75af7de46d7c5ec333e2b4

SHA1
2341f4da7370d23b4dc36b80ef9f992e62a1a5ce

SHA256
137d5736782e781f94538adde2ce3acf5718a1f8e010d813a9e26de7329df1ba

SHA512
d7f5989b2f2f9bf942e24cea522631d29a6a810ed81abd5af234fdd52256869f9526f8134ac17281a9aa0d93741265fbbc8a9db8c8ba04a74a8f09194b1c1578

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddtUB3Qwlt.bat

Filesize
233B

MD5
5d3bc0bcd8e917e46325b939b19a4a54

SHA1
ae51d767321c1522eef5f8c415295cd18516be10

SHA256
f95c2e54e456befc24cc01e28a564d5705944ce7670f6e8d7eb98be15275d522

SHA512
e85ea004f319d119b8215a192e41cf80e75b6a728f05456fca008b7f3c2c7078fa4d9926e7811ccb624802580ee386f2e7e9dba7db8a35258821332f83df6275

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4n06VBpBg.bat

Filesize
185B

MD5
55c5430b93b5a435cffdd6590a78bbbb

SHA1
4cc97d41316a037752aedf64f85d95f329dd7137

SHA256
bcd328c52b239171bb06d0caa9d11bb853fe43026fb5ce67a944df638dd01f1d

SHA512
87b62d3233c1f4c1e2dfa9ae00b304574a2269fe8d7d9c77b6a62aec349e64838d4cc39fa7b27c41f54b55e9f5be0fe0690cd343fcc741284cc775b953e65127

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldsg1wMtok.bat

Filesize
185B

MD5
cef18ee5c5423eb060f0aa69362926ab

SHA1
97d5e06f78c46c406d03cfe9b956ed4d6a1c5d31

SHA256
988c314f87854ab9d7eb77e718557c318eb4599a115ce0ed5a853b07180895a1

SHA512
d82e7207d6bd1f3ca5d83b5a29ab469e251b0f1be587a242f6eef4fde9736a5ad6694cb8767d0310c3d8530293359b06b97ce369d825e49fe38bea4feeee0cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pZgFYZT4yN.bat

Filesize
185B

MD5
d41e872f7da4273623803d1dfbcb31dd

SHA1
c6fc9229a87ee3cba9cbda657d361177e10259a3

SHA256
8b79cb34c9a2cb8198dba4f85a85d33d9f9b281f40d4e7e3582cbf6ae496c8d0

SHA512
eee670825cc5208d29a5d79001d7ec56f9c17de05712d48f0e67ba05e3710ccfecf23746b8141d965ae740a0e1698ebd43d1f129510c11aeb9c60ad9f8df001e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdey4A1QMG.bat

Filesize
185B

MD5
3bc71c5a33ac4fff34f28642b8e356ab

SHA1
0e83d5cc176e27b119874461b8515fa23f42b7e7

SHA256
b6bee0ce322c06542aef6f63230b24c6d5746974f9d16f2e89087fe5d3f1a5af

SHA512
edc359a1ee6a89f7574b07d622fae88ab4d8e2c73075f822a1397c1ba19fa6306cc1131ec649f597137e95dd8f757c7745ecadf5beea6c20042008d55999bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8e4zbUuNh.bat

Filesize
185B

MD5
0b098e355d420cda4659c87e8917efe4

SHA1
4eca9a73fa52c8d090ffb40f5a9cfeb59e418ca6

SHA256
b47dbb72c44eef9f1beaafb885ed1f980c98679ead251b0e0e8f80e1b506b64e

SHA512
5d65ceb49631215c367ade199f48937ef123c1cc6cf3264377268a1864ef3701da2c18ba9dfe9f001d628e4ebf07885269b1e62c2bee176ec214c12e5023f19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrgiezM67a.bat

Filesize
233B

MD5
674d66c73164aa3c59b52b5659789a95

SHA1
0f1ee1cabc827e1d1fc1772998013943e4aa9635

SHA256
59600a4ad5683e4a951fdd76f2261ce53343824c24d6115f19d085da2ab9213a

SHA512
d3d66ebb86aa63096481c58901137a575de5809df8474e6f32af19348ab51e8edd876ed11ab0cbe33e633329a05f0e11f2bc677dc82c3c81bb886b3d666b99bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d6282e57de9ede6634d20fb1ede5259b

SHA1
06ad4f7284085158ea9a2fdbda36a5a272ae7446

SHA256
7776455866e25c154207f06341142699ca23450c72f709c49fbdcc4c2c9ca7ff

SHA512
5c5c67747b42ad576068ea6a8276686f56ee622d14853351dbda72745835229b9239fd1d8f45a9258fec46dc43a34f615e1986a23a7d868a269f9162e5660e03

Download Submit
memory/1508-91-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/1508-96-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/1508-95-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/1508-97-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1508-87-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/1508-89-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/1508-86-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/1508-83-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1508-85-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1508-84-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/1508-82-0x0000000000960000-0x0000000000B20000-memory.dmp

Filesize
1.8MB

Download
memory/1508-103-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1568-128-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/1568-127-0x0000000000040000-0x0000000000200000-memory.dmp

Filesize
1.8MB

Download
memory/2372-76-0x000007FEEF320000-0x000007FEEFCBD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-78-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/2372-93-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/2372-74-0x00000000025DB000-0x0000000002642000-memory.dmp

Filesize
412KB

Download
memory/2372-75-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/2452-109-0x0000000000740000-0x00000000007C0000-memory.dmp

Filesize
512KB

Download
memory/2452-114-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/2452-125-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2452-119-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2452-118-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2452-116-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/2452-111-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2452-110-0x0000000000740000-0x00000000007C0000-memory.dmp

Filesize
512KB

Download
memory/2452-106-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2452-105-0x00000000009E0000-0x0000000000BA0000-memory.dmp

Filesize
1.8MB

Download
memory/2452-107-0x0000000000740000-0x00000000007C0000-memory.dmp

Filesize
512KB

Download
memory/2452-108-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2480-10-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2480-0-0x0000000000EC0000-0x0000000001080000-memory.dmp

Filesize
1.8MB

Download
memory/2480-5-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/2480-2-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/2480-17-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2480-4-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/2480-3-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2480-7-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2480-16-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2480-1-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2480-14-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/2480-8-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2480-57-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2480-11-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/2480-13-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2680-79-0x00000000026CB000-0x0000000002732000-memory.dmp

Filesize
412KB

Download
memory/2680-71-0x000007FEEF320000-0x000007FEEFCBD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-77-0x00000000026C4000-0x00000000026C7000-memory.dmp

Filesize
12KB

Download
memory/2696-72-0x000000000250B000-0x0000000002572000-memory.dmp

Filesize
412KB

Download
memory/2696-65-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/2696-59-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2696-63-0x0000000002500000-0x0000000002580000-memory.dmp

Filesize
512KB

Download
memory/2696-60-0x000007FEEF320000-0x000007FEEFCBD000-memory.dmp

Filesize
9.6MB

Download
memory/2696-67-0x000007FEEF320000-0x000007FEEFCBD000-memory.dmp

Filesize
9.6MB

Download
memory/2696-62-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/2696-58-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2772-70-0x000000000266B000-0x00000000026D2000-memory.dmp

Filesize
412KB

Download
memory/2772-66-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/2772-61-0x000007FEEF320000-0x000007FEEFCBD000-memory.dmp

Filesize
9.6MB

Download
memory/2780-68-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2780-69-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2780-73-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2780-64-0x000007FEEF320000-0x000007FEEFCBD000-memory.dmp

Filesize
9.6MB

Download