zgrat | 72d37461bae5b05ce82a70a2d170b4c1e0cd134284d8efbfcf09ec69dee50d11

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe
Size

3.4MB
MD5

2c100ae7c04ea5d72e149d17611baca1
SHA1

a3e8248074789657ccb0a7cc196d22bfffbcb18a
SHA256

72d37461bae5b05ce82a70a2d170b4c1e0cd134284d8efbfcf09ec69dee50d11
SHA512

5955d8099047c56e159566cd3be6ab34596473d7809ce8771999a93df984876e34e6b4f1e6dda1ae44429f6ab476c68216940b2165efeb2ff58c32010317b679
SSDEEP

98304:yluaK1DE0mfhxWA3FbcSX7rhouLWssH2aryKUvg8r8TU:uuaK1DE04YA3FbcSX7FouLrrHPITU

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 8 IoCs

Processes:

resource	yara_rule
\bridgemsWebdll\portrefNet.exe	family_zgrat_v1
behavioral1/memory/2628-13-0x0000000000320000-0x00000000006A8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2428-73-0x0000000000C30000-0x0000000000FB8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1008-101-0x0000000000EA0000-0x0000000001228000-memory.dmp	family_zgrat_v1
behavioral1/memory/1564-129-0x00000000010F0000-0x0000000001478000-memory.dmp	family_zgrat_v1
behavioral1/memory/2752-211-0x0000000001130000-0x00000000014B8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2424-239-0x00000000011B0000-0x0000000001538000-memory.dmp	family_zgrat_v1
behavioral1/memory/1548-295-0x00000000012B0000-0x0000000001638000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 13 IoCs

Processes:

portrefNet.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid	process
2628	portrefNet.exe
2428	wininit.exe
1008	wininit.exe
1564	wininit.exe
2076	wininit.exe
1428	wininit.exe
2752	wininit.exe
2424	wininit.exe
1476	wininit.exe
1548	wininit.exe
2176	wininit.exe
1316	wininit.exe
1996	wininit.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2836 cmd.exe
2836 cmd.exe

pid	process
2836	cmd.exe
2836	cmd.exe

Drops file in Program Files directory 4 IoCs

Processes:

portrefNet.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\it-IT\wininit.exe	portrefNet.exe
File created	C:\Program Files\Windows Mail\it-IT\56085415360792	portrefNet.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\wininit.exe	portrefNet.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\56085415360792	portrefNet.exe

Drops file in Windows directory 3 IoCs

Processes:

portrefNet.exe

description	ioc	process
File created	C:\Windows\ModemLogs\sppsvc.exe	portrefNet.exe
File opened for modification	C:\Windows\ModemLogs\sppsvc.exe	portrefNet.exe
File created	C:\Windows\ModemLogs\0a1fd5f707cd16	portrefNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2612 PING.EXE
1608 PING.EXE
2608 PING.EXE
1600 PING.EXE
336 PING.EXE
2728 PING.EXE
2528 PING.EXE

pid	process
2612	PING.EXE
1608	PING.EXE
2608	PING.EXE
1600	PING.EXE
336	PING.EXE
2728	PING.EXE
2528	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

portrefNet.exe

pid	process
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe
2628	portrefNet.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

portrefNet.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	2628	portrefNet.exe
Token: SeDebugPrivilege	2428	wininit.exe
Token: SeDebugPrivilege	1008	wininit.exe
Token: SeDebugPrivilege	1564	wininit.exe
Token: SeDebugPrivilege	2076	wininit.exe
Token: SeDebugPrivilege	1428	wininit.exe
Token: SeDebugPrivilege	2752	wininit.exe
Token: SeDebugPrivilege	2424	wininit.exe
Token: SeDebugPrivilege	1476	wininit.exe
Token: SeDebugPrivilege	1548	wininit.exe
Token: SeDebugPrivilege	2176	wininit.exe
Token: SeDebugPrivilege	1316	wininit.exe
Token: SeDebugPrivilege	1996	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exeWScript.execmd.exeportrefNet.execmd.exewininit.execmd.exewininit.execmd.exewininit.execmd.exewininit.execmd.exe

description	pid	process	target process
PID 2932 wrote to memory of 2176	2932	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe	WScript.exe
PID 2932 wrote to memory of 2176	2932	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe	WScript.exe
PID 2932 wrote to memory of 2176	2932	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe	WScript.exe
PID 2932 wrote to memory of 2176	2932	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe	WScript.exe
PID 2176 wrote to memory of 2836	2176	WScript.exe	cmd.exe
PID 2176 wrote to memory of 2836	2176	WScript.exe	cmd.exe
PID 2176 wrote to memory of 2836	2176	WScript.exe	cmd.exe
PID 2176 wrote to memory of 2836	2176	WScript.exe	cmd.exe
PID 2836 wrote to memory of 2628	2836	cmd.exe	portrefNet.exe
PID 2836 wrote to memory of 2628	2836	cmd.exe	portrefNet.exe
PID 2836 wrote to memory of 2628	2836	cmd.exe	portrefNet.exe
PID 2836 wrote to memory of 2628	2836	cmd.exe	portrefNet.exe
PID 2628 wrote to memory of 1912	2628	portrefNet.exe	cmd.exe
PID 2628 wrote to memory of 1912	2628	portrefNet.exe	cmd.exe
PID 2628 wrote to memory of 1912	2628	portrefNet.exe	cmd.exe
PID 1912 wrote to memory of 2792	1912	cmd.exe	chcp.com
PID 1912 wrote to memory of 2792	1912	cmd.exe	chcp.com
PID 1912 wrote to memory of 2792	1912	cmd.exe	chcp.com
PID 1912 wrote to memory of 1964	1912	cmd.exe	w32tm.exe
PID 1912 wrote to memory of 1964	1912	cmd.exe	w32tm.exe
PID 1912 wrote to memory of 1964	1912	cmd.exe	w32tm.exe
PID 1912 wrote to memory of 2428	1912	cmd.exe	wininit.exe
PID 1912 wrote to memory of 2428	1912	cmd.exe	wininit.exe
PID 1912 wrote to memory of 2428	1912	cmd.exe	wininit.exe
PID 2428 wrote to memory of 2380	2428	wininit.exe	cmd.exe
PID 2428 wrote to memory of 2380	2428	wininit.exe	cmd.exe
PID 2428 wrote to memory of 2380	2428	wininit.exe	cmd.exe
PID 2380 wrote to memory of 2264	2380	cmd.exe	chcp.com
PID 2380 wrote to memory of 2264	2380	cmd.exe	chcp.com
PID 2380 wrote to memory of 2264	2380	cmd.exe	chcp.com
PID 2380 wrote to memory of 2608	2380	cmd.exe	PING.EXE
PID 2380 wrote to memory of 2608	2380	cmd.exe	PING.EXE
PID 2380 wrote to memory of 2608	2380	cmd.exe	PING.EXE
PID 2380 wrote to memory of 1008	2380	cmd.exe	wininit.exe
PID 2380 wrote to memory of 1008	2380	cmd.exe	wininit.exe
PID 2380 wrote to memory of 1008	2380	cmd.exe	wininit.exe
PID 1008 wrote to memory of 1368	1008	wininit.exe	cmd.exe
PID 1008 wrote to memory of 1368	1008	wininit.exe	cmd.exe
PID 1008 wrote to memory of 1368	1008	wininit.exe	cmd.exe
PID 1368 wrote to memory of 1524	1368	cmd.exe	chcp.com
PID 1368 wrote to memory of 1524	1368	cmd.exe	chcp.com
PID 1368 wrote to memory of 1524	1368	cmd.exe	chcp.com
PID 1368 wrote to memory of 2212	1368	cmd.exe	w32tm.exe
PID 1368 wrote to memory of 2212	1368	cmd.exe	w32tm.exe
PID 1368 wrote to memory of 2212	1368	cmd.exe	w32tm.exe
PID 1368 wrote to memory of 1564	1368	cmd.exe	wininit.exe
PID 1368 wrote to memory of 1564	1368	cmd.exe	wininit.exe
PID 1368 wrote to memory of 1564	1368	cmd.exe	wininit.exe
PID 1564 wrote to memory of 848	1564	wininit.exe	cmd.exe
PID 1564 wrote to memory of 848	1564	wininit.exe	cmd.exe
PID 1564 wrote to memory of 848	1564	wininit.exe	cmd.exe
PID 848 wrote to memory of 1576	848	cmd.exe	chcp.com
PID 848 wrote to memory of 1576	848	cmd.exe	chcp.com
PID 848 wrote to memory of 1576	848	cmd.exe	chcp.com
PID 848 wrote to memory of 1680	848	cmd.exe	w32tm.exe
PID 848 wrote to memory of 1680	848	cmd.exe	w32tm.exe
PID 848 wrote to memory of 1680	848	cmd.exe	w32tm.exe
PID 848 wrote to memory of 2076	848	cmd.exe	wininit.exe
PID 848 wrote to memory of 2076	848	cmd.exe	wininit.exe
PID 848 wrote to memory of 2076	848	cmd.exe	wininit.exe
PID 2076 wrote to memory of 2976	2076	wininit.exe	cmd.exe
PID 2076 wrote to memory of 2976	2076	wininit.exe	cmd.exe
PID 2076 wrote to memory of 2976	2076	wininit.exe	cmd.exe
PID 2976 wrote to memory of 3020	2976	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe
"C:\Users\Admin\AppData\Local\Temp\72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgemsWebdll\mwWwmxw2kqhuNOXs3iKVCNL.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\bridgemsWebdll\pSHGEt1KNYwFf1hnsmPOmsTyOQ1HsALJIBCTZl44eK0EhfZn9707.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836

C:\bridgemsWebdll\portrefNet.exe
"C:\bridgemsWebdll/portrefNet.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JXKjRieH2c.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2792

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1964

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rsWxIDz3Cx.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2264

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2608

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\50TwasnRS2.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1524

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:2212

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:1576

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:1680

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gmfrQySV9n.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:3020

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:2548

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat"
15⤵
PID:2040

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1932

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:1936

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NxeDi3jWef.bat"
17⤵
PID:1812

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2348

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1600

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\336zK5Rer1.bat"
19⤵
PID:2200

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3032

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:2128

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tdcOVhdoAh.bat"
21⤵
PID:2872

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:988

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:336

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DNHOnF8KXH.bat"
23⤵
PID:864

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2924

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2728

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lpuFzxtUQC.bat"
25⤵
PID:2680

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2920

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2528

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat"
27⤵
PID:880

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2612

C:\Program Files\Windows Mail\it-IT\wininit.exe
"C:\Program Files\Windows Mail\it-IT\wininit.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoOjDDwUcv.bat"
29⤵
PID:1852

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:1504

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\336zK5Rer1.bat
Filesize
223B

MD5
732a8b791c818d9bf942275ad350922a

SHA1
4799fde960e76bf9c9ad48113ff9c77720bc6275

SHA256
8827dae47e40dd52fff5f8655a66ee146a0beb4d2cb3751dfd1b537c8e5b048e

SHA512
7f7e7c6db773744eb58273a22dbbdee8356a5f677ed38d30caa85034d624110cb5e5225a4d55b6ab230a7f1f0daf34a7d60fa45f27c0821cb630e4947418dd4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat
Filesize
175B

MD5
da7855db0be832f48b438459c0517b9b

SHA1
54c45eea78aee484bb864024e8bc2e47a091fd53

SHA256
2a4811f056a4c29c138e9b66b99d8205529c25d71b7af3a5b4e5ba220051e72e

SHA512
df376e38ca1b2b750860152892bd992daaea629c80547bdee49b64e16f7a7f3d8cf62ab6577750474866d4fb7927b636aa8f6a0ea138152449da92873648de4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\50TwasnRS2.bat
Filesize
223B

MD5
cb897c795e0be64442ec1b9263e09854

SHA1
26ad4df3793cdf2e50166ca11c5b3bb7217d23ce

SHA256
1f6a4e006213edfb3dfef1e487e30f4d600a0d4e9406ad0874a851097dccd626

SHA512
307c338980ed02205bc9d83f657ca99573daeeb5b4db14065a6095bd9e5231166604397de52f41bfcd72b5c5eb8a59d3f120a9b36af3840aa8bc15a75a98b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNHOnF8KXH.bat
Filesize
175B

MD5
0a63b142d5b91995c3ec414c3cfd3729

SHA1
0cdcb854c6f662b6eec30b9d30f6171de00728a9

SHA256
e0d4100468d6706ac0beb96b358b673b093ce17677a0f34699a7875479c7d5f4

SHA512
52c26a2cc5cc20f7a843662f6ef8edc54fb65539368cce86041c6216a43d5471b3d207b00a6e73d0525490dddf0eba3589d95a8ddb9cc5e1db9d460f85bcc9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\JXKjRieH2c.bat
Filesize
223B

MD5
bd9ebddfcc336119e172313dd8ee4346

SHA1
797b9b54bc2d5d45871b1dbd5cad5b9ea4d50887

SHA256
06ab6d3738f6c2ff7c95461a16db31ffe0542475802143604b877a6474465c31

SHA512
a9ebe0a656d5c5846e7daac3bf5a1dbd440165a6e3b252a5460a856e4f75051d7dd09ab71d501d9b366326500a97c94fe25b4ab4d82d46707c8690392ee4accd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NiOMBGhh72.bat
Filesize
223B

MD5
bcf68257de475fc525bb2db94a662112

SHA1
89f419144fe9e37e2330acbcae381e62ed1d7654

SHA256
a64ffdc95fce1889ba5a89c1314780686f68c789d5175b0706f26263dacf997d

SHA512
393655c7f2d185bb44f8ac9404552b8ac20225265c838b7e165c3890e8ab29854b8204885529ac7e66f15f7b2d203ea415abf9a11a15f3eed1ec250766e4c1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\NxeDi3jWef.bat
Filesize
175B

MD5
831a60e1ff17a72ca5f0953d3f5b8dae

SHA1
90a1ab43d67883772b50b4eeb838ff556a1ad101

SHA256
91412cb8505d976fcc57729c8d980690946b3ada1d066a37a66bb7a753b29112

SHA512
3bdcb1f8a8f57260197dfa6612cbe51c7b5b74e1a3aa4e10d55212452df8efc73cd79db3c86e2a5e4f18b43de5b6ef5bab324b6702a899f1e186405e16125d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZS3ivmkr8q.bat
Filesize
223B

MD5
a048b8689d8ab2141df8d61fb30c8672

SHA1
9634b7c0f0589d7f4e1af1472d10fabc5620fd54

SHA256
d865596bc8fec809a0655cd897b3e32ba80f95aa65b0bd3a1d0ed4024e01f26e

SHA512
06e81f60bcf88b40370e39d7e4adc2b3df7539451da0a84df0cbf4b0d766027d51d267b3d14f2c0e94e9cc2f3f3181aa7d5f98ae4526ab00320f5025775d999c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmfrQySV9n.bat
Filesize
223B

MD5
ab671172a40ec0cb9f607ee276cf00b8

SHA1
2db3cf161b1874476bbcad42f8fd1d47e4121f35

SHA256
9d2362c81dbedcc0fe8bbf4a235e5f1e087027f58735348758eeeba3ea58d920

SHA512
8af5a348a4b5c900ddb67d27957b4a52c6744f35b3deb679a9e45e1a9904a21561b8ce8ffca324a650fe744fee46c9cff55dcd0a35d034acad3b9e94bb712a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpuFzxtUQC.bat
Filesize
175B

MD5
a5aebf95a555a78d7729411c52546c05

SHA1
e7e4818c7617848b60a1cba10e38658f2ff12fd2

SHA256
63489eee2e04614185b96e26fc227533a27a8983252483725656ce324c730b9c

SHA512
42883fa0c28f39ce368d528de7baf73aea01933b8b86ac2e48e575ae904d24ccac1380aa6a7fc5a6918e264989c2e1e3d830f2d818cd8a30afd54da010e59266

Download Submit
C:\Users\Admin\AppData\Local\Temp\rsWxIDz3Cx.bat
Filesize
175B

MD5
426bbe6e2a15f22da7bb87c7d748e06b

SHA1
04a0e3688c92a4ac9aae10f2649b654960475cd5

SHA256
d60bf5b8d28fbcb8ebf21ed62c4572827fce507e3fcd31a75e2ee844db181148

SHA512
e205ec06e68d9c0665c0c1bceb64745a8bfef9461f10a23ce679745e3cd8ced4569b1177c8b115424cd9121dcb3162294d063caf70044e37b7be4d7cf7257efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdcOVhdoAh.bat
Filesize
175B

MD5
2abfc03080837e1aee0b0db0486e811d

SHA1
8b7e7323f9bcfc7abbefc3402181fb8f938f5266

SHA256
f04e7a6db5e6a013db1dcae1ffa53eee7199b73e81df79666fb0f092c5ff0471

SHA512
612cfb60149f61b663b157a09fa97ffb67fe1d955770d151b6ea9c955f821309f947808c1837ba797c59617e24a149f821e1b6fc74b024bcf6402e4da0939183

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoOjDDwUcv.bat
Filesize
175B

MD5
fb25af31fb65f3a49eb7ff533781b98e

SHA1
6d46d28adbf4a48121270dedac057716c14fcca1

SHA256
563a4f5e49b21f4aab3173382a70bbe11aed8667f8e2a97af1b4204bdbe5e57f

SHA512
309325340547e8cfdc8f222d8c5756316e30b9ed69935197a2b4fc4918e92940fd9852977e6cc5a32eb4638b4bbc2f4e5e4115d0b9d32001b9cbbbe8d93b5933

Download Submit
C:\bridgemsWebdll\mwWwmxw2kqhuNOXs3iKVCNL.vbe
Filesize
245B

MD5
d909e3759a2db2ec1f1e23a61ded4aad

SHA1
9ad44ebdd8c090181f6a5ead1c03233739e2c7a5

SHA256
f82b1ead3e4f3e7c88633095be0ca6df5cd8106fa910727c8fb4ec93194928bb

SHA512
2f0ca7982542a58fd6aa3224a65cd1887e0014ad1c5305cfd89c4006b3e8ed808a6546b907eacf63555bd15c99937e24a51bba9931c6cc96a1467a8053a4b531

Download Submit
C:\bridgemsWebdll\pSHGEt1KNYwFf1hnsmPOmsTyOQ1HsALJIBCTZl44eK0EhfZn9707.bat
Filesize
91B

MD5
f9d826541152593617de889e1729ea02

SHA1
7c1283dfbd7f021ea5b19fbc3d64bb8542077916

SHA256
6baa580fe4110a1df3db995716683640ffcbb940d56529154d606871689affda

SHA512
78d612e7c3fe2cc9ac6efb7f58243d988a6816cfbc725f4be4a95908ae9f52ce757fc880b4c03f224c2d949178deee036f98f9234c9b3f42c74f6022683e0459

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\bridgemsWebdll\portrefNet.exe
Filesize
3.5MB

MD5
e6efdcd592d5833f28e12d3a12901660

SHA1
165ecd79d3ad1353c960435554fbc9380a7951d0

SHA256
aa253669cd8adf25bdbb60b2497bb89bcff54facd27a2c5a35bc2e7f1ff461b4

SHA512
0109098f116d60a53ad59edf8c1e5a326bb6073e77c07a4b627ef24b8c74522b7c0a1fc4585f50e0e154c4c6c4bb48ece3ddb7c625f25deb551b263b0ba99aa1

Download Submit
memory/1008-101-0x0000000000EA0000-0x0000000001228000-memory.dmp

Filesize
3.5MB

Download
memory/1548-295-0x00000000012B0000-0x0000000001638000-memory.dmp

Filesize
3.5MB

Download
memory/1564-129-0x00000000010F0000-0x0000000001478000-memory.dmp

Filesize
3.5MB

Download
memory/2424-239-0x00000000011B0000-0x0000000001538000-memory.dmp

Filesize
3.5MB

Download
memory/2428-73-0x0000000000C30000-0x0000000000FB8000-memory.dmp

Filesize
3.5MB

Download
memory/2628-29-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/2628-35-0x0000000002360000-0x0000000002376000-memory.dmp

Filesize
88KB

Download
memory/2628-55-0x000000001B380000-0x000000001B3CE000-memory.dmp

Filesize
312KB

Download
memory/2628-51-0x000000001A960000-0x000000001A96E000-memory.dmp

Filesize
56KB

Download
memory/2628-49-0x000000001A950000-0x000000001A960000-memory.dmp

Filesize
64KB

Download
memory/2628-47-0x000000001A940000-0x000000001A94E000-memory.dmp

Filesize
56KB

Download
memory/2628-45-0x000000001A9A0000-0x000000001A9FA000-memory.dmp

Filesize
360KB

Download
memory/2628-43-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2628-41-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/2628-39-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/2628-37-0x0000000002380000-0x0000000002392000-memory.dmp

Filesize
72KB

Download
memory/2628-53-0x000000001AA00000-0x000000001AA18000-memory.dmp

Filesize
96KB

Download
memory/2628-13-0x0000000000320000-0x00000000006A8000-memory.dmp

Filesize
3.5MB

Download
memory/2628-33-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/2628-31-0x0000000002340000-0x0000000002352000-memory.dmp

Filesize
72KB

Download
memory/2628-27-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/2628-25-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2628-23-0x0000000000950000-0x0000000000968000-memory.dmp

Filesize
96KB

Download
memory/2628-21-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/2628-19-0x0000000000910000-0x000000000092C000-memory.dmp

Filesize
112KB

Download
memory/2628-17-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/2628-15-0x00000000008E0000-0x0000000000906000-memory.dmp

Filesize
152KB

Download
memory/2752-211-0x0000000001130000-0x00000000014B8000-memory.dmp

Filesize
3.5MB

Download