zgrat | 9d077371cd1d6dc2b8b337d0bc978afb1e910a947bb0e14c15a37c70c745704c

General

Target

05595fa61734a9acede85154fc8fe03b.exe
Size

1.7MB
MD5

05595fa61734a9acede85154fc8fe03b
SHA1

c3842ef0d4b88b53098c9fcb36082219f39b112f
SHA256

9d077371cd1d6dc2b8b337d0bc978afb1e910a947bb0e14c15a37c70c745704c
SHA512

9e959d30eac39b3fe81f36360f29f4ecdc2c5d7b5b71a12c593f0754860e696822530e022552db3c0d9c1df189a18425bb7030bf7a0d869331a2bbda154f6066
SSDEEP

49152:yopU78Oe8T6UQJ+Ss4ie6tu4HY90Jm9WbV:y+E1e87Y+QKZm9WbV

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2872-6-0x0000000005F40000-0x0000000005FB8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-7-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-8-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-10-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-18-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-24-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-28-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-36-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-44-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-48-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-54-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-56-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-52-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-66-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-70-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-68-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-64-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-62-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-60-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-58-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-50-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-46-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-42-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-40-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-38-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-34-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-32-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-30-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-26-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-22-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-20-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-16-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-14-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2872-12-0x0000000005F40000-0x0000000005FB2000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

05595fa61734a9acede85154fc8fe03b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\outlook = "\"C:\\Users\\Admin\\AppData\\Roaming\\outlook.exe\""	05595fa61734a9acede85154fc8fe03b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

05595fa61734a9acede85154fc8fe03b.exepowershell.exe

pid	process
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
2872	05595fa61734a9acede85154fc8fe03b.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

05595fa61734a9acede85154fc8fe03b.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2872 05595fa61734a9acede85154fc8fe03b.exe
Token: SeDebugPrivilege 1556 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2872	05595fa61734a9acede85154fc8fe03b.exe
Token: SeDebugPrivilege	1556	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

05595fa61734a9acede85154fc8fe03b.exeWScript.exe

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
"C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Glkcwxl.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\outlook.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
C:\Users\Admin\AppData\Local\Temp\05595fa61734a9acede85154fc8fe03b.exe
2⤵
PID:2008

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Glkcwxl.vbs
Filesize
137B

MD5
41c8a8551ff6fc7a2b9aadcff976ca0f

SHA1
444db8be2af0b1128229ac46e4963e0570159c3c

SHA256
bc147b5a209f5db13fa86ce6906be0d4dfec76469af3f304d490f10443cf5df5

SHA512
b52b716c3827a20d9298a32c8243f8e506c77c4be10e29e39a17ba303d0c65d70e257ab4f1c7368e99608c53ec12e6a1e7287e3d644df1f4cdbc539a501763c8

Download Submit
memory/1556-2405-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-2404-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1556-2403-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1556-2402-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-2401-0x00000000745A0000-0x0000000074B4B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-64-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-46-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-8-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-10-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-18-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-24-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-28-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-36-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-44-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-48-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-54-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-56-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-52-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-66-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-70-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-68-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-1-0x0000000000350000-0x0000000000512000-memory.dmp

Filesize
1.8MB

Download
memory/2872-62-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-60-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-58-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-50-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-7-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-42-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-40-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-38-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-34-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-32-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-30-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-26-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-22-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-20-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-16-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-14-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-12-0x0000000005F40000-0x0000000005FB2000-memory.dmp

Filesize
456KB

Download
memory/2872-6-0x0000000005F40000-0x0000000005FB8000-memory.dmp

Filesize
480KB

Download
memory/2872-2398-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-5-0x00000000080D0000-0x0000000008280000-memory.dmp

Filesize
1.7MB

Download
memory/2872-4-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2872-3-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-2-0x0000000004F10000-0x0000000004F50000-memory.dmp

Filesize
256KB

Download
memory/2872-0-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	WScript.exe
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	WScript.exe
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	WScript.exe
PID 2872 wrote to memory of 2160	2872	05595fa61734a9acede85154fc8fe03b.exe	WScript.exe
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1532	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2160 wrote to memory of 1556	2160	WScript.exe	powershell.exe
PID 2160 wrote to memory of 1556	2160	WScript.exe	powershell.exe
PID 2160 wrote to memory of 1556	2160	WScript.exe	powershell.exe
PID 2160 wrote to memory of 1556	2160	WScript.exe	powershell.exe
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1536	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1412	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1768	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1380	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 1736	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2660	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2360	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2336	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe
PID 2872 wrote to memory of 2008	2872	05595fa61734a9acede85154fc8fe03b.exe	05595fa61734a9acede85154fc8fe03b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads