zgrat | 72d37461bae5b05ce82a70a2d170b4c1e0cd134284d8efbfcf09ec69dee50d11

Analysis

max time kernel
141s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe
Size

3.4MB
MD5

2c100ae7c04ea5d72e149d17611baca1
SHA1

a3e8248074789657ccb0a7cc196d22bfffbcb18a
SHA256

72d37461bae5b05ce82a70a2d170b4c1e0cd134284d8efbfcf09ec69dee50d11
SHA512

5955d8099047c56e159566cd3be6ab34596473d7809ce8771999a93df984876e34e6b4f1e6dda1ae44429f6ab476c68216940b2165efeb2ff58c32010317b679
SSDEEP

98304:yluaK1DE0mfhxWA3FbcSX7rhouLWssH2aryKUvg8r8TU:uuaK1DE04YA3FbcSX7FouLrrHPITU

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233b7-10.dat	family_zgrat_v1
behavioral2/memory/2700-12-0x0000000000480000-0x0000000000808000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	portrefNet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 12 IoCs

pid	Process
2700	portrefNet.exe
3128	SppExtComObj.exe
2928	SppExtComObj.exe
4988	SppExtComObj.exe
2052	SppExtComObj.exe
3088	SppExtComObj.exe
2180	SppExtComObj.exe
2880	SppExtComObj.exe
4624	SppExtComObj.exe
856	SppExtComObj.exe
4660	SppExtComObj.exe
3312	SppExtComObj.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\GameBarPresenceWriter\66fc9ff0ee96c2	portrefNet.exe
File created	C:\Windows\uk-UA\wininit.exe	portrefNet.exe
File created	C:\Windows\uk-UA\56085415360792	portrefNet.exe
File created	C:\Windows\uk-UA\SppExtComObj.exe	portrefNet.exe
File created	C:\Windows\uk-UA\e1ef82546f0b02	portrefNet.exe
File created	C:\Windows\GameBarPresenceWriter\sihost.exe	portrefNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	portrefNet.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	SppExtComObj.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
760	PING.EXE
3000	PING.EXE
3512	PING.EXE
3884	PING.EXE
4008	PING.EXE
4220	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe
2700	portrefNet.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	portrefNet.exe
Token: SeDebugPrivilege	3128	SppExtComObj.exe
Token: SeDebugPrivilege	2928	SppExtComObj.exe
Token: SeDebugPrivilege	4988	SppExtComObj.exe
Token: SeDebugPrivilege	2052	SppExtComObj.exe
Token: SeDebugPrivilege	3088	SppExtComObj.exe
Token: SeDebugPrivilege	2180	SppExtComObj.exe
Token: SeDebugPrivilege	2880	SppExtComObj.exe
Token: SeDebugPrivilege	4624	SppExtComObj.exe
Token: SeDebugPrivilege	856	SppExtComObj.exe
Token: SeDebugPrivilege	4660	SppExtComObj.exe
Token: SeDebugPrivilege	3312	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1928	2036	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe	84
PID 2036 wrote to memory of 1928	2036	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe	84
PID 2036 wrote to memory of 1928	2036	72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe	84
PID 1928 wrote to memory of 2312	1928	WScript.exe	86
PID 1928 wrote to memory of 2312	1928	WScript.exe	86
PID 1928 wrote to memory of 2312	1928	WScript.exe	86
PID 2312 wrote to memory of 2700	2312	cmd.exe	88
PID 2312 wrote to memory of 2700	2312	cmd.exe	88
PID 2700 wrote to memory of 1528	2700	portrefNet.exe	91
PID 2700 wrote to memory of 1528	2700	portrefNet.exe	91
PID 1528 wrote to memory of 4900	1528	cmd.exe	93
PID 1528 wrote to memory of 4900	1528	cmd.exe	93
PID 1528 wrote to memory of 760	1528	cmd.exe	94
PID 1528 wrote to memory of 760	1528	cmd.exe	94
PID 1528 wrote to memory of 3128	1528	cmd.exe	96
PID 1528 wrote to memory of 3128	1528	cmd.exe	96
PID 3128 wrote to memory of 3180	3128	SppExtComObj.exe	97
PID 3128 wrote to memory of 3180	3128	SppExtComObj.exe	97
PID 3180 wrote to memory of 2588	3180	cmd.exe	99
PID 3180 wrote to memory of 2588	3180	cmd.exe	99
PID 3180 wrote to memory of 2244	3180	cmd.exe	100
PID 3180 wrote to memory of 2244	3180	cmd.exe	100
PID 3180 wrote to memory of 2928	3180	cmd.exe	101
PID 3180 wrote to memory of 2928	3180	cmd.exe	101
PID 2928 wrote to memory of 3324	2928	SppExtComObj.exe	102
PID 2928 wrote to memory of 3324	2928	SppExtComObj.exe	102
PID 3324 wrote to memory of 3588	3324	cmd.exe	104
PID 3324 wrote to memory of 3588	3324	cmd.exe	104
PID 3324 wrote to memory of 4440	3324	cmd.exe	105
PID 3324 wrote to memory of 4440	3324	cmd.exe	105
PID 3324 wrote to memory of 4988	3324	cmd.exe	106
PID 3324 wrote to memory of 4988	3324	cmd.exe	106
PID 4988 wrote to memory of 4784	4988	SppExtComObj.exe	107
PID 4988 wrote to memory of 4784	4988	SppExtComObj.exe	107
PID 4784 wrote to memory of 4256	4784	cmd.exe	109
PID 4784 wrote to memory of 4256	4784	cmd.exe	109
PID 4784 wrote to memory of 3000	4784	cmd.exe	110
PID 4784 wrote to memory of 3000	4784	cmd.exe	110
PID 4784 wrote to memory of 2052	4784	cmd.exe	111
PID 4784 wrote to memory of 2052	4784	cmd.exe	111
PID 2052 wrote to memory of 716	2052	SppExtComObj.exe	112
PID 2052 wrote to memory of 716	2052	SppExtComObj.exe	112
PID 716 wrote to memory of 1148	716	cmd.exe	114
PID 716 wrote to memory of 1148	716	cmd.exe	114
PID 716 wrote to memory of 3512	716	cmd.exe	115
PID 716 wrote to memory of 3512	716	cmd.exe	115
PID 716 wrote to memory of 3088	716	cmd.exe	116
PID 716 wrote to memory of 3088	716	cmd.exe	116
PID 3088 wrote to memory of 1200	3088	SppExtComObj.exe	117
PID 3088 wrote to memory of 1200	3088	SppExtComObj.exe	117
PID 1200 wrote to memory of 1156	1200	cmd.exe	119
PID 1200 wrote to memory of 1156	1200	cmd.exe	119
PID 1200 wrote to memory of 2056	1200	cmd.exe	120
PID 1200 wrote to memory of 2056	1200	cmd.exe	120
PID 1200 wrote to memory of 2180	1200	cmd.exe	121
PID 1200 wrote to memory of 2180	1200	cmd.exe	121
PID 2180 wrote to memory of 4928	2180	SppExtComObj.exe	122
PID 2180 wrote to memory of 4928	2180	SppExtComObj.exe	122
PID 4928 wrote to memory of 3412	4928	cmd.exe	124
PID 4928 wrote to memory of 3412	4928	cmd.exe	124
PID 4928 wrote to memory of 2836	4928	cmd.exe	125
PID 4928 wrote to memory of 2836	4928	cmd.exe	125
PID 4928 wrote to memory of 2880	4928	cmd.exe	126
PID 4928 wrote to memory of 2880	4928	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe
"C:\Users\Admin\AppData\Local\Temp\72D37461BAE5B05CE82A70A2D170B4C1E0CD134284D8E.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgemsWebdll\mwWwmxw2kqhuNOXs3iKVCNL.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgemsWebdll\pSHGEt1KNYwFf1hnsmPOmsTyOQ1HsALJIBCTZl44eK0EhfZn9707.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\bridgemsWebdll\portrefNet.exe
      "C:\bridgemsWebdll/portrefNet.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QYGlPFMrpV.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4900
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:760
      - C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2244
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4440
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kTLD8xjVtV.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:3000
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iEW5dCkeha.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:3512
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2056
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2836
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\26i24I6rG0.bat"
        19⤵
        
        PID:3644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3652
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\liBLcijL4Q.bat"
        21⤵
        
        PID:4480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4484
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aocknmtqfY.bat"
        23⤵
        
        PID:4944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:3884
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat"
        25⤵
        
        PID:2920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        Runs ping.exe
        
        PID:4008
        
        C:\Recovery\WindowsRE\SppExtComObj.exe
        
        "C:\Recovery\WindowsRE\SppExtComObj.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gzlPEas6c9.bat"
        27⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\26i24I6rG0.bat

Filesize
214B

MD5
d6a40896231d9ba0c4e9b2cd50f6fe1a

SHA1
249d922f77c835f7ec95c60c08f37224c9384843

SHA256
8e5ad667781f17fd61b4239b7adcdb8ade2f19738661ef802aa85ed9b14b4443

SHA512
d204684db3a411756e67206ef9db66f483e24c7f9149e6806b8b9bc3edeb0764f65b7cf9e2304fa727a62b17a284f9bee66fd5c240ae6110da2ed2f52a2b8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat

Filesize
214B

MD5
b8f8aa1983c3be148116a0a9690be434

SHA1
ed22f33b9e5faffa047e045a6449b6a8b2ad880d

SHA256
f31a94ab96e9c71e9ac3cb44a0605bbe4cc2e0c4f84c34b85e9ed6eb73a336a7

SHA512
8c66ad719774158ceddd2b8958ae44545a272783bc00430a18c80c395c3a008027d9d90b0a30b2f89278b667c9de6474650dd4dd6feb8b78d754922fdb0c8cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat

Filesize
214B

MD5
6188483aeb8c0760cb87521bf2ac9a38

SHA1
ba359551d71b603daa71be6d645aefd796747e30

SHA256
aa312f6bf7e3392b1723fcb4d44467817351df83afa41d398a1ecd7e7973dc22

SHA512
50910c70d9b3e4367b4d707e6eca479cffa753658c1afb4cf09d9371ddc2efba645dbec7881f86a2c722eaaa34218c7ad83453b231349bbf86996358344c1c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYGlPFMrpV.bat

Filesize
166B

MD5
aa7b2d575568032cbe758fe385ebf181

SHA1
86da83890af0e145b05031dc47542907456d5f43

SHA256
4b5bd5bd0d612ac3c1e28d15bc0531a1fc944c829cdee77eba8b3c278bd1e735

SHA512
aa60ae37598873f4438478c4b1edef30a327b8d0772b4d2185f64df3562c872238208fd5d76d5005ff6ccfae4d5ab20489070cef2e0c1759ac8a6b2fd838ab61

Download Submit
C:\Users\Admin\AppData\Local\Temp\aocknmtqfY.bat

Filesize
166B

MD5
3284a80ca1245bb989dff28e10ce66ee

SHA1
c0a632ecae1c6b87b771d06a5609bd77597b735d

SHA256
12a6ce76bbb2d139e221478b57dd2ba25fdf617161c61447a0c52059696bb6e6

SHA512
7e0c7d284965f4d4498a22873960279ac1a96ffbdfc7a8e246b18b80a7b4f1b4b46c727a90f5f15a538a58502e914e4ad80def7cc85ac22691b6cc6c1f1f0bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cHG0lItX2O.bat

Filesize
214B

MD5
c7dc12586d0a09c0510a314138e0bc69

SHA1
a6bfbf8d31341ee06b3840d0c9bac1bcdbd701d3

SHA256
608f32011e439d1ac3407d7adab3c3ccc9920ba8fce042c65c853d1ae33abae8

SHA512
dcf638a5ef1a497c01d6233460d54882bab12683c39ee8b160c5b1e80305ee3e48b9aee0f7237b28aab30d4c8eb8076575556aaf0785a6dd90447b7e0dc4cd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzlPEas6c9.bat

Filesize
166B

MD5
5974bd032ec6461bd2166cd6816bce1e

SHA1
36c2d91f4a0c2f9564e00fe9663ad615411f4427

SHA256
4ee303d756764946098d92545f12bb5bef26e13b6bea2c6070762de04ff1750f

SHA512
803272865d2bc524de1a86b9f76468640d8c6b0ea5e2fdda51bed6fca66ba4fd5d9abfcecb1a4e9f989820330226fa2eb0085524ea8a5aabcf458d9bfd165e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEW5dCkeha.bat

Filesize
166B

MD5
1b0d48edbbcb23b5156a15f33e483707

SHA1
49d7ff97e7a8e145478e60dc3b24d8681c8acab7

SHA256
4e4e77acc443b42d8b3dd81c83ef3f0de5faf7f87fe62029102999bb71f92880

SHA512
ae09b7c2f08200f49a2b2e8df4246cf77e2d27d1f54c9664d5bafe80c90c80aa1d508b0e0e1c6216217c3c1a2a4ab16a65a7dc2f41e81b2dd74e0b09434b324a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kTLD8xjVtV.bat

Filesize
166B

MD5
42d416ccdaed582ad59b3c2b8eb70637

SHA1
e00b52d4cd07ce6f026455f0d42c1d45e3caa8fd

SHA256
dab1263d51c138ecc9dcf4a1051eea3eda1a321a839cb76eff0a8c1d9716c597

SHA512
2d80f069a32293fa5b2f22c18f3f973ecf1ee2874124fdce4b8688689a7003fa336f0cd4fa7a43dd7c06ca814c57db724f24253dcd749ef98596fa04ba61adac

Download Submit
C:\Users\Admin\AppData\Local\Temp\liBLcijL4Q.bat

Filesize
214B

MD5
3c47e3be690aa7fb87ace9fd2585cd37

SHA1
0aa1180c787d84c5c37e8094ddf73b7e38a33391

SHA256
93418f3db230555a660b19f840c3cd15e19ceef37fd1ae92ee398f0d125156be

SHA512
b248b3a9fb13756df1ba3300a0a679ee21c71825dc332f0f8db9073ab48821252ded80f5e944b10b5f15fa1b42d28a967feb01ed5b4dc4c5651b3545e6bd034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p52E8qRc0z.bat

Filesize
166B

MD5
564fef5358548fb0f0a93b9a8bd6a82c

SHA1
0f19beb0b54f61ec57670ead5a67b87d1ac5fb53

SHA256
c09fce30ed03a708bd8cebf385830f882d129e9eb4fb6c34639a459734818d02

SHA512
08b64d7c8794882d2d69de7591ccdc6dc47777acab72857f3b11024fc4b316de2492a7f710ecdcfdff6e7e3a894337677ead4c12f86cc4044c80868c89eae9e3

Download Submit
C:\bridgemsWebdll\mwWwmxw2kqhuNOXs3iKVCNL.vbe

Filesize
245B

MD5
d909e3759a2db2ec1f1e23a61ded4aad

SHA1
9ad44ebdd8c090181f6a5ead1c03233739e2c7a5

SHA256
f82b1ead3e4f3e7c88633095be0ca6df5cd8106fa910727c8fb4ec93194928bb

SHA512
2f0ca7982542a58fd6aa3224a65cd1887e0014ad1c5305cfd89c4006b3e8ed808a6546b907eacf63555bd15c99937e24a51bba9931c6cc96a1467a8053a4b531

Download Submit
C:\bridgemsWebdll\pSHGEt1KNYwFf1hnsmPOmsTyOQ1HsALJIBCTZl44eK0EhfZn9707.bat

Filesize
91B

MD5
f9d826541152593617de889e1729ea02

SHA1
7c1283dfbd7f021ea5b19fbc3d64bb8542077916

SHA256
6baa580fe4110a1df3db995716683640ffcbb940d56529154d606871689affda

SHA512
78d612e7c3fe2cc9ac6efb7f58243d988a6816cfbc725f4be4a95908ae9f52ce757fc880b4c03f224c2d949178deee036f98f9234c9b3f42c74f6022683e0459

Download Submit
C:\bridgemsWebdll\portrefNet.exe

Filesize
3.5MB

MD5
e6efdcd592d5833f28e12d3a12901660

SHA1
165ecd79d3ad1353c960435554fbc9380a7951d0

SHA256
aa253669cd8adf25bdbb60b2497bb89bcff54facd27a2c5a35bc2e7f1ff461b4

SHA512
0109098f116d60a53ad59edf8c1e5a326bb6073e77c07a4b627ef24b8c74522b7c0a1fc4585f50e0e154c4c6c4bb48ece3ddb7c625f25deb551b263b0ba99aa1

Download Submit
memory/856-329-0x000000001BDA0000-0x000000001BDEE000-memory.dmp

Filesize
312KB

Download
memory/2052-189-0x000000001BC80000-0x000000001BCCE000-memory.dmp

Filesize
312KB

Download
memory/2180-245-0x000000001B8A0000-0x000000001B8EE000-memory.dmp

Filesize
312KB

Download
memory/2700-30-0x000000001B540000-0x000000001B54E000-memory.dmp

Filesize
56KB

Download
memory/2700-20-0x000000001B700000-0x000000001B750000-memory.dmp

Filesize
320KB

Download
memory/2700-43-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/2700-45-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/2700-47-0x000000001B820000-0x000000001B87A000-memory.dmp

Filesize
360KB

Download
memory/2700-49-0x000000001B7C0000-0x000000001B7CE000-memory.dmp

Filesize
56KB

Download
memory/2700-51-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/2700-53-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

Filesize
56KB

Download
memory/2700-55-0x000000001B880000-0x000000001B898000-memory.dmp

Filesize
96KB

Download
memory/2700-57-0x000000001B8F0000-0x000000001B93E000-memory.dmp

Filesize
312KB

Download
memory/2700-73-0x000000001B8A0000-0x000000001B8EE000-memory.dmp

Filesize
312KB

Download
memory/2700-39-0x000000001BCE0000-0x000000001C208000-memory.dmp

Filesize
5.2MB

Download
memory/2700-12-0x0000000000480000-0x0000000000808000-memory.dmp

Filesize
3.5MB

Download
memory/2700-38-0x000000001B790000-0x000000001B7A2000-memory.dmp

Filesize
72KB

Download
memory/2700-36-0x000000001B770000-0x000000001B786000-memory.dmp

Filesize
88KB

Download
memory/2700-13-0x00007FFD85903000-0x00007FFD85905000-memory.dmp

Filesize
8KB

Download
memory/2700-34-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

Filesize
64KB

Download
memory/2700-15-0x000000001B660000-0x000000001B686000-memory.dmp

Filesize
152KB

Download
memory/2700-32-0x000000001B750000-0x000000001B762000-memory.dmp

Filesize
72KB

Download
memory/2700-28-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/2700-26-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/2700-17-0x0000000002890000-0x000000000289E000-memory.dmp

Filesize
56KB

Download
memory/2700-24-0x000000001B6B0000-0x000000001B6C8000-memory.dmp

Filesize
96KB

Download
memory/2700-22-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2700-19-0x000000001B690000-0x000000001B6AC000-memory.dmp

Filesize
112KB

Download
memory/2700-41-0x000000001B6E0000-0x000000001B6EE000-memory.dmp

Filesize
56KB

Download
memory/2880-273-0x000000001C2B0000-0x000000001C2FE000-memory.dmp

Filesize
312KB

Download
memory/2928-133-0x000000001C0F0000-0x000000001C13E000-memory.dmp

Filesize
312KB

Download
memory/3088-217-0x000000001C4E0000-0x000000001C52E000-memory.dmp

Filesize
312KB

Download
memory/3128-104-0x000000001C630000-0x000000001C67E000-memory.dmp

Filesize
312KB

Download
memory/3312-385-0x000000001CEB0000-0x000000001CEFE000-memory.dmp

Filesize
312KB

Download
memory/4624-301-0x000000001C640000-0x000000001C68E000-memory.dmp

Filesize
312KB

Download
memory/4660-357-0x000000001BD00000-0x000000001BD4E000-memory.dmp

Filesize
312KB

Download
memory/4988-161-0x000000001B830000-0x000000001B87E000-memory.dmp

Filesize
312KB

Download