zgrat | f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e40160ff1f09d7445f2cdcd24104701.exe
Size

1.8MB
MD5

1e40160ff1f09d7445f2cdcd24104701
SHA1

c660d302b2941a93c51cd1f857298126a3c0b219
SHA256

f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c
SHA512

ea3b325f2f4a75849a06859fd1f933c38abc425c542c1bd2b8b65abd7aff05a75d07caeb47656a9f699558306cc5fe789bf43cfc2c0676c5bd8d4109b0c015f0
SSDEEP

49152:uGkkhDESYZ24c4W3cs9gIDxH6HMfKZkQ6rQ:uGkkhDE74SR6gGHfy6

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2196-1-0x0000000000390000-0x000000000056E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2432-24-0x0000000000F90000-0x000000000116E000-memory.dmp	family_zgrat_v1
behavioral1/memory/320-43-0x00000000011B0000-0x000000000138E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1740-90-0x0000000001260000-0x000000000143E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2676-119-0x00000000012F0000-0x00000000014CE000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1448	PING.EXE
600	PING.EXE
2152	PING.EXE
1444	PING.EXE
2008	PING.EXE
2088	PING.EXE
1264	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2196	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe
2432	1e40160ff1f09d7445f2cdcd24104701.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2432	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	836	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	320	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	1980	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2344	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2632	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	1624	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	1740	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2184	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2420	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2676	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	2040	1e40160ff1f09d7445f2cdcd24104701.exe
Token: SeDebugPrivilege	1700	1e40160ff1f09d7445f2cdcd24104701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2616	2196	1e40160ff1f09d7445f2cdcd24104701.exe	28
PID 2196 wrote to memory of 2616	2196	1e40160ff1f09d7445f2cdcd24104701.exe	28
PID 2196 wrote to memory of 2616	2196	1e40160ff1f09d7445f2cdcd24104701.exe	28
PID 2616 wrote to memory of 2516	2616	cmd.exe	30
PID 2616 wrote to memory of 2516	2616	cmd.exe	30
PID 2616 wrote to memory of 2516	2616	cmd.exe	30
PID 2616 wrote to memory of 2152	2616	cmd.exe	31
PID 2616 wrote to memory of 2152	2616	cmd.exe	31
PID 2616 wrote to memory of 2152	2616	cmd.exe	31
PID 2616 wrote to memory of 2432	2616	cmd.exe	32
PID 2616 wrote to memory of 2432	2616	cmd.exe	32
PID 2616 wrote to memory of 2432	2616	cmd.exe	32
PID 2432 wrote to memory of 1232	2432	1e40160ff1f09d7445f2cdcd24104701.exe	33
PID 2432 wrote to memory of 1232	2432	1e40160ff1f09d7445f2cdcd24104701.exe	33
PID 2432 wrote to memory of 1232	2432	1e40160ff1f09d7445f2cdcd24104701.exe	33
PID 1232 wrote to memory of 1060	1232	cmd.exe	35
PID 1232 wrote to memory of 1060	1232	cmd.exe	35
PID 1232 wrote to memory of 1060	1232	cmd.exe	35
PID 1232 wrote to memory of 1252	1232	cmd.exe	36
PID 1232 wrote to memory of 1252	1232	cmd.exe	36
PID 1232 wrote to memory of 1252	1232	cmd.exe	36
PID 1232 wrote to memory of 836	1232	cmd.exe	37
PID 1232 wrote to memory of 836	1232	cmd.exe	37
PID 1232 wrote to memory of 836	1232	cmd.exe	37
PID 836 wrote to memory of 2204	836	1e40160ff1f09d7445f2cdcd24104701.exe	38
PID 836 wrote to memory of 2204	836	1e40160ff1f09d7445f2cdcd24104701.exe	38
PID 836 wrote to memory of 2204	836	1e40160ff1f09d7445f2cdcd24104701.exe	38
PID 2204 wrote to memory of 1236	2204	cmd.exe	40
PID 2204 wrote to memory of 1236	2204	cmd.exe	40
PID 2204 wrote to memory of 1236	2204	cmd.exe	40
PID 2204 wrote to memory of 1444	2204	cmd.exe	41
PID 2204 wrote to memory of 1444	2204	cmd.exe	41
PID 2204 wrote to memory of 1444	2204	cmd.exe	41
PID 2204 wrote to memory of 320	2204	cmd.exe	42
PID 2204 wrote to memory of 320	2204	cmd.exe	42
PID 2204 wrote to memory of 320	2204	cmd.exe	42
PID 320 wrote to memory of 2296	320	1e40160ff1f09d7445f2cdcd24104701.exe	43
PID 320 wrote to memory of 2296	320	1e40160ff1f09d7445f2cdcd24104701.exe	43
PID 320 wrote to memory of 2296	320	1e40160ff1f09d7445f2cdcd24104701.exe	43
PID 2296 wrote to memory of 2680	2296	cmd.exe	45
PID 2296 wrote to memory of 2680	2296	cmd.exe	45
PID 2296 wrote to memory of 2680	2296	cmd.exe	45
PID 2296 wrote to memory of 2008	2296	cmd.exe	46
PID 2296 wrote to memory of 2008	2296	cmd.exe	46
PID 2296 wrote to memory of 2008	2296	cmd.exe	46
PID 2296 wrote to memory of 1980	2296	cmd.exe	49
PID 2296 wrote to memory of 1980	2296	cmd.exe	49
PID 2296 wrote to memory of 1980	2296	cmd.exe	49
PID 1980 wrote to memory of 612	1980	1e40160ff1f09d7445f2cdcd24104701.exe	50
PID 1980 wrote to memory of 612	1980	1e40160ff1f09d7445f2cdcd24104701.exe	50
PID 1980 wrote to memory of 612	1980	1e40160ff1f09d7445f2cdcd24104701.exe	50
PID 612 wrote to memory of 1028	612	cmd.exe	52
PID 612 wrote to memory of 1028	612	cmd.exe	52
PID 612 wrote to memory of 1028	612	cmd.exe	52
PID 612 wrote to memory of 1780	612	cmd.exe	53
PID 612 wrote to memory of 1780	612	cmd.exe	53
PID 612 wrote to memory of 1780	612	cmd.exe	53
PID 612 wrote to memory of 2344	612	cmd.exe	54
PID 612 wrote to memory of 2344	612	cmd.exe	54
PID 612 wrote to memory of 2344	612	cmd.exe	54
PID 2344 wrote to memory of 2804	2344	1e40160ff1f09d7445f2cdcd24104701.exe	55
PID 2344 wrote to memory of 2804	2344	1e40160ff1f09d7445f2cdcd24104701.exe	55
PID 2344 wrote to memory of 2804	2344	1e40160ff1f09d7445f2cdcd24104701.exe	55
PID 2804 wrote to memory of 1308	2804	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
"C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2516
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
    "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1060
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1252
    - - C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UUMu1rrm8x.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat"
        14⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat"
        16⤵
        
        PID:892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"
        18⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
        20⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat"
        22⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat"
        24⤵
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat"
        26⤵
        
        PID:1952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e40160ff1f09d7445f2cdcd24104701.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat"
        28⤵
        
        PID:1292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat

Filesize
198B

MD5
dd5915764bf16cceb54627ecc91ec993

SHA1
efc906659030f1fe4c7848d3bb5939da5ecb47ae

SHA256
71dbb1b34f8f93049950f951500c150efdd29d92d83e8bb361505cb83687da4b

SHA512
181f438f2ae14330f0e29b4377588847b5f2c296aed96a04eaf083fe85aacc1ab956de9ea1cd12746a8e15326c22f62b5ba81dec5f28b2b1909b2f57a77aa559

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ybTWoiUnd.bat

Filesize
198B

MD5
bd54ff99c8f38dfdbbb78c1d88458b61

SHA1
0f44f24d21beb6387cca79bd43cf7df38a9abf4d

SHA256
ccbf666200d81d0b20983fc71ae0f80843f6593cd591599e52ad14a36a842da9

SHA512
fdf4523ad6e2d9addada6e895f1f4f4e953aca47cc3224bc7d0af5c30d5bf4fb02ed29b909b4fb202c63833c4fe859f7a11a254eb7fbe5d8dab96d785e5a3bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cbgcnWXuE.bat

Filesize
198B

MD5
0e34a41661b4072ff4018d572e1beb61

SHA1
485d4d87c3e9b19c1961d265abb7c0a826c6ab1a

SHA256
01128fc889dc198fbb759d6f59f05a952bbc3e3f30274ffaa1c40919cb47e486

SHA512
680c773beb7943c5ae223323e0dd295765eb0a78c1e3644c211484331b3a6dd13790df7f5c9372ad05084c4958d764402c84f21c4b737d6977872d2e6ac479ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat

Filesize
198B

MD5
7baa87e6af6e0ab2e63d6e011542d037

SHA1
0d5fedae3decc1a05113008cd13e44f020d5eeb9

SHA256
936579c0cdf2634135b8315fc0c2122f12c9cb75f5f13f58a98458acec94f32a

SHA512
7d168997d46cbbd9dac32548ffe716f5d500686ad08a3e1613c1286c161710721a55f487dc4550dff96aeaa62bdc37d6bcb07df706ebafb95a7aa61bb5b0f263

Download Submit
C:\Users\Admin\AppData\Local\Temp\D80XHT6V1e.bat

Filesize
246B

MD5
ab6385959f208c6233400bdb781cf311

SHA1
ad5d3f8a31373d86cf0bd43f87d5b94ce74ebd01

SHA256
f62d02a8e3c0b79f81ed0ba558c4551de2da5da0dae23cca4076135ee899a391

SHA512
b141ce56dd293885e9c14038ec0db0fe92c733df8762215c653bdc626af6280ca5b51d712382e56ba6e736395ac884b374cadf04674d3dc6cd711d98db5ad8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HdPNv8gS74.bat

Filesize
246B

MD5
52dfc30d55e7aa4f211ab803d77dede9

SHA1
43755693aeb724341ec1d1858942565ae841af38

SHA256
7dd60de281278d85614fccb7fd38f2c86a210840953fb8495240897db8768860

SHA512
7743a4e17ad9ad53aae5485f0b49ea4cfcc7d1bef820a362125c0581ddbc269ef2c08918d52f06d06d44daaed5aea523cdb86154a04862cf9960d14b24dfdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat

Filesize
246B

MD5
b4ae2da665aa4a5121022248daa3df5c

SHA1
fcdf5a915921cc257298287080ea1c2b4b5f3b94

SHA256
c7995191feaca8d997769bc699224598392cc0960e85acf825203b83d767b74f

SHA512
d95c7ad2dd03b27632a0b7c8b2d20cb6ab749093fd71dd3be0b5f68123337a50e139dceffcfb873b515b40af9e6204f30d10e35931b93e5adc5f60ae2d4aaddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat

Filesize
246B

MD5
582e6cd595ae09acae91998d7d8e949a

SHA1
9b5c838a38c1c399d2b19a6a399ec5bfebd00839

SHA256
2a3058e456f2528bc88d7b657862c411a59e00aecf2a8fe064c60b9b36664283

SHA512
89d76b600e3fb9a0e4cdca6ed66d969d3acd6de77ace79473cc19798dd8434b9a927a9e3807fb6a43fb48a6bacff72b6ea20042ac81e2cb2bf8b27ebae7d8200

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pk8wsQHxqc.bat

Filesize
246B

MD5
1a5b5c581b703216433a601eb74bf716

SHA1
7c5cda8554cf821c267763f3dae06fbfa4d32a76

SHA256
daade1e9094bb7e8043d9ae6a4611aca4861731e43446df99446a9f7d22f47ef

SHA512
7ca9c867251da8e3c6b29fe957c9a9009ef925b66af5385ae7bdb682d02a0883361723d2cf28e3364db16a675f844d4b5789c500c1c7bb9fc90ef12fd6ffd406

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUMu1rrm8x.bat

Filesize
198B

MD5
041dc6e4455c326e9d0fcabbc40cdac9

SHA1
d3592393b08b9b18fe2db774e06412f87a351006

SHA256
0ebd95c1ac3d6f0107e14c48f8a0a14d336aceaf7e253148e417d76cc45539f9

SHA512
c855083b842285ed0ac67afdf795574c06697f4f926a03b1e0d265b4b269aae4d0fdc697c1cc4028010bc6556133381378f647d70a2b72d82899c7b39affbda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat

Filesize
246B

MD5
13345bda9a7089cb4614ca37088fd8f9

SHA1
ebe532ed26f6c0ef07ff2f1905be59a6b4678b05

SHA256
54e705247bda1f850674c7886d19ddf57e49092f79c93b88569dd8fb9b4f5e88

SHA512
bdbe216aab548d1dbbbc1cb1e7f37b78729b90de27f5e3a096b9cdd3e09ee00ab855d9e26ac3746f32994e74c22b365433b4d2d23daac3c264c3d16c9a313811

Download Submit
C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat

Filesize
198B

MD5
12f8c617dd4adfbf0f6f321e3d79b64d

SHA1
9bce99b58b00eb1b72dcafde8b00cf6c59869db1

SHA256
41d476613b61af5a283543f80714fb11a7f2af1332ee202b42423fab466f3f16

SHA512
1b840d06222af12251d4e1f8aae578832d144c4dec9b1d8b75474c24e9488260fa27cd0077a4d754928c3a6adaf1ef85247ef0d21dc17f70c3c6b469dfb46f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat

Filesize
198B

MD5
001a5e30eb601687a8ecf42a5b1a3b0e

SHA1
5d939e89c5d32463cea998649a0071cf9cdc7e18

SHA256
ea5eed2fd6333f3455429785881e04c285b6f36a7a22e3466154700bca39663f

SHA512
0b8a08d2a83280480760735c1167bd5bf0e1b88b52723639161e1494b8edcebf9e6b98ffd6474959a08aa8cac66763400a31b55a5ce3ef9c0ecb449030979229

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvZOdU8aJP.bat

Filesize
246B

MD5
aefd6a68c2c6fa2210110f50cdf80d52

SHA1
07df3b6a86223f0256642f798f50efd7dc77a4b1

SHA256
f188253068e96ca968a2ed1e35e0c767dde8e29fb16201eeec8d27860caaaf99

SHA512
c20d738c059fc597df2bcc7598cba0a94909c347fccbc503103e8f4b926c5f70bcc93c064e41d550780d0027b2d184e9fd55c54f5887d6751078c2f78de7edae

Download Submit
memory/320-43-0x00000000011B0000-0x000000000138E000-memory.dmp

Filesize
1.9MB

Download
memory/1740-90-0x0000000001260000-0x000000000143E000-memory.dmp

Filesize
1.9MB

Download
memory/2196-9-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-12-0x00000000005C0000-0x00000000005D8000-memory.dmp

Filesize
96KB

Download
memory/2196-23-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-16-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-17-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-8-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2196-14-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2196-15-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/2196-1-0x0000000000390000-0x000000000056E000-memory.dmp

Filesize
1.9MB

Download
memory/2196-10-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-6-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/2196-4-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2196-3-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-24-0x0000000000F90000-0x000000000116E000-memory.dmp

Filesize
1.9MB

Download
memory/2676-119-0x00000000012F0000-0x00000000014CE000-memory.dmp

Filesize
1.9MB

Download