zgrat | 35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689

Analysis

max time kernel
0s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 10:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe
Size

3.4MB
MD5

a94547769c3f9ce3594946f16d31ec16
SHA1

7a2753ecc00244a55cca74527b264e7f18659daf
SHA256

35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689
SHA512

6940ac5b321c62fc4f6c94d1f046e1238bf00ca9f0c27fab122af74241aa44c424745159c60e3053532db2698bdb922dca761f8bbff652fe8dad771aa1983178
SSDEEP

98304:yaGGHdfWybAk/avUcqWSbTUzHW+XAWf7uXXx:JGedfWe/CvNqWSnXBI7unx

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 18 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023213-11.dat	family_zgrat_v1
behavioral2/memory/4736-12-0x0000000000F00000-0x0000000001286000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023213-10.dat	family_zgrat_v1
behavioral2/files/0x000600000002321c-89.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-105.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-104.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-168.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-231.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-293.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-353.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-414.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-474.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-534.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-593.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-651.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-711.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-771.dat	family_zgrat_v1
behavioral2/files/0x0006000000023220-831.dat	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	384	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	384	schtasks.exe	95

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3616	schtasks.exe
4860	schtasks.exe
4164	schtasks.exe
2740	schtasks.exe
752	schtasks.exe
3188	schtasks.exe
3304	schtasks.exe
2468	schtasks.exe
1100	schtasks.exe
2848	schtasks.exe
4732	schtasks.exe
4052	schtasks.exe
1132	schtasks.exe
1048	schtasks.exe
4416	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	Process not Found

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
4648	PING.EXE
1312	PING.EXE
860	PING.EXE
1068	PING.EXE
3540	PING.EXE
4232	PING.EXE
1384	PING.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4172	2032	Process not Found	32
PID 2032 wrote to memory of 4172	2032	Process not Found	32
PID 2032 wrote to memory of 4172	2032	Process not Found	32

C:\Users\Admin\AppData\Local\Temp\35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe
"C:\Users\Admin\AppData\Local\Temp\35bc5afb894e68ded5623e057d4f6a93543c487bf1b6e3943e3f332c4dd16689.exe"
1⤵
PID:2032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\driverruntime\lOGn1vzITof4.vbe"
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\driverruntime\i5zSTekZccWHomwpzhFca040UT744SVhuMPteV7Hd8e15f3OsbqO.bat" "
    3⤵
    PID:2352
  - - C:\driverruntime\HyperBrowser.exe
      "C:\driverruntime/HyperBrowser.exe"
      4⤵
      PID:4736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5HW5nWr7i.bat"
        5⤵
        
        PID:1440
      - C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        6⤵
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat"
        7⤵
        
        PID:3708
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        8⤵
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat"
        9⤵
        
        PID:624
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        10⤵
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ORkDibkCMC.bat"
        11⤵
        
        PID:2552
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        12⤵
        
        PID:712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UO0HaVbJ1O.bat"
        13⤵
        
        PID:540
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        14⤵
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cTMYZuI8Vj.bat"
        15⤵
        
        PID:2756
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        16⤵
        
        PID:1392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"
        17⤵
        
        PID:4732
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        18⤵
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat"
        19⤵
        
        PID:1880
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        20⤵
        
        PID:4616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2yB5vkEA4A.bat"
        21⤵
        
        PID:5116
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        22⤵
        
        PID:3236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dNZC7W0h3T.bat"
        23⤵
        
        PID:948
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        24⤵
        
        PID:4100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat"
        25⤵
        
        PID:2444
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        26⤵
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wh6Yr0oKcq.bat"
        27⤵
        
        PID:1028
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        28⤵
        
        PID:3184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qWxuQCq4fF.bat"
        29⤵
        
        PID:5028
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        30⤵
        
        PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1428

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732
- C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  2⤵
  - Runs ping.exe
  PID:1312
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3540

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1228

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4232

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2228

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4428

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1384

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:5024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4648

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4384

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3576

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4412

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:860

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4844

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1068

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4396

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1420

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:444

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3472

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1704

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:3464

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\WmiPrvSE.exe

Filesize
127KB

MD5
5ec21d45371c50a02d9c9c2c090b4692

SHA1
697ce5a4d9619ba4b3ab3d22a829657076ac94e4

SHA256
4a3c4babaf5989fc710ce9bf420bb4653fc1d90ac8f4c926144669d573a72cb1

SHA512
1840e3ceaf91966920468a830017cbf93aa468dfddfc9ee924184f192d9501edf42949b0d7fb9293083ecb7f1dd8a014f6ae40d2826e4bffb9e9182d649d1dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
8ee01a9d8d8d1ecf515b687bf5e354ca

SHA1
c3b943dce30e425ae34e6737c7d5c3cdd92f79c5

SHA256
c45f52a36b283b46aae313b5a4fcbfbfb67b3c5ac4ee3ecd921087ddadb691a1

SHA512
6cb43253ddb3d2e5bdedcf76bc299e91ce970c6ccc53a2d9df7ba621435a6a704ce3990bdf59d939e513e609bab3daf8f110c1cca8485e1a9fe8536a67d41dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\2yB5vkEA4A.bat

Filesize
157B

MD5
595d367000b31211dbe1a7fb127205cc

SHA1
7794a522ddd40c0512352d6ed341287249f737e3

SHA256
288674d9c90740a70bec35f6ddb85970ec692b0e8f1ca7ba298188775def51e6

SHA512
b24259d6353a27aa18a6c9b75af67ff074a48c1f3885986d0d5a6d8beea01776b6ab7155bae9cd39b10af979c965223b46b2de06206adc69e345a549f7d9c612

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat

Filesize
157B

MD5
0f4f4ec371f74d68a08288cc23ff144f

SHA1
69d6f4c41d453e94d81ed3c37deb4001e419c048

SHA256
f0e6fc936b992e094d874083a0533444c9f828f66bc76e97f0b2e542c84f1cb0

SHA512
dd93e2dbae4474c30735180a83bad0d41de609a77c9799d795f98c3dc5a0621fa8e67dcf4f731aa762a0f7481f96802f92f3a70c327baef45a55838939e0fa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ORkDibkCMC.bat

Filesize
205B

MD5
3b742efeb17a230d0c2f4f3ae45366fe

SHA1
cd2b934ddcc23b6ee929d03ff42a27534437d2f6

SHA256
d2e527238d1561210b03b00bf581673125834b67f754cdf7a95fa8302fa4a664

SHA512
e3a8a564d51f285db709d7a4d27c20526bd199e86107a17e4ddd8957aac4e6cbba538ff7df55542df65dc8c0594564ec12c1271ecddbb78176ad565b2459c6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat

Filesize
205B

MD5
e8d8497b6140c6f7bd1cecac10f3dae8

SHA1
cddfce7239cf5e1b49b9044314ba79df7a3cb385

SHA256
3cd1dde59339a5a5bea72084df753a4c1f2712014b5899f4e4f32c651591388d

SHA512
bfb0377d1af085e2a5e6c4e5f62d681ef64e1bbb1e785c6474123c216f9a44d3dcb32ee905bfcc82e94713a877336c590f02876820424b3a7b0e84324613affd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UO0HaVbJ1O.bat

Filesize
157B

MD5
d888204c947df9214cbf15d6667f8c1e

SHA1
8d4e974f90e791541d990e5c7a17872d95e36376

SHA256
d4524e61d15576f4e45c8eaba9236d13710b45c9283e3487ea4c64a0baeb1285

SHA512
e59ac47678c2bf3b003405fb27d5daf6eac4b511f259fdd24eb3604f06f6ccb4739846e02c9e95121e11b8fa5d59201677efd087dc39f0ad8d18b255875404ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\cTMYZuI8Vj.bat

Filesize
157B

MD5
1cd7007ecbbfa039699dc2f0895f77fd

SHA1
500fb00b19609b79683b370a677ec224a886db1d

SHA256
edb9c0294a6de9c580069a176f88129d641c0ac17e7e4f2fb2928e93a259d957

SHA512
9a15ab6e8f1ef64f2e6cbb53961efe29f27e71cf999e0943d1d9a9ea8aa75acc4faac49c7a2da9fae2d9dd2bc57acb8e4e6eb6afec1ffdb6d9df7153f7b00886

Download Submit
C:\Users\Admin\AppData\Local\Temp\dNZC7W0h3T.bat

Filesize
157B

MD5
e51196ab78e05d19fda2e1ff283dc25a

SHA1
9e89a2bc13015a2a97563e157a4ad3e56dbb0473

SHA256
e75789849dd8a652bba0e11818e36e1a569597491a44c8d7889daae6aeac0f47

SHA512
4fe4883d21fb3afc37c7a1b495bb7e4d746382a48f7cdc149a2bbfa0a12ef3b8fc8edfda2be1a31fcf11549ccd43b95542b468a7ad7a2bb255e9925612bc634c

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2M6WqyfOt.bat

Filesize
205B

MD5
9d39caded07ff3573e4450dac4b24b81

SHA1
9e0ee11f75cb3602ca1c69b901139ff6e63924a6

SHA256
6aa868184cb5d17ef3ff9bc3f0b5a639b90ee134c89dd085d0f3b307aab4816c

SHA512
5dbb6ff684da8a9feeeca7a2ef48bf2b4acbc20157d1d697b036626bf6dfbed868ab1750d4767b3e8fa2b656036563d5cc79e12b49b4f99de6c625cdd88f13ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qWxuQCq4fF.bat

Filesize
205B

MD5
7e6953d4aa60af5922ab3d79775579ce

SHA1
867e592cfb537ebe15e8debbf16ccf64661d2bae

SHA256
7a34e83e381cbd475a54e612a3d4e5d7e78c9132060e693f98a8678397239c77

SHA512
bec214af1e4802ce056a0a435e324b12f39bdaa248495e32daf7de9586305778adbdbdaa7892f442bf14d4e53a6948b1b035ae04b793d6d5adc644055c3ebdc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

Filesize
157B

MD5
5b32b601a541a1592199e8250714126e

SHA1
633d815b03fa5f577f6fc92d639975d2e0474f32

SHA256
c7c36a24a769097ad0e80cd969188e61a71ce8c03387cf7b2aed06d2c438839c

SHA512
64536379bab4a636ed7c170f3c5582eebc4e7b42f1ff4340ed2db080c66650c25b1a715d61f6bbd52e06bb6fdc9990e85ee3e59bd5866f1a721454aedc2e96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\v8evR6XBmk.bat

Filesize
157B

MD5
81039a0d601194171efe7ce6c1f5392e

SHA1
9ff67af057d0ce6707f32e2e4a62392149c90d31

SHA256
3a264957728119ee3ceac261d1a2d948c611b12ca1a92ffb45874174cab30f78

SHA512
07f85c8833842043e450b0243c2ff450bf642b7d6d1c63e6e8717fcc414a9c77312d1682eec7b25258e083a20b5524794c0a72ef173c63ea42281e1d7199779b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wh6Yr0oKcq.bat

Filesize
205B

MD5
9051b6a87a526762110d19d59f2a07d2

SHA1
36f1a9db2987316cf52acdf0ee74d1df5066a0d5

SHA256
71859db78f4be678277dcdb2386e437f73e61aee820f9cd08d86b478f51a6f7e

SHA512
9b36ccb268c5df1f7657678bc7b0ef59f05618bda02033a6cba45b7ecf820abee16be6291d28de81a19f0d39f406eb6e011661aea8aea0d36c3b5f37c973b47c

Download Submit
C:\Users\Default User\dwm.exe

Filesize
100KB

MD5
5dd2e3a0c86deaec67f0441837758e6a

SHA1
5ee81771d26538858c801b483cfbd43c7df5d7b3

SHA256
cd8abc3f8fe0322cb827b2a40f84e55dc0cbd0f3201c0b10025bc1c71d9c63bf

SHA512
c77b078d81a60d3af885b394ebba5cf864072b7de29052ddf9544730b7fd1be366e4f4f8d49e236838447715d0be407ff7e61b5bc9f3361d1f5d03767aa881b2

Download Submit
C:\Users\Default\dwm.exe

Filesize
26KB

MD5
91f24888ce544ffe7b9cd5de3ca44b72

SHA1
8bb253fe0b03c075d0dbe20edfb8031bbcdaeca9

SHA256
b49b1eccea8ab61770512509a546208d1ccf5138132d7aaa6669f9fe26f9b1d6

SHA512
2108ec36dc21ea005a17e5bbf1e97cb3ff2cacb5c27b383254729e4a382dd10764e139ad1e42a779b7f914c3c0947391b8ae167135ea130d2ae56406d726738d

Download Submit
C:\Users\Default\dwm.exe

Filesize
64KB

MD5
98ef75fde1f26635cb30ce7c48d60c86

SHA1
814d4074dce493b50e4ab078e755f57be78a2cd7

SHA256
abac9a747c2d2d12193b4e15b9594d3e9117aae8762cc9f13ba2b7a4a3654e79

SHA512
3bf6777d5000b9fd781702f484f5faff679ae4ebae0aad7e5e7f93a687e2be24ad371bcb383249a8d62c46ae7ecf2354bf5b7b58b598b2d2476d04dc1421fec1

Download Submit
C:\Users\Default\dwm.exe

Filesize
2KB

MD5
d9e9adf42fc75e621a0d44dd7a7b499b

SHA1
e1d3f2da363c9fa9fc24c55e864a4438fdecca0e

SHA256
2feafdc1bfafb78342768d807815e2cf3239495ceef6d078e57b4ee04fe45e0b

SHA512
9d28b2d763e2fd7562b9d1599a656415c61fc26bdcb8455397a1d027069e861dbcd139f3a706fdfa832dc5f978850629186bf38ecdcb473ae9a44396a5fe187c

Download Submit
C:\Users\Default\dwm.exe

Filesize
140KB

MD5
c2f191b7588a0605ce7433c3b585ef5f

SHA1
c193d5cd88e9c637cb172051198e5391c074389a

SHA256
973e1680dda4d97752557c1a1d5a7b44824aee49f499b429908a45538c42bcbd

SHA512
7850b05619c005890e629f6bbf8c71950471c7f886fecc64f8b70d669ebe47ceddd8a24672ed5d4f486f9ad6227f2945bf17b371299c9c5f4b121b11ab3813fd

Download Submit
C:\Users\Default\dwm.exe

Filesize
88KB

MD5
dcb0ae18e858b7f3b6b666557cc3d348

SHA1
b300cf09c7c3a62f32a761a7b4f1a0e4775082cc

SHA256
f443e2d153a512ca794cdb84aa06d9026af451b4e111de6b70a3797b09832cc4

SHA512
16e9d25012f69f695404ae37368468800abba813bfffdd47409cccfd6b516b0671a5fbf3390e3cea1b689e8a33db76e8d9dba1a14edb3a36405270bae3bff428

Download Submit
C:\Users\Default\dwm.exe

Filesize
41KB

MD5
39da4951dc305d29e063ef41385e837e

SHA1
d4a8ce57bd9be80c1b4d824fe283e1aa3fc7c096

SHA256
4f62af6e56a14e2409f4b3bae4021bed90e1b243c1ee1f1bf2131f2264f69fc7

SHA512
a491286fbd459a70df8e1a2cfcab56a63e5e77023922d6a6fee11d53d3d3f9e127ae4580c5608841de699a6d424c2e96a898dfb879b3fce60c8a354d47ddf4a7

Download Submit
C:\Users\Default\dwm.exe

Filesize
49KB

MD5
66c88c9f589fb060baaf369da1c4aabf

SHA1
26ac8d1a10dff110be9c8999b7055aad7384fad4

SHA256
a0ff9f577f69bc1d392fa63718f2f174d176a54855ebaa7298184e09a6e59986

SHA512
8d05032781618a1eff81fe33fcaa996a793398bd37f16aec01390db42177e76f2ce3ee6232c4e8a42672db0a81f1c080ecb32f6885fd15450ddeac74b392399d

Download Submit
C:\Users\Default\dwm.exe

Filesize
22KB

MD5
223dd84cc08e1f959f543973e665c87a

SHA1
64907d4dcc952ea0d8a7ecbe76244fe5d7330711

SHA256
2a1123942e605733982177b8ed05a30e95a8c4315d04699d3cf0f4befb9a1460

SHA512
5f1f1f7b17541d46e57cf67ac3e011ec48e1c32f7cb3d10ad3047636c388bbd22b0880fd5128c66864278c5d9d8183cf50900a10935c19b102106651bca7cb83

Download Submit
C:\Users\Default\dwm.exe

Filesize
45KB

MD5
39131e58ea12b0d6251a2ee408012458

SHA1
9b5f8386f59d0dbbaef8fff1edab780bc6cfa730

SHA256
406473e79ae05adb9bc9fb3d69d7a2634ebfdd40c42ae29130679765395157c4

SHA512
840d71607f65e3cc7daf7498b07f5b4a9826db7f18c2589d066d8c03f1dd357d836f3512187ff70c65974d11ebec3e63b378e0deff38ad06fb6d918708d7b7e0

Download Submit
C:\Users\Default\dwm.exe

Filesize
180KB

MD5
db3d1fe9bd5f6fa3e7bb9708bc6cbf4a

SHA1
709ec776e427e5f96da7fa607707dda130bb165a

SHA256
ea764e377e40511ebe6fc40c8df3c55c89aa691938b3a01f0e930919c6ac7bc4

SHA512
cfff05e6aa51e122d5f4d690edf51da02d5ae09f15def187b8748e4686d7342f33f88b258caf57f193d6d0f3c87275920e9d1a23093515676cf3385320adfc2f

Download Submit
C:\Users\Default\dwm.exe

Filesize
137KB

MD5
b76cbb6597ff129779c979638949ad1c

SHA1
1d633cd667cee0242b5d933754005fc50ccf488c

SHA256
9fead3b320508070474bf8c909460da515c87925806be7f8abedec247b1683a3

SHA512
b5c746b465b179346c717e4cfb1afc0172c29e426f7eff6e74d3e72726921f358c3fbf98237696c9aa114aa5bfceef62a99dd9b4292469d0789200555bf24a3d

Download Submit
C:\Users\Default\dwm.exe

Filesize
80KB

MD5
5bb310b557cc086a8049cf6882a56348

SHA1
4345e436c99c23296c3db5e1cf4603672058d95f

SHA256
91c502f1127fcdda0873dab1c03c2e3a21827c22f39afde7d51538ac5a6f49e2

SHA512
01924826c5c47db1457a25034f96872119efd4c83764f48db0db1cbd6661425548c022739d06fbf178eb0dfd062b299178a730ed98f21b03cb7986fa034a8a66

Download Submit
C:\Users\Default\dwm.exe

Filesize
255KB

MD5
4e25d1ba74d1efe72becb866a50ae850

SHA1
d5098736abf96acb1890fa96154246331c9f1409

SHA256
7854889ba42683c36978e4fb93645e6399cfbdf8239c944a1a15a4eedc70ed69

SHA512
8808964ee6b12d0722db49fa40c6deddca483d9d48ac8c4dc26341c7651b3b5570257ea98db38f64ab1f3750831af16e3d716e3caea2963f52caa0e36c735fef

Download Submit
C:\driverruntime\HyperBrowser.exe

Filesize
65KB

MD5
4e97e170079ca0e4feccd41a1578a395

SHA1
186f236880a0ec1fe53df9de63b8f154b824b747

SHA256
f0fd06076cef08efff66d06c81900dce2a147fd2dac56e688df4ec3bb65d726c

SHA512
09908e36e7ae3fa44d1770714f83f698b2212848ed055d9b043c12e94fa3382120dd69eafac2458d3e5b69d407fab5720932a09653f12307eb776cc9b53f416a

Download Submit
C:\driverruntime\HyperBrowser.exe

Filesize
59KB

MD5
5d7306f58b650b342d96fe466907a87d

SHA1
d60acaa46eef02fea064d24becd2fd8decb50d0d

SHA256
c3442b73cc224e5d8a15ee62b5885ab35d87a15aa06101229a12c080d60efe72

SHA512
b5901184a054304394c82270d43ffa7678dc8e637642b077a7a7a490affac78274c3c0e2f37dc9ce0f777a586c31c8a1056bbd2ef5aef519948f3be9c312425f

Download Submit
C:\driverruntime\i5zSTekZccWHomwpzhFca040UT744SVhuMPteV7Hd8e15f3OsbqO.bat

Filesize
86B

MD5
2d20db6122450fdd175cf73d4ff6453d

SHA1
9d096f02847fcf09ceb4e5bbfaf18e67a3499529

SHA256
014efe499144db3d2d65d6d6be47ab806f3392902f3804e20abc28e2c196e6ed

SHA512
0a9739c3ea5d058263c4b504ddc64403703e2d5c7235176b5c498c17258087d0807d388e210c03429fbfd847e600dcb102e93d6cc0998fc45e20799de84b1b9c

Download Submit
C:\driverruntime\lOGn1vzITof4.vbe

Filesize
255B

MD5
d7b78164e8e6e4565d9d518995f7616b

SHA1
84caab43657f322e407bbe243c21b6fe757fe180

SHA256
167e1c62e5921c18063038a38851d7b39bd98214fda83f8fc89c72fdaa3dffa3

SHA512
5a07163186e14406beb796743cf40d2ee1f7630e5d610a1085ca5e726f8c8e94e1d59a5474a5723b0182e7aaa75daeadb8916f95d57db5af0208bd0a6bf486d0

Download Submit
memory/4540-108-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/4540-109-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4540-110-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmp

Filesize
760KB

Download
memory/4540-116-0x00007FFEF9F60000-0x00007FFEF9F61000-memory.dmp

Filesize
4KB

Download
memory/4540-111-0x00007FFEF9F70000-0x00007FFEF9F71000-memory.dmp

Filesize
4KB

Download
memory/4540-113-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmp

Filesize
760KB

Download
memory/4540-106-0x00007FFEDB270000-0x00007FFEDBD31000-memory.dmp

Filesize
10.8MB

Download
memory/4540-107-0x000000001BB70000-0x000000001BB80000-memory.dmp

Filesize
64KB

Download
memory/4736-77-0x00007FFEF9E60000-0x00007FFEF9E61000-memory.dmp

Filesize
4KB

Download
memory/4736-76-0x000000001C040000-0x000000001C050000-memory.dmp

Filesize
64KB

Download
memory/4736-55-0x00007FFEF9ED0000-0x00007FFEF9ED1000-memory.dmp

Filesize
4KB

Download
memory/4736-54-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmp

Filesize
760KB

Download
memory/4736-49-0x00007FFEF9EE0000-0x00007FFEF9EE1000-memory.dmp

Filesize
4KB

Download
memory/4736-48-0x00007FFEF9EF0000-0x00007FFEF9EF1000-memory.dmp

Filesize
4KB

Download
memory/4736-47-0x0000000003700000-0x0000000003712000-memory.dmp

Filesize
72KB

Download
memory/4736-44-0x000000001C080000-0x000000001C090000-memory.dmp

Filesize
64KB

Download
memory/4736-43-0x00000000034D0000-0x00000000034DE000-memory.dmp

Filesize
56KB

Download
memory/4736-41-0x00007FFEF9F20000-0x00007FFEF9F21000-memory.dmp

Filesize
4KB

Download
memory/4736-40-0x00000000034C0000-0x00000000034D0000-memory.dmp

Filesize
64KB

Download
memory/4736-38-0x00007FFEF9F10000-0x00007FFEF9F11000-memory.dmp

Filesize
4KB

Download
memory/4736-36-0x00007FFEDB270000-0x00007FFEDBD31000-memory.dmp

Filesize
10.8MB

Download
memory/4736-35-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4736-31-0x00007FFEF9F40000-0x00007FFEF9F41000-memory.dmp

Filesize
4KB

Download
memory/4736-28-0x00000000036B0000-0x0000000003700000-memory.dmp

Filesize
320KB

Download
memory/4736-27-0x0000000003510000-0x000000000352C000-memory.dmp

Filesize
112KB

Download
memory/4736-25-0x00007FFEF9F50000-0x00007FFEF9F51000-memory.dmp

Filesize
4KB

Download
memory/4736-23-0x0000000001BA0000-0x0000000001BAE000-memory.dmp

Filesize
56KB

Download
memory/4736-20-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmp

Filesize
760KB

Download
memory/4736-19-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmp

Filesize
760KB

Download
memory/4736-61-0x0000000003680000-0x000000000368E000-memory.dmp

Filesize
56KB

Download
memory/4736-62-0x00007FFEF9EB0000-0x00007FFEF9EB1000-memory.dmp

Filesize
4KB

Download
memory/4736-65-0x0000000003690000-0x00000000036A0000-memory.dmp

Filesize
64KB

Download
memory/4736-66-0x00007FFEF9E90000-0x00007FFEF9E91000-memory.dmp

Filesize
4KB

Download
memory/4736-69-0x00007FFEF9E80000-0x00007FFEF9E81000-memory.dmp

Filesize
4KB

Download
memory/4736-72-0x00007FFEF9E70000-0x00007FFEF9E71000-memory.dmp

Filesize
4KB

Download
memory/4736-59-0x000000001D870000-0x000000001DD98000-memory.dmp

Filesize
5.2MB

Download
memory/4736-80-0x000000001C050000-0x000000001C05E000-memory.dmp

Filesize
56KB

Download
memory/4736-102-0x00007FFEF9FE0000-0x00007FFEFA09E000-memory.dmp

Filesize
760KB

Download
memory/4736-103-0x00007FFEDB270000-0x00007FFEDBD31000-memory.dmp

Filesize
10.8MB

Download
memory/4736-82-0x000000001D340000-0x000000001D358000-memory.dmp

Filesize
96KB

Download
memory/4736-85-0x00007FFEF9E30000-0x00007FFEF9E31000-memory.dmp

Filesize
4KB

Download
memory/4736-86-0x000000001D450000-0x000000001D49E000-memory.dmp

Filesize
312KB

Download
memory/4736-83-0x00007FFEF9E40000-0x00007FFEF9E41000-memory.dmp

Filesize
4KB

Download
memory/4736-78-0x00007FFEF9E50000-0x00007FFEF9E51000-memory.dmp

Filesize
4KB

Download
memory/4736-74-0x000000001C030000-0x000000001C03E000-memory.dmp

Filesize
56KB

Download
memory/4736-71-0x000000001D3A0000-0x000000001D3FA000-memory.dmp

Filesize
360KB

Download
memory/4736-68-0x00000000036A0000-0x00000000036B0000-memory.dmp

Filesize
64KB

Download
memory/4736-63-0x00007FFEF9EA0000-0x00007FFEF9EA1000-memory.dmp

Filesize
4KB

Download
memory/4736-57-0x000000001C010000-0x000000001C022000-memory.dmp

Filesize
72KB

Download
memory/4736-58-0x00007FFEF9EC0000-0x00007FFEF9EC1000-memory.dmp

Filesize
4KB

Download
memory/4736-53-0x000000001BFF0000-0x000000001C006000-memory.dmp

Filesize
88KB

Download
memory/4736-51-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/4736-45-0x00007FFEF9F00000-0x00007FFEF9F01000-memory.dmp

Filesize
4KB

Download
memory/4736-37-0x00007FFEF9F30000-0x00007FFEF9F31000-memory.dmp

Filesize
4KB

Download
memory/4736-33-0x0000000003660000-0x0000000003678000-memory.dmp

Filesize
96KB

Download
memory/4736-30-0x0000000001BF0000-0x0000000001C00000-memory.dmp

Filesize
64KB

Download
memory/4736-24-0x00007FFEF9F60000-0x00007FFEF9F61000-memory.dmp

Filesize
4KB

Download
memory/4736-21-0x00007FFEF9F70000-0x00007FFEF9F71000-memory.dmp

Filesize
4KB

Download
memory/4736-18-0x00000000034E0000-0x0000000003506000-memory.dmp

Filesize
152KB

Download
memory/4736-16-0x000000001C080000-0x000000001C090000-memory.dmp

Filesize
64KB

Download
memory/4736-13-0x00007FFEDB270000-0x00007FFEDBD31000-memory.dmp

Filesize
10.8MB

Download
memory/4736-14-0x0000000001B20000-0x0000000001B21000-memory.dmp

Filesize
4KB

Download
memory/4736-15-0x000000001C080000-0x000000001C090000-memory.dmp

Filesize
64KB

Download
memory/4736-12-0x0000000000F00000-0x0000000001286000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads