zgrat | 35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689

Analysis

max time kernel
11s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 10:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe
Size

3.4MB
MD5

a94547769c3f9ce3594946f16d31ec16
SHA1

7a2753ecc00244a55cca74527b264e7f18659daf
SHA256

35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689
SHA512

6940ac5b321c62fc4f6c94d1f046e1238bf00ca9f0c27fab122af74241aa44c424745159c60e3053532db2698bdb922dca761f8bbff652fe8dad771aa1983178
SSDEEP

98304:yaGGHdfWybAk/avUcqWSbTUzHW+XAWf7uXXx:JGedfWe/CvNqWSnXBI7unx

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 18 IoCs

resource	yara_rule
behavioral1/files/0x000c000000016764-11.dat	family_zgrat_v1
behavioral1/files/0x000c000000016764-12.dat	family_zgrat_v1
behavioral1/files/0x000c000000016764-10.dat	family_zgrat_v1
behavioral1/memory/2752-13-0x00000000001F0000-0x0000000000576000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000c000000016764-9.dat	family_zgrat_v1
behavioral1/files/0x00070000000173dc-84.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-97.dat	family_zgrat_v1
behavioral1/memory/1496-98-0x0000000000230000-0x00000000005B6000-memory.dmp	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-96.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-151.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-204.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-308.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-357.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-411.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-463.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-515.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-568.dat	family_zgrat_v1
behavioral1/files/0x000a000000016d0e-621.dat	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2144	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2144	schtasks.exe	32

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1820	schtasks.exe
1212	schtasks.exe
2372	schtasks.exe
2572	schtasks.exe
2168	schtasks.exe
1440	schtasks.exe
2096	schtasks.exe
2696	schtasks.exe
2916	schtasks.exe
1672	schtasks.exe
2064	schtasks.exe
2072	schtasks.exe
1216	schtasks.exe
2112	schtasks.exe
856	schtasks.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
1984	PING.EXE
2360	PING.EXE
1984	PING.EXE
2960	PING.EXE
1644	PING.EXE
1692	PING.EXE
2152	PING.EXE
680	PING.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2460	2180	35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe	21
PID 2180 wrote to memory of 2460	2180	35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe	21
PID 2180 wrote to memory of 2460	2180	35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe	21
PID 2180 wrote to memory of 2460	2180	35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe	21

C:\Users\Admin\AppData\Local\Temp\35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe
"C:\Users\Admin\AppData\Local\Temp\35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\driverruntime\lOGn1vzITof4.vbe"
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\driverruntime\i5zSTekZccWHomwpzhFca040UT744SVhuMPteV7Hd8e15f3OsbqO.bat" "
    3⤵
    PID:2848

C:\driverruntime\HyperBrowser.exe
"C:\driverruntime/HyperBrowser.exe"
1⤵
PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Adm582Lgzu.bat"
  2⤵
  PID:2056
- - C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
    "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
    3⤵
    PID:1496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6jqn6DqxiC.bat"
      4⤵
      PID:692
    - - C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        5⤵
        
        PID:2232
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fIZrPQRpQG.bat"
        6⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2708
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        7⤵
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat"
        8⤵
        
        PID:1532
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        9⤵
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat"
        10⤵
        
        PID:2432
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        11⤵
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat"
        12⤵
        
        PID:1728
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        13⤵
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat"
        14⤵
        
        PID:1848
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        15⤵
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VXTmetMh5k.bat"
        16⤵
        
        PID:1376
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        17⤵
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
        18⤵
        
        PID:400
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        19⤵
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dNZC7W0h3T.bat"
        20⤵
        
        PID:1424
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        21⤵
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fGOYhFobNz.bat"
        22⤵
        
        PID:2300
        
        C:\Windows\PolicyDefinitions\es-ES\audiodg.exe
        
        "C:\Windows\PolicyDefinitions\es-ES\audiodg.exe"
        23⤵
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZVE1dxM5B8.bat"
        24⤵
        
        PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:784

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1732

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2516

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:680

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1552

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1984

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2360

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2380

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1656

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2928

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2072
- C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  2⤵
  - Runs ping.exe
  PID:1692
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1484

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2120

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1984

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1040

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:2960

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1696

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1644

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1fnMmvhPbk.bat

Filesize
174B

MD5
41d92cf5e18e64b4dc4c22104da2452b

SHA1
78298dc2074f336879a16f547f0bff4bdd198efd

SHA256
1eeacd30312117bb3630f24b49e7533997b28727c2eda6e588cd3805c3a3fab9

SHA512
35434442cd806c80907c8dcd87aaaed07e8b41090f4c9f2ced0af5d6301f2dadb9dad27029e92b73cf6356d25417e7205698a6defe79752db83b14c4cf6fa037

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ZZGHVO0om.bat

Filesize
174B

MD5
51ade05be2e1d626fc371fbdc099314c

SHA1
4da0afcf99ba0a038bc687757edaabdee03cdec2

SHA256
61a3dbc2902fa006daec8a88e5f9526fc7b8a593d0089db379a18c5c273d7728

SHA512
ed8c1936cca5785a7768cff29c0952af00f0eab2f87e8a7ab171b501c4be41318f28d806ada5e16bb7ee6a2eca84c0fca5ac538da27f5c4266a0520d65ee6bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6jqn6DqxiC.bat

Filesize
222B

MD5
fabe112cc7058e0a439e0f2bb842d971

SHA1
a50e892d84a0998a61294584e53ff5fb4305bedf

SHA256
553f3e804ede4493f61ed501243a49fbd44327df2ddee6726b14ec69ce19a6d1

SHA512
da731875bf3a0ef020385ac3cfcbef21998a256c8f0af065fd9fde268a5c1f5adcec9f457b194cbe4d15f6100e1d1335d17f7705fc53238203d31931c7d5b14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adm582Lgzu.bat

Filesize
222B

MD5
4f9bf48f9dc32811cc1ff9c01430bddc

SHA1
6b7d798a733d3cf971cbcdf057ebe558f86046de

SHA256
a91c3c092327714278ab70384857bec892f29f7a6aac0bb550921e953a2c7181

SHA512
cd6038f4377811d41ddf07ba885fbc721cd93649f671a4751c4b0dfeb3e29b8a5ead895959615a207f6cce6c9b4a3723852801d50ea73c2ba49ed2cc2edd7d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VXTmetMh5k.bat

Filesize
222B

MD5
9915c9b9d0749f8f309919ea65da640a

SHA1
471e26394c04f9611bc86860fdc3116e119d2ee1

SHA256
344c0f08ffa318bcb7e8ebbc594fcde33b0a7400816b49bc640c897b7165dab7

SHA512
adbab9578773b7bd3903aa045f40a3468d6ac3e583c820a6b83fb57c47451b6bad8917c024968dc5e7e4aba381718016cb35b565351757c37aae170b744813f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsfXZ1b1OE.bat

Filesize
222B

MD5
d1a3c666f7b1a3366088aa2df4697fbf

SHA1
746e70f347c8396e67f8753a724ae691e0953dfb

SHA256
046b108f6d0e8f9101b6585a9c97bfbc8e2e298ee6bb07f18437c1143384b7a6

SHA512
c397da3f36db8d53d5e422b58786fd63a198f72b1f21996acfd6b030772fdf7b410119610584432baccce253f7c59a5fec60addb5050deaadace751a3f54089e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZVE1dxM5B8.bat

Filesize
174B

MD5
849d1845517f86cd8331b20802e332e8

SHA1
c681da593a04179ce0e4b7abe05ba21c1366cee4

SHA256
0dc9a2b82ba9f2f79a250e6268882ed0f32c4a2df50e85b90a4920d9d9a45623

SHA512
d4ac6678b8d597b9a65ff596ebbc9a84d6ffdba4edc3d3ad5c584d446aa4e761e651786f56b0be7ac01ceb3e598be2aef960aa69ea0153a83ad6252b725bc279

Download Submit
C:\Users\Admin\AppData\Local\Temp\dNZC7W0h3T.bat

Filesize
174B

MD5
e5bbf13be861a3c016d34769814853f8

SHA1
c015d1dd547c576d0e8c189c17e47407e42bf828

SHA256
c5ef7bc2c155d0eace80382aaa01ef1355910f9d907e3df094375007cae1bad0

SHA512
6b47a8b8776862c390c6df462c8a9fcf2edd1c071c418f9974f89578d11aba2820a6902a3c755ea6315829449b43074b308c398e1f83694500bdcacd41eb3ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat

Filesize
174B

MD5
ff3c70ce44b65a75944c6c500aa594de

SHA1
7016a535164879ce8abcb2bb5898d7e1e8da0b5f

SHA256
5be0d2e6643898a0a36ff025103601fca7d997bb449e626c881eea94f66d780f

SHA512
a8d373760015ffaf670f694bc72e7dc3b54407780800e3b03029327be19fefdc45485801f8415cc3978aadb49412ef06d4917ae71037824bff63a558e3dc15d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGOYhFobNz.bat

Filesize
174B

MD5
854c50bde12f61ccaeac80d25a354018

SHA1
e9442a0264cfd89865777c0aec83f48da8589234

SHA256
832164cfe08ba36d3add68a43337eec1cefa9ee38f99c4e582c34844196e446c

SHA512
b3bc63f7fba5641f8a8475e15b45a9bb66d9b85bd7c61f15ed9d35daadfe1e7d75a36e0b2db50fef2d8b1d0008ff5963afce9f93709db31b3d3c33e9035ce9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fIZrPQRpQG.bat

Filesize
174B

MD5
0bc00dbf16e2c2bfb777f7bd36325c25

SHA1
52b6d3c11099474f1dfa2e0846cc2d7b53a34940

SHA256
8c597accbc37464d593a54cb6df44474ef567a17451a88f5a768b6caed8e4dc7

SHA512
10ef38a8705514dd9867b6e8836c2d66c9705a744996a24c4b4c0ff7c4eec4a69553f151adae9f3e0e0b510c00fa52428b9c6388482c2312f3ad52792144038c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat

Filesize
174B

MD5
23de2f2aeb1946b9bb10b1a108d65ad7

SHA1
ae77b2e9427932c1e6297a551769a8230e27adb3

SHA256
db0ce1978c58aafe4859d1b090f883c9061e4d7509b395cd246f4bdab3882912

SHA512
8c688ce93cc3d29c84e055628021e094e35fe3f3b616885dd5b09d5b1e604d91b3b272f652b33cbf24057518199c1ef5f7b8aea3cd3e89dabfbe7844b6f9b227

Download Submit
C:\Users\Public\Downloads\spoolsv.exe

Filesize
189KB

MD5
885e0ee42149c0789bf9d976c21e9960

SHA1
891cbe81c67765b77e6f1d8639a05e0628af2f05

SHA256
3694f2d0c655e7f65801264fa0060889ae9921bddcf1ca7aefc7ee0097ab2cd9

SHA512
40fd8058c9e8b1aa7d23b847c2b05d1315fb3b5d72ad7f998d0f5eae293abb499f6caf7a5385fef6cff83200e90b884475006e572a95bed16a94815dea47c645

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
238KB

MD5
7513e29ab6359b1acac8f207a5d95bf1

SHA1
ea4d2dbb5c1744f444334ed05c2bef890f9be2d2

SHA256
970a0d983d565847bf6c45c3d8a1c6df66a26f981b60666ac0166317390d3daa

SHA512
e6ea8adbbbf0b0e501f178d906871e90dce310a1bbed8d3c6ca001615129d32e22806af61d46317e58390e64d9186ebd906de622f8f4bfbd07fbefa214551fec

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
132KB

MD5
a20fc57b1d84e4b1848aad06b1138b40

SHA1
1de53af6995e4a47cfb5c7d82864a489be296753

SHA256
c58cafb64bc60efd53a1325b76ea7751d789630ee82f48977c385e4fb95f3919

SHA512
6151ec9cd2b9626ff3148e4702f7c40cb53acd210ee078eaefe2d1a59e4f0b8cf674c2ebd1efed4b4c26707bfbf5a2c36b8e57d7021374448305689eee9ee309

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
181KB

MD5
e6d5ed4a2e453bd7827a246ebe990ac7

SHA1
6a1aae4bd711344393582d2be3d387dbaa9e5971

SHA256
19bff8b9f699143c6c99e86ef4e7a18e786fcee5c1c2e242e76d91faa3b27377

SHA512
d9e249c66ebe0b6a19ae24293b458dfc58331d03fb0267738c2702b3e25747fd1280da1fc19b99c497cdf4026dc6192ce418d44ee6182f8e5125a48da8218665

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
42KB

MD5
a48c5cefe799b242d0415409129f6839

SHA1
24e3dc1b67cda00aa7a0cc4738261ffcbd41056e

SHA256
db995a77e046b546bf88da7eeb0d5e2aaf31d9631ffd7ef9205472b5d6491d37

SHA512
474edc978e4cae66785b9249e1ee9f197f1c19e574e54949891bbed23d9af50acf13d9e78955a867285e444f9520dfb83be5146d270c7ccf5f110b7a015a542d

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
23KB

MD5
276cc854d44caa863ff495e156fb19f0

SHA1
9d3b886f28e77136fcb9b45b67a1912cd1d3a431

SHA256
690c4fd8126f8796575cc67d689df4fd69799b76e0dbcefc9b58b9674730e73d

SHA512
da865e51a565dbbad3645af5348180b6c35d52243eac475a537f67e10078df73af5fd32bef4154e8bd23fdcdfde7112c5685a82b0ab62e246ece44c1a2ff5087

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
229KB

MD5
db2fa5a8fb24f63a2b18c83c37b462f9

SHA1
7356afa6aef6d8de9d1f8075a94754a9cba1e307

SHA256
49f7dbcf6c1aa5e4241adbf77a8d59452935b141e0b2103d5e44eb5491cfc17e

SHA512
3a88a07755fca17eb45d826d059ae7f2a062dbc281f82a0cbe99c24bc085b0d3e7473e77f83377354d3a867c47709cf23a4df56b9289ae38efbc93716e9195ab

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
60KB

MD5
174b71587a5f4fd8b26887b0946624a2

SHA1
dde53001bfa4b0a498ad052c4c915392fb82e4bc

SHA256
1b807129622e36f7fa336ed32a4852009658ac036c48b5aa6dd54193a5ce15c2

SHA512
927c7d6940a9f2f70757c02c1dc798f4d56e506afed96eb2a3e43164bdcac2049545e50779fea4cfd2e835d2fb8fc0d2e767ec616024fcbfb95793426fbafcd5

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
1KB

MD5
19ac2b3bfb3c443cd215e1688ab0cfc5

SHA1
d62f8c2034d575e0709806a0fbbf435da56f4719

SHA256
3c6a6f4bfb069f9647103ae37dababdbce959d02d959ccae2ab90088f77e6c0a

SHA512
c1f53ec590e2e7ddfa565e4e449e553a48fb2737e2991cc24998a4b572d30dcd8a02385623b7e884abbcf927b977cbd1f4b9910abb4af95f5d23771c7aa34087

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
56KB

MD5
b2ff25825cb392b9e82aa330a39d15b6

SHA1
09699bb4eeb6422c2f59e9c30c53cedcec50dfca

SHA256
535663e84886b908d795a2cf5f4355c0c3355dff66bdd26f1b8d9b363e4b60f2

SHA512
9fdba1c42e106644a57429b830be496238eff3db7d9294767053ac80e2df2d68e589026e2c3a8cfd8290b337fe79d0a9c04fa2c6017aaf8f453b41a803b70d78

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
45KB

MD5
201e69b9ccbbfaef9fb577f89f4ebb17

SHA1
0de06b7bc964eae338a27ed649b9bb0fc13e233c

SHA256
df8560e580094d8e288fabce40522b90955d2054242bfe84a364ae0c18c6cc74

SHA512
1b27d5b6050d546865f809c65596e6b4a01b90a6992d05609972134be0e264fc477e45d7b594ee5b17eaf31a973b4c6883b1256544ccf3fbc552bdb2bf10790c

Download Submit
C:\Windows\PolicyDefinitions\es-ES\audiodg.exe

Filesize
19KB

MD5
cd03acfc00720225931ff538a9ad97e4

SHA1
732d1f6e904ff9ce76f67409e1390f2e7ab55393

SHA256
1e862e6fafe3715a3cacc5deabd401f4c381f0ca025e33f20b2ae0e3b1731816

SHA512
e7613325274e49909f51be13a23739eb8f1e22e1b861ccb5d88fb5c5a9145cbf5570e3d8b78a7d2e182f68cb411dd1cb3c6f97f8a199c58443e7d3bfe4bb5fa1

Download Submit
C:\driverruntime\HyperBrowser.exe

Filesize
253KB

MD5
3940514ceea45f1949b343e216bdcf11

SHA1
9632c95c3ce247a4704b3be8de518ff83afd3108

SHA256
f2b0077fe2008b314889f3655b35dc8775f0e6814510470194739943973db90f

SHA512
ab2cb3d9e4079da0d75f4a685403fbef3dfed3f1562c690d02c6e562fa82b74c87e9181fba3642fe3cc8ddc82d26cc22f039e40c3fb3a696cc68d5ef8e0dce8e

Download Submit
C:\driverruntime\HyperBrowser.exe

Filesize
262KB

MD5
77cf5fcd073deb416618b26afdb8a5e3

SHA1
51b6e507e3ee66ca0421ad61ed891f17f22aecf8

SHA256
ab642ecd9e9d8e8268b42e7586b03d9b17122002f03ed6915e5d38434d7716f6

SHA512
9ddc43f59dfab54d317cb47fdd543decbf673d00d26c1baf8f11e6918fd116b73bc8f38c27e9b789599b3e20106793a03625e67f1e67769624c3e270df14c413

Download Submit
C:\driverruntime\i5zSTekZccWHomwpzhFca040UT744SVhuMPteV7Hd8e15f3OsbqO.bat

Filesize
86B

MD5
2d20db6122450fdd175cf73d4ff6453d

SHA1
9d096f02847fcf09ceb4e5bbfaf18e67a3499529

SHA256
014efe499144db3d2d65d6d6be47ab806f3392902f3804e20abc28e2c196e6ed

SHA512
0a9739c3ea5d058263c4b504ddc64403703e2d5c7235176b5c498c17258087d0807d388e210c03429fbfd847e600dcb102e93d6cc0998fc45e20799de84b1b9c

Download Submit
C:\driverruntime\lOGn1vzITof4.vbe

Filesize
255B

MD5
d7b78164e8e6e4565d9d518995f7616b

SHA1
84caab43657f322e407bbe243c21b6fe757fe180

SHA256
167e1c62e5921c18063038a38851d7b39bd98214fda83f8fc89c72fdaa3dffa3

SHA512
5a07163186e14406beb796743cf40d2ee1f7630e5d610a1085ca5e726f8c8e94e1d59a5474a5723b0182e7aaa75daeadb8916f95d57db5af0208bd0a6bf486d0

Download Submit
\driverruntime\HyperBrowser.exe

Filesize
141KB

MD5
f767df605403f62a6a189c9e11e4e145

SHA1
30ba5f01fbb544bdd968b74d73085d6335270e8a

SHA256
e83f4af8de9f24e7510cec15572612e51a2afa460ffe52a6f1cb4c396b4c1feb

SHA512
eed8aad4304d39219109f4f85be2f4a3fd392066e15a1e110bf45770286fbc753d2c4590824b894da12e45b55d1a0b7b87b731182b166b0dc2bef8adde870daf

Download Submit
\driverruntime\HyperBrowser.exe

Filesize
236KB

MD5
41dee7017f95b3aa8a4b13326ebe2e4d

SHA1
b8e617230153e438231aea5bac797a91b3e26600

SHA256
8f603366217f0c8972eb1275cddac519904e80a34e6fac3c5a648fa4595e3949

SHA512
0a12c508a9b1c7dfb83c7528714ca7c2e918f8198491acd6ab1ab3c646088bbbaa240c6b75fbf7321f10d0b50a8b573a126ba41b5f5cde6fb1d3df72effd9e0a

Download Submit
memory/1496-107-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/1496-110-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/1496-116-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/1496-118-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/1496-119-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/1496-120-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/1496-121-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1496-122-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/1496-113-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/1496-109-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/1496-104-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1496-102-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1496-103-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/1496-98-0x0000000000230000-0x00000000005B6000-memory.dmp

Filesize
3.5MB

Download
memory/1496-101-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1496-100-0x000000001AD00000-0x000000001AD80000-memory.dmp

Filesize
512KB

Download
memory/1496-99-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-71-0x0000000002330000-0x000000000233E000-memory.dmp

Filesize
56KB

Download
memory/2752-29-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/2752-27-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2752-26-0x0000000077290000-0x0000000077291000-memory.dmp

Filesize
4KB

Download
memory/2752-25-0x0000000000920000-0x000000000093C000-memory.dmp

Filesize
112KB

Download
memory/2752-23-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2752-19-0x00000000772A0000-0x00000000772A1000-memory.dmp

Filesize
4KB

Download
memory/2752-32-0x0000000002200000-0x0000000002218000-memory.dmp

Filesize
96KB

Download
memory/2752-33-0x0000000077260000-0x0000000077261000-memory.dmp

Filesize
4KB

Download
memory/2752-35-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2752-40-0x0000000000910000-0x000000000091E000-memory.dmp

Filesize
56KB

Download
memory/2752-42-0x0000000077240000-0x0000000077241000-memory.dmp

Filesize
4KB

Download
memory/2752-43-0x0000000077230000-0x0000000077231000-memory.dmp

Filesize
4KB

Download
memory/2752-44-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2752-45-0x0000000077220000-0x0000000077221000-memory.dmp

Filesize
4KB

Download
memory/2752-47-0x0000000002240000-0x0000000002252000-memory.dmp

Filesize
72KB

Download
memory/2752-50-0x0000000077210000-0x0000000077211000-memory.dmp

Filesize
4KB

Download
memory/2752-52-0x0000000002260000-0x0000000002276000-memory.dmp

Filesize
88KB

Download
memory/2752-53-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2752-54-0x0000000077200000-0x0000000077201000-memory.dmp

Filesize
4KB

Download
memory/2752-57-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2752-58-0x00000000771F0000-0x00000000771F1000-memory.dmp

Filesize
4KB

Download
memory/2752-59-0x00000000771E0000-0x00000000771E1000-memory.dmp

Filesize
4KB

Download
memory/2752-65-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/2752-69-0x00000000771A0000-0x00000000771A1000-memory.dmp

Filesize
4KB

Download
memory/2752-95-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-73-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/2752-79-0x00000000024E0000-0x000000000252E000-memory.dmp

Filesize
312KB

Download
memory/2752-75-0x0000000002350000-0x000000000235E000-memory.dmp

Filesize
56KB

Download
memory/2752-77-0x0000000002470000-0x0000000002488000-memory.dmp

Filesize
96KB

Download
memory/2752-68-0x0000000002390000-0x00000000023EA000-memory.dmp

Filesize
360KB

Download
memory/2752-66-0x00000000771B0000-0x00000000771B1000-memory.dmp

Filesize
4KB

Download
memory/2752-63-0x0000000002230000-0x0000000002240000-memory.dmp

Filesize
64KB

Download
memory/2752-61-0x0000000002220000-0x000000000222E000-memory.dmp

Filesize
56KB

Download
memory/2752-56-0x0000000002310000-0x0000000002322000-memory.dmp

Filesize
72KB

Download
memory/2752-49-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/2752-41-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-38-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/2752-36-0x0000000077250000-0x0000000077251000-memory.dmp

Filesize
4KB

Download
memory/2752-30-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/2752-20-0x00000000007B0000-0x00000000007D6000-memory.dmp

Filesize
152KB

Download
memory/2752-21-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2752-17-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2752-16-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2752-15-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2752-14-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-13-0x00000000001F0000-0x0000000000576000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads