zgrat | 0dc7d8248f6ce6c32678640c7451424cd02ceb26b53123d05998e48cce556b04

Analysis

max time kernel
18s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccd934c7dd80e3c5281f6912e8e5923e.exe
Size

3.4MB
MD5

ccd934c7dd80e3c5281f6912e8e5923e
SHA1

8312f5101416a5a740a1de07882c662624c16b40
SHA256

0dc7d8248f6ce6c32678640c7451424cd02ceb26b53123d05998e48cce556b04
SHA512

ffec04a0e8d23eaf845a79d32fe0ddd68421c4b4e5103c7081d204b66ab6740c2960797164769c9a65971c257638d4ea4db84a43efaa8ca77145a360e969da88
SSDEEP

98304:yIk/dVyE8L2EQLuGKR70la1O9g5Ws4/ITyH29hH:rk1MPL5QLE7Qa09g+IT9

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023246-12.dat	family_zgrat_v1
behavioral2/files/0x0008000000023246-11.dat	family_zgrat_v1
behavioral2/memory/4240-13-0x0000000000EE0000-0x0000000001274000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000200000001e6e2-95.dat	family_zgrat_v1
behavioral2/files/0x000200000001e6e2-123.dat	family_zgrat_v1
behavioral2/files/0x000200000001e6e2-122.dat	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	4116	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4116	schtasks.exe	88

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
752	schtasks.exe
3340	schtasks.exe
1676	schtasks.exe
2612	schtasks.exe
4536	schtasks.exe
1700	schtasks.exe
3016	schtasks.exe
2196	schtasks.exe
4644	schtasks.exe
1508	schtasks.exe
1012	schtasks.exe
2188	schtasks.exe
556	schtasks.exe
3620	schtasks.exe
4716	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	Process not Found

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4828	1776	Process not Found	84
PID 1776 wrote to memory of 4828	1776	Process not Found	84
PID 1776 wrote to memory of 4828	1776	Process not Found	84

C:\Users\Admin\AppData\Local\Temp\ccd934c7dd80e3c5281f6912e8e5923e.exe
"C:\Users\Admin\AppData\Local\Temp\ccd934c7dd80e3c5281f6912e8e5923e.exe"
1⤵
PID:1776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" "
    3⤵
    PID:4816
  - - C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe
      "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet/agentServerComponent.exe"
      4⤵
      PID:4240
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\idzlyfws\idzlyfws.cmdline"
        5⤵
        
        PID:516
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA350.tmp" "c:\Windows\System32\CSC1493A8AF2A944127854A2EEFF3EE4055.TMP"
        6⤵
        
        PID:232
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KM1EQg0VNB.bat"
        5⤵
        
        PID:4844
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4444
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1712
      - C:\Users\All Users\USOShared\Logs\User\conhost.exe
        
        "C:\Users\All Users\USOShared\Logs\User\conhost.exe"
        6⤵
        
        PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\USOShared\Logs\User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\USOShared\Logs\User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServerComponenta" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\agentServerComponent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServerComponent" /sc ONLOGON /tr "'C:\Windows\ShellComponents\agentServerComponent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServerComponenta" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellComponents\agentServerComponent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\Camera Roll\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\Camera Roll\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOShared\Logs\User\conhost.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\ProgramData\USOShared\Logs\User\conhost.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KM1EQg0VNB.bat

Filesize
178B

MD5
112f8037486ff1b365de86dedf85e896

SHA1
328a4664a344e65811ed91cad17f982086290b00

SHA256
b2c8b7070e7637b1fae164bcf3106adef069bcf5f89bf7b6836c546c14942dc9

SHA512
74bd9efacba29c4c11d99a43f05e8f475d814a7bfa2af1446b8cf0ecfd3e97f0df3845ef18331d70cc99823f3e89834e93d7e3e41c601fe9d431413693b13eef

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat

Filesize
93B

MD5
b32388f95a1ac97cfca0a1a41c47604d

SHA1
568a535fd5a9175f4ed27c6716d65f917ca893df

SHA256
49d7bc2b118c854658c90b0fa9c47de42eb9f2426833e86b049bb33733bea5b9

SHA512
bcd9531dfd247542633c9cecacf1a46c7be70173a2ed6845386bd567ea7cb0c49aec4d3ed315ee80aaabd3ca96cee0c6e762e42d85b74b59793a4d766b83edc5

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe

Filesize
211B

MD5
4d658105afcc52322262e2c793a8083a

SHA1
c81a04e2cf3ce5cdeab1c54673d9f9bdf646c43d

SHA256
e6ff322411e42d01aeb523e70b1fa1023d5427e1c6eed2d19a8b2eaa1b26acda

SHA512
a47b97494f1ca7528026adc4aabfbdc73e944e6342beb380022f0f3f72ce8b603517863cf31340068a9ee10229feca3a7e77f34644609c514b5568e49e29c7be

Download Submit
C:\Users\All Users\USOShared\Logs\User\conhost.exe

Filesize
3.5MB

MD5
4b6bf7e06b6f4b01999a6febcddc09b7

SHA1
639ee42edde44f4ebe892aa0ac4fbddc49e144b8

SHA256
10dbba3481930c060fbcadfa77ff358e058578cf8cd12688e712bec4bfd99bc8

SHA512
36228e618307dd8d84939414f26dff00b8e003287af43ff7690cdb5b01e30e54958d33afb2938917d3013ef334367d30ce935d5bb48fa5b01e1321e09309bca8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idzlyfws\idzlyfws.0.cs

Filesize
371B

MD5
86183cd3e44687282ba02d61616fa639

SHA1
f92d6809c0b418bb07afc0700af95f7e9fd3f4fe

SHA256
b64b41a0ee2b5bf4d606918ae60bf90eb4aa925fa02d985bc2fe25b8b0c1cf51

SHA512
74cb758a8dc2d402d86701b1f1f5eebf3fbeba33abf51c57035dc8ad8535d2ac45c5749e9987d9983d7a76f8b53468c83159a23b46c1e74f38ac4dc0eb38e710

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\idzlyfws\idzlyfws.cmdline

Filesize
235B

MD5
366929b31a19b891c3ff08afdf8ad2fa

SHA1
6d8d1e153ad16279db3342eecc944d0a05c3e0da

SHA256
51340494396cf4c80483b411db5db2af7e1629534dbfdbafc7edd3307e5c7738

SHA512
271926da88b80484db8060c45270e47169df9abb8e3d2d8a5dbc06105c16b82cbd058a8cd8eef0a14b01701c722f9983da6a6f950357969b8ea3ae5c47031cc4

Download Submit
memory/632-127-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/632-124-0x00007FF9EE790000-0x00007FF9EF251000-memory.dmp

Filesize
10.8MB

Download
memory/632-125-0x000000001B260000-0x000000001B270000-memory.dmp

Filesize
64KB

Download
memory/632-126-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4240-55-0x00007FFA0CEA0000-0x00007FFA0CEA1000-memory.dmp

Filesize
4KB

Download
memory/4240-63-0x000000001D560000-0x000000001D572000-memory.dmp

Filesize
72KB

Download
memory/4240-24-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/4240-27-0x0000000001B90000-0x0000000001B9E000-memory.dmp

Filesize
56KB

Download
memory/4240-26-0x00007FFA0CF20000-0x00007FFA0CF21000-memory.dmp

Filesize
4KB

Download
memory/4240-28-0x00007FFA0CF10000-0x00007FFA0CF11000-memory.dmp

Filesize
4KB

Download
memory/4240-30-0x00000000033F0000-0x000000000340C000-memory.dmp

Filesize
112KB

Download
memory/4240-31-0x0000000003580000-0x00000000035D0000-memory.dmp

Filesize
320KB

Download
memory/4240-32-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/4240-33-0x00007FFA0CF00000-0x00007FFA0CF01000-memory.dmp

Filesize
4KB

Download
memory/4240-35-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4240-36-0x00007FFA0CEF0000-0x00007FFA0CEF1000-memory.dmp

Filesize
4KB

Download
memory/4240-38-0x0000000003410000-0x0000000003428000-memory.dmp

Filesize
96KB

Download
memory/4240-39-0x00007FFA0CEE0000-0x00007FFA0CEE1000-memory.dmp

Filesize
4KB

Download
memory/4240-41-0x00000000033A0000-0x00000000033B0000-memory.dmp

Filesize
64KB

Download
memory/4240-43-0x00007FFA0CED0000-0x00007FFA0CED1000-memory.dmp

Filesize
4KB

Download
memory/4240-45-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/4240-42-0x00007FFA0CF40000-0x00007FFA0CFFE000-memory.dmp

Filesize
760KB

Download
memory/4240-46-0x00007FFA0CEC0000-0x00007FFA0CEC1000-memory.dmp

Filesize
4KB

Download
memory/4240-48-0x0000000003430000-0x000000000343E000-memory.dmp

Filesize
56KB

Download
memory/4240-50-0x0000000003440000-0x000000000344E000-memory.dmp

Filesize
56KB

Download
memory/4240-52-0x00007FFA0CEB0000-0x00007FFA0CEB1000-memory.dmp

Filesize
4KB

Download
memory/4240-22-0x00007FF9EE790000-0x00007FF9EF251000-memory.dmp

Filesize
10.8MB

Download
memory/4240-54-0x00000000035D0000-0x00000000035E2000-memory.dmp

Filesize
72KB

Download
memory/4240-51-0x00007FFA0CF40000-0x00007FFA0CFFE000-memory.dmp

Filesize
760KB

Download
memory/4240-57-0x0000000003450000-0x0000000003460000-memory.dmp

Filesize
64KB

Download
memory/4240-58-0x00007FFA0CE90000-0x00007FFA0CE91000-memory.dmp

Filesize
4KB

Download
memory/4240-59-0x00007FFA0CE80000-0x00007FFA0CE81000-memory.dmp

Filesize
4KB

Download
memory/4240-61-0x000000001D540000-0x000000001D556000-memory.dmp

Filesize
88KB

Download
memory/4240-23-0x00007FFA0CF40000-0x00007FFA0CFFE000-memory.dmp

Filesize
760KB

Download
memory/4240-64-0x00007FFA0CE70000-0x00007FFA0CE71000-memory.dmp

Filesize
4KB

Download
memory/4240-68-0x0000000003460000-0x000000000346E000-memory.dmp

Filesize
56KB

Download
memory/4240-66-0x00007FFA0CE60000-0x00007FFA0CE61000-memory.dmp

Filesize
4KB

Download
memory/4240-65-0x000000001DAB0000-0x000000001DFD8000-memory.dmp

Filesize
5.2MB

Download
memory/4240-71-0x000000001BFD0000-0x000000001BFE0000-memory.dmp

Filesize
64KB

Download
memory/4240-69-0x00007FFA0CE50000-0x00007FFA0CE51000-memory.dmp

Filesize
4KB

Download
memory/4240-72-0x00007FFA0CE40000-0x00007FFA0CE41000-memory.dmp

Filesize
4KB

Download
memory/4240-74-0x000000001BFE0000-0x000000001BFF0000-memory.dmp

Filesize
64KB

Download
memory/4240-75-0x00007FFA0CE30000-0x00007FFA0CE31000-memory.dmp

Filesize
4KB

Download
memory/4240-77-0x000000001D5E0000-0x000000001D63A000-memory.dmp

Filesize
360KB

Download
memory/4240-78-0x00007FFA0CE20000-0x00007FFA0CE21000-memory.dmp

Filesize
4KB

Download
memory/4240-80-0x000000001BFF0000-0x000000001BFFE000-memory.dmp

Filesize
56KB

Download
memory/4240-83-0x000000001D580000-0x000000001D590000-memory.dmp

Filesize
64KB

Download
memory/4240-81-0x00007FFA0CE10000-0x00007FFA0CE11000-memory.dmp

Filesize
4KB

Download
memory/4240-84-0x00007FFA0CE00000-0x00007FFA0CE01000-memory.dmp

Filesize
4KB

Download
memory/4240-86-0x000000001D590000-0x000000001D59E000-memory.dmp

Filesize
56KB

Download
memory/4240-89-0x000000001D5C0000-0x000000001D5D8000-memory.dmp

Filesize
96KB

Download
memory/4240-90-0x00007FFA0CDE0000-0x00007FFA0CDE1000-memory.dmp

Filesize
4KB

Download
memory/4240-21-0x00000000033C0000-0x00000000033E6000-memory.dmp

Filesize
152KB

Download
memory/4240-18-0x00007FFA0CF40000-0x00007FFA0CFFE000-memory.dmp

Filesize
760KB

Download
memory/4240-87-0x00007FFA0CDF0000-0x00007FFA0CDF1000-memory.dmp

Filesize
4KB

Download
memory/4240-92-0x000000001D690000-0x000000001D6DE000-memory.dmp

Filesize
312KB

Download
memory/4240-120-0x00007FFA0CF40000-0x00007FFA0CFFE000-memory.dmp

Filesize
760KB

Download
memory/4240-119-0x00007FF9EE790000-0x00007FF9EF251000-memory.dmp

Filesize
10.8MB

Download
memory/4240-19-0x00007FFA0CF30000-0x00007FFA0CF31000-memory.dmp

Filesize
4KB

Download
memory/4240-17-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/4240-16-0x0000000001B10000-0x0000000001B11000-memory.dmp

Filesize
4KB

Download
memory/4240-15-0x000000001C000000-0x000000001C010000-memory.dmp

Filesize
64KB

Download
memory/4240-14-0x00007FF9EE790000-0x00007FF9EF251000-memory.dmp

Filesize
10.8MB

Download
memory/4240-13-0x0000000000EE0000-0x0000000001274000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads