zgrat | ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Size

3.5MB
MD5

57c35a58ecb435c7975af0d43f3d603b
SHA1

c7bb75bf3b93128ed53997301b8f2d94a49a9787
SHA256

ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b
SHA512

f186273b9b2bdafaa63b884dba5eb07def3a11582964e644b107b6d586cce5f8e324be298368313d1eface07d8f90a03017626a991251038342951cc81c90618
SSDEEP

98304:U3oPPSKkooFPSJWRp0rDDf221usZ2gz9OwY:UZK+JSBZ2gT

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 11 IoCs

resource	yara_rule
behavioral1/memory/1992-1-0x00000000010A0000-0x000000000142C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1776-64-0x0000000000030000-0x00000000003BC000-memory.dmp	family_zgrat_v1
behavioral1/memory/2712-92-0x00000000011B0000-0x000000000153C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1504-147-0x00000000002C0000-0x000000000064C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2312-175-0x0000000001210000-0x000000000159C000-memory.dmp	family_zgrat_v1
behavioral1/memory/2376-230-0x0000000000240000-0x00000000005CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1672-258-0x0000000000D40000-0x00000000010CC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1740-287-0x0000000000D80000-0x000000000110C000-memory.dmp	family_zgrat_v1
behavioral1/memory/1876-315-0x0000000000250000-0x00000000005DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1812-343-0x00000000008F0000-0x0000000000C7C000-memory.dmp	family_zgrat_v1
behavioral1/memory/3024-372-0x00000000010D0000-0x000000000145C000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 11 IoCs

resource	yara_rule
behavioral1/memory/1992-1-0x00000000010A0000-0x000000000142C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1776-64-0x0000000000030000-0x00000000003BC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2712-92-0x00000000011B0000-0x000000000153C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1504-147-0x00000000002C0000-0x000000000064C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2312-175-0x0000000001210000-0x000000000159C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/2376-230-0x0000000000240000-0x00000000005CC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1672-258-0x0000000000D40000-0x00000000010CC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1740-287-0x0000000000D80000-0x000000000110C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1876-315-0x0000000000250000-0x00000000005DC000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1812-343-0x00000000008F0000-0x0000000000C7C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/3024-372-0x00000000010D0000-0x000000000145C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2612	PING.EXE
2976	PING.EXE
1488	PING.EXE
324	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1776	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2712	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1708	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1504	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2312	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2180	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	2376	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1672	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1740	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1876	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	1812	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
Token: SeDebugPrivilege	3024	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1276	1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	29
PID 1992 wrote to memory of 1276	1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	29
PID 1992 wrote to memory of 1276	1992	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	29
PID 1276 wrote to memory of 860	1276	cmd.exe	31
PID 1276 wrote to memory of 860	1276	cmd.exe	31
PID 1276 wrote to memory of 860	1276	cmd.exe	31
PID 1276 wrote to memory of 1044	1276	cmd.exe	32
PID 1276 wrote to memory of 1044	1276	cmd.exe	32
PID 1276 wrote to memory of 1044	1276	cmd.exe	32
PID 1276 wrote to memory of 1776	1276	cmd.exe	33
PID 1276 wrote to memory of 1776	1276	cmd.exe	33
PID 1276 wrote to memory of 1776	1276	cmd.exe	33
PID 1776 wrote to memory of 2732	1776	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	34
PID 1776 wrote to memory of 2732	1776	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	34
PID 1776 wrote to memory of 2732	1776	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	34
PID 2732 wrote to memory of 3044	2732	cmd.exe	36
PID 2732 wrote to memory of 3044	2732	cmd.exe	36
PID 2732 wrote to memory of 3044	2732	cmd.exe	36
PID 2732 wrote to memory of 1932	2732	cmd.exe	37
PID 2732 wrote to memory of 1932	2732	cmd.exe	37
PID 2732 wrote to memory of 1932	2732	cmd.exe	37
PID 2732 wrote to memory of 2712	2732	cmd.exe	38
PID 2732 wrote to memory of 2712	2732	cmd.exe	38
PID 2732 wrote to memory of 2712	2732	cmd.exe	38
PID 2712 wrote to memory of 2904	2712	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	39
PID 2712 wrote to memory of 2904	2712	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	39
PID 2712 wrote to memory of 2904	2712	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	39
PID 2904 wrote to memory of 1000	2904	cmd.exe	41
PID 2904 wrote to memory of 1000	2904	cmd.exe	41
PID 2904 wrote to memory of 1000	2904	cmd.exe	41
PID 2904 wrote to memory of 2976	2904	cmd.exe	42
PID 2904 wrote to memory of 2976	2904	cmd.exe	42
PID 2904 wrote to memory of 2976	2904	cmd.exe	42
PID 2904 wrote to memory of 1708	2904	cmd.exe	43
PID 2904 wrote to memory of 1708	2904	cmd.exe	43
PID 2904 wrote to memory of 1708	2904	cmd.exe	43
PID 1708 wrote to memory of 1904	1708	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	44
PID 1708 wrote to memory of 1904	1708	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	44
PID 1708 wrote to memory of 1904	1708	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	44
PID 1904 wrote to memory of 2384	1904	cmd.exe	46
PID 1904 wrote to memory of 2384	1904	cmd.exe	46
PID 1904 wrote to memory of 2384	1904	cmd.exe	46
PID 1904 wrote to memory of 2240	1904	cmd.exe	47
PID 1904 wrote to memory of 2240	1904	cmd.exe	47
PID 1904 wrote to memory of 2240	1904	cmd.exe	47
PID 1904 wrote to memory of 1504	1904	cmd.exe	48
PID 1904 wrote to memory of 1504	1904	cmd.exe	48
PID 1904 wrote to memory of 1504	1904	cmd.exe	48
PID 1504 wrote to memory of 2592	1504	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	51
PID 1504 wrote to memory of 2592	1504	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	51
PID 1504 wrote to memory of 2592	1504	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	51
PID 2592 wrote to memory of 2320	2592	cmd.exe	53
PID 2592 wrote to memory of 2320	2592	cmd.exe	53
PID 2592 wrote to memory of 2320	2592	cmd.exe	53
PID 2592 wrote to memory of 2556	2592	cmd.exe	54
PID 2592 wrote to memory of 2556	2592	cmd.exe	54
PID 2592 wrote to memory of 2556	2592	cmd.exe	54
PID 2592 wrote to memory of 2312	2592	cmd.exe	55
PID 2592 wrote to memory of 2312	2592	cmd.exe	55
PID 2592 wrote to memory of 2312	2592	cmd.exe	55
PID 2312 wrote to memory of 1768	2312	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	56
PID 2312 wrote to memory of 1768	2312	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	56
PID 2312 wrote to memory of 1768	2312	ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe	56
PID 1768 wrote to memory of 2024	1768	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
"C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YkVt9kOuik.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:860
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1044
- - C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
    "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3044
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WBTzkrAkDM.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dvHErHhaAz.bat"
        14⤵
        
        PID:312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat"
        16⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat"
        18⤵
        
        PID:2532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat"
        20⤵
        
        PID:2140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U5BoPe2aCH.bat"
        22⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat"
        24⤵
        
        PID:2904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee9e7f2070f70631af332623a0c5d2b337fe225509a4efc52e5e77f9174e709b.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
        26⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Lvud1u8Gv5.bat

Filesize
230B

MD5
031294081e135d379cd914ee327eaaae

SHA1
1ba8370b1d35903f2d2bbef55377a4bc7e5750de

SHA256
96b8cf3aaa2f48cca945a249411b5de426fda291d813534013900b81869b963c

SHA512
4c60f9610a4dd6027bff2872ee77ec847d149f691691e133f46351e0f2524402eba81d1de7541a8fcc8056c18eddcb6ceb5158c11ec8d18750bbe6d01da98ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\U5BoPe2aCH.bat

Filesize
230B

MD5
ee8ea9a8fd76ffb4a5a3c77ff473b945

SHA1
8d0d54f8a2cb34fd2a7c43d5bbf3b1d729a7d539

SHA256
aad0c7515895df37c9907b4bed01eabbe76aac0b88a9a494b1c42e7c5fe222cb

SHA512
32cc35d652fb4fa5a06d97859d5e0531b06a68b3a7ad9111ab4c895c1cd4ff2ab1c169f4e6ec836e18aefc11611b939d331b81a1a8043a31d02e0cc6a6c4f716

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBTzkrAkDM.bat

Filesize
278B

MD5
a95b74af660f5e0e52427a25637f7311

SHA1
e4243fdd72658fb1f9265d8ddee090f734795496

SHA256
003d5b3d45d1b1913149edb4f09a0743605cb4f838c67815334a906891d16f41

SHA512
751c01ac6682102b8cbbfb37586d7a844c51f9c55eaadeab3bbb3ebe235a4790c2c1bbe02dfaf789379f39e36215dd8288d1089efe29c7c7b8401f158f0dffa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat

Filesize
278B

MD5
988d8ca84a493f076138603b8e87ee85

SHA1
5e1ca0a711617d044d7dfcc73dbe5921701fcbf4

SHA256
872c906c88e41f1cc2c7b940e34a443df075825c7b8adc2f1f7ab24d08b9971f

SHA512
b441f71583030398ff966976dddc0a0aa8d8a79a3a2e1055b0a79daa042e6c8bb933604d8ce231f6783840c3e4df4d9b0dc6aab38019e5bcbb144231a0fb4f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkVt9kOuik.bat

Filesize
278B

MD5
e2cff11932296cf00be00f2befbd8acc

SHA1
2f19f11507c84cf0668ef92841ccb9eb95144937

SHA256
0dc76e7a09f3278b5cdf8617e2ffd5cf3ae7f9421dc41ce0d027d5821923390b

SHA512
a792fe2eb29b86a695b8644f79097af5d7efff3331d75331de00c3132721a7e2513eccbd611420fa39d887256e977546a63112bb89b8e0852203a815b49aa408

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat

Filesize
278B

MD5
d052057c88e8c763c0480acec3b39fc8

SHA1
0d9fd131a1a4f87c512eb1705b211553be3331a8

SHA256
608202bf5bc47df2e127f116b40305ab020bdd7fa5eb338545d92b08207f4534

SHA512
a0e5c3faf6785802a3e608850965decd3ba49cbe4bbc2d73dac862d9553402d661c970afb269616a4a8c47e20e18448a93f5874e1cd9ece87aa078de273fdd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat

Filesize
278B

MD5
6ac5b89239e3c0aba336d3e1c1bdefaf

SHA1
2e68f2f011d00164ee0c01df9156d5d11e8b037b

SHA256
a4af56c76cae1fc112e80ca3ce47bd7c1fc5b3b76fc5ffd11b26d97352e67c5b

SHA512
b691c7654c478720bab2e795abb196502eae46ed7c9b83611d5ff29e6a9f78abc5b58707953f0554ffa4a516c3d1a38b42fd2dcc87ac14fb91d405ffae31f2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvHErHhaAz.bat

Filesize
278B

MD5
f7ea65119b664afcb1c8dafd4f88cbad

SHA1
00bb5e845b9171dceb9e53a4acbc6aa8431819b2

SHA256
0c356071531cba955d78dc2898704533a19af1561f12f1deb513fbd4095c05bd

SHA512
4a251a4bea8f4f5e92be09ff1a00aafed9c69ca84f49471288bdb8966f61aa75b8ed093163418436a69eab87e8d09480b9bb1fa42596e5fd35cf0b7f1fa99b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\fn6aS0VTUV.bat

Filesize
230B

MD5
4d7f6c04803a98c68166634dcee41f31

SHA1
f23ad72e1264ca6151c7bddccf93124735d917c3

SHA256
ff5a0bfe7d52c494769b95879919764c28c39b9d9eb383c6e91cb655651e38c6

SHA512
10e15827a98d562a2106359f1a1f53d28ac65b9d06244f468310972d8727b78a4344a07833317f0e3e01c3c02430df79b25438d8caea37506e12f1f4268c7d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat

Filesize
230B

MD5
c142b510525bc818701d12a832ee1f72

SHA1
775e14d9d3a117dc16bb0cc227ff61c80ad83418

SHA256
34ed822a3c6624731a7a540ce0445c30ae21b8310f15b623458eb4f6c619e8f8

SHA512
a5516ee1516d8d885d9328d67b39aaf1c16873003c817dfa3ff2d1bb337abbddeafbb329d6ba74ada0fd035460adec2f74680c52a6cd4833a56f74fae2709532

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat

Filesize
278B

MD5
b6c1bb60a4af357eb0d3dc6055527ae4

SHA1
7824afb808646582e7c39ed4c2794a131e15f1da

SHA256
3b1449255c6f21a589abe98e3a0de28042c1c5d61adb4cc29824e75ac39d3015

SHA512
d0b09afa3a394f8c2f117793aa5bc98b86b48d352fb1879e04fed813cabd275a2fc0aa47632a6c26bac3317bde573c9d159d9df11f97e0bbd5049e36d97c4925

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat

Filesize
278B

MD5
38057ff9c2986766244de10eb8a6eb9e

SHA1
fb4569d3ce15f141dc936c08158346876759f796

SHA256
69f36a8725bb7bf68498ccc531f41d98c086ce4f928dae63e4690476ff0ddbac

SHA512
477e54f34b8714ce5d0786ccee9314efeac196d8391a9af5feaa61d074a8c76f5ea09a1a3de0b536bcfb806d9d52045f0b9d1c4089641e8278256d408fab4c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sVWBOBo5KY.bat

Filesize
278B

MD5
3f79ff33cd55f32eefcaac95af89ffa8

SHA1
23ae9df4f7ac0774e0fb115d1abb4a878dc63eec

SHA256
580a5ab862ad578247f753cfe6a7c58ac793122cec7958c22aa4373753964c9f

SHA512
106006f3173c748c329675f8843799a18747e5a4e037b3709b6f42feafebe9914cc13731e9457494bd25e628163c80b4d662234ae041bab5f866a969548c27d5

Download Submit
memory/1504-147-0x00000000002C0000-0x000000000064C000-memory.dmp

Filesize
3.5MB

Download
memory/1672-258-0x0000000000D40000-0x00000000010CC000-memory.dmp

Filesize
3.5MB

Download
memory/1740-287-0x0000000000D80000-0x000000000110C000-memory.dmp

Filesize
3.5MB

Download
memory/1776-64-0x0000000000030000-0x00000000003BC000-memory.dmp

Filesize
3.5MB

Download
memory/1812-343-0x00000000008F0000-0x0000000000C7C000-memory.dmp

Filesize
3.5MB

Download
memory/1876-315-0x0000000000250000-0x00000000005DC000-memory.dmp

Filesize
3.5MB

Download
memory/1992-31-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-28-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/1992-33-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/1992-35-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/1992-37-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/1992-39-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/1992-41-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/1992-43-0x000000001AF60000-0x000000001AFBA000-memory.dmp

Filesize
360KB

Download
memory/1992-45-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

Filesize
56KB

Download
memory/1992-47-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/1992-49-0x0000000000ED0000-0x0000000000EDE000-memory.dmp

Filesize
56KB

Download
memory/1992-51-0x0000000001010000-0x0000000001028000-memory.dmp

Filesize
96KB

Download
memory/1992-53-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

Filesize
48KB

Download
memory/1992-55-0x000000001B3E0000-0x000000001B42E000-memory.dmp

Filesize
312KB

Download
memory/1992-56-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/1992-57-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-23-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-63-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-25-0x0000000000680000-0x000000000068E000-memory.dmp

Filesize
56KB

Download
memory/1992-26-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-1-0x00000000010A0000-0x000000000142C000-memory.dmp

Filesize
3.5MB

Download
memory/1992-22-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/1992-30-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/1992-0-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/1992-17-0x0000000000A60000-0x0000000000A78000-memory.dmp

Filesize
96KB

Download
memory/1992-2-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-18-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-20-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/1992-3-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-15-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-14-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/1992-12-0x0000000000830000-0x000000000084C000-memory.dmp

Filesize
112KB

Download
memory/1992-10-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1992-8-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-7-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1992-6-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/1992-4-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2312-175-0x0000000001210000-0x000000000159C000-memory.dmp

Filesize
3.5MB

Download
memory/2376-230-0x0000000000240000-0x00000000005CC000-memory.dmp

Filesize
3.5MB

Download
memory/2712-92-0x00000000011B0000-0x000000000153C000-memory.dmp

Filesize
3.5MB

Download
memory/3024-372-0x00000000010D0000-0x000000000145C000-memory.dmp

Filesize
3.5MB

Download