zgrat | 7f172d780a290e00ba180bab8e5fcec4d1a8f6d8512310794d7e5e9cd45e829d

Analysis

max time kernel
69s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 21:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

045f4cea4f863d9def6967fe35303066.exe
Size

6.4MB
MD5

045f4cea4f863d9def6967fe35303066
SHA1

e40b4393ac099688bee151c475c71a4354c69654
SHA256

7f172d780a290e00ba180bab8e5fcec4d1a8f6d8512310794d7e5e9cd45e829d
SHA512

4779aa92792799d9e5dd6cce3a05c5f06959cdc8213e2fb5c5127733ff1d5c9108f7a13e926ea36f1661bda133b574ac484c5a3bfeed18fdf16f17d03509788f
SSDEEP

98304:Vi3w/4GrQBeQZ1P/by87heRw6+vllYmTDv7GQ6pwoTxFI:VCw/+eMy8te2dlYEDGQT6

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral2/memory/3128-7-0x000000001D330000-0x000000001D39C000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-9-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-11-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-8-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-21-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-33-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-43-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-55-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-65-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-71-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-69-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-67-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-63-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-61-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-59-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-57-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-53-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-51-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-49-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-47-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-45-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-41-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-39-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-37-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-35-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-31-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-29-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-27-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-25-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-23-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-19-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-17-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-15-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/3128-13-0x000000001D330000-0x000000001D395000-memory.dmp	family_zgrat_v1
behavioral2/memory/1916-2185-0x000000001E240000-0x000000001E880000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	045f4cea4f863d9def6967fe35303066.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	045f4cea4f863d9def6967fe35303066.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	045f4cea4f863d9def6967fe35303066.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 3484	3128	045f4cea4f863d9def6967fe35303066.exe	104
PID 3128 wrote to memory of 3484	3128	045f4cea4f863d9def6967fe35303066.exe	104

C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
"C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Jgjfitkqfhlmfojonqa.vbs"
  2⤵
  PID:3484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\webfind.exe'
    3⤵
    PID:3152
- C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
  C:\Users\Admin\AppData\Local\Temp\045f4cea4f863d9def6967fe35303066.exe
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:1608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com -Count 2 -BufferSize 128 -Delay 1
    3⤵
    PID:2008

Network

DNS

19.53.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.53.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

158.240.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

158.240.127.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301666_1OXPU2W8OTP7BGNK2&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301666_1OXPU2W8OTP7BGNK2&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 276356
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A324A27F2499434EAC89A79A1F99C130 Ref B: LON04EDGE1118 Ref C: 2023-12-30T05:52:42Z
date: Sat, 30 Dec 2023 05:52:41 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301674_1HQJ3PMNMDV6D2TGG&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301674_1HQJ3PMNMDV6D2TGG&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 310822
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FE025D55F4084E59B36EBEB7D3C1FA66 Ref B: LON04EDGE1118 Ref C: 2023-12-30T05:52:42Z
date: Sat, 30 Dec 2023 05:52:41 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301257_1V7UFS3KR429ZBZW8&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301257_1V7UFS3KR429ZBZW8&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 419259
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EB819D25B2A8472BB54EDD00723C195A Ref B: LON04EDGE1118 Ref C: 2023-12-30T05:52:42Z
date: Sat, 30 Dec 2023 05:52:41 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301265_1ENV7ZJ2DL0YYQB8P&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301265_1ENV7ZJ2DL0YYQB8P&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 472407
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A63D9062FCF149BA8ED289A509BCD4D7 Ref B: LON04EDGE1118 Ref C: 2023-12-30T05:52:42Z
date: Sat, 30 Dec 2023 05:52:41 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301059_1P6JR4ZMHWPBH8OVK&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301059_1P6JR4ZMHWPBH8OVK&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 315531
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0BD0062E311A41778DC991CE16191A95 Ref B: LON04EDGE1118 Ref C: 2023-12-30T05:52:42Z
date: Sat, 30 Dec 2023 05:52:41 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301492_19VWK67ER2VBBOLMY&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301492_19VWK67ER2VBBOLMY&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 321569
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CE609146CA214D5BB65950C4B3857CCC Ref B: LON04EDGE1118 Ref C: 2023-12-30T05:52:49Z
date: Sat, 30 Dec 2023 05:52:48 GMT
DNS

173.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

173.178.17.96.in-addr.arpa

IN PTR

Response

173.178.17.96.in-addr.arpa

IN PTR

a96-17-178-173deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

www.google.com

Remote address:

8.8.8.8:53

Request

www.google.com

IN A

Response

www.google.com

IN A

142.250.200.4
DNS

91.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.65.42.20.in-addr.arpa

IN PTR

Response
DNS

91.65.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

91.65.42.20.in-addr.arpa

IN PTR

Response

52.142.223.178:80

104 B
2
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301492_19VWK67ER2VBBOLMY&pid=21.2&w=1080&h=1920&c=4

tls, http2

77.2kB
2.2MB
1621
1617

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301666_1OXPU2W8OTP7BGNK2&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301674_1HQJ3PMNMDV6D2TGG&pid=21.2&w=1080&h=1920&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301257_1V7UFS3KR429ZBZW8&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301265_1ENV7ZJ2DL0YYQB8P&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301059_1P6JR4ZMHWPBH8OVK&pid=21.2&w=1920&h=1080&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301492_19VWK67ER2VBBOLMY&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.3kB
8.8kB
17
15
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.2kB
8.3kB
16
14

8.8.8.8:53

19.53.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

19.53.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

43.58.199.20.in-addr.arpa

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

158.240.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

158.240.127.40.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

157.123.68.40.in-addr.arpa

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
173 B
2
1

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

173.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

173.178.17.96.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

www.google.com

dns

60 B
76 B
1
1

DNS Request

www.google.com

DNS Response

142.250.200.4
8.8.8.8:53

91.65.42.20.in-addr.arpa

dns

140 B
312 B
2
2

DNS Request

91.65.42.20.in-addr.arpa

DNS Request

91.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\045f4cea4f863d9def6967fe35303066.exe.log

Filesize
1KB

MD5
b65ecf27e16c9159164a4f3e4f71a9ca

SHA1
775ce345a9eaf954e4833bd25ee2fa4c11fc846a

SHA256
adce6dd6ba66e634fe10e7fade4b6de277f3311ee0d82f6c20141520893bf72a

SHA512
3927300905ca9f86fcdbc31743e285ee376ebb5b2202a07b0c4897f9a699fa84567a5e5c260d8a397b97ddc7d8e550fceccad3ebdc382556f6017816ab0efa2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4240daff4d0559c94aeeaa69828423fa

SHA1
4d2cdd4a4f56c4bfdd632a7864249dc0fad7b18d

SHA256
ac44b3ec8a2fca634edffe5fcfe888256a4e93adc6cebe554a819680028a3e24

SHA512
a8d553a6a3bbf2f45683a6b143cd65e0ce203b4610fc5ff95b813e6fa04629ac4216aa561e4677e70158949ad76c308c8c47af3fcaf48f870b2ba951f3c91ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d096831023867930e62e6d8b3d4d8ca6

SHA1
404a1e73dc1590f1c8b9327c396591567dac7365

SHA256
167f75b42ae614a8d6b0497779ff12f09605328533487f235b029e0db03ad23b

SHA512
31333100ddd8e04bf730118ea800843720c0f3fb69e27b89dda7fa4d717d25e838ad55a0919d47a44dd8a78d724ef8c105cfa230987cc46ba94a2b790ff91b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Jgjfitkqfhlmfojonqa.vbs

Filesize
175B

MD5
10c2467cd97e13e22bd753be3c09c805

SHA1
a4da069e3936b4ab05f06281af76bd05f5d3c9f0

SHA256
29851d647c12d23c40a2b6623451052c1903cdc3ae4a44979507c423fcdb1024

SHA512
7cfd7c289c014b2307feb330e674db4ac3c74b7a3970f57406e98e3d3a29f027dda20820c00eb6559f58d9eb3b487ab5cfaca5e6d3abe70dea9a88690cae1e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckrdsmwj.iis.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/536-2153-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/536-2146-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/536-2149-0x0000027B3B7F0000-0x0000027B3B800000-memory.dmp

Filesize
64KB

Download
memory/536-2151-0x0000027B3B7F0000-0x0000027B3B800000-memory.dmp

Filesize
64KB

Download
memory/536-2150-0x0000027B3B7F0000-0x0000027B3B800000-memory.dmp

Filesize
64KB

Download
memory/896-2133-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/896-2136-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/896-2134-0x0000019EF56F0000-0x0000019EF5700000-memory.dmp

Filesize
64KB

Download
memory/1608-2163-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1608-2165-0x000002217F170000-0x000002217F180000-memory.dmp

Filesize
64KB

Download
memory/1608-2167-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2148-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2184-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/1916-2185-0x000000001E240000-0x000000001E880000-memory.dmp

Filesize
6.2MB

Download
memory/1916-2104-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2102-0x0000000140000000-0x000000014062A000-memory.dmp

Filesize
6.2MB

Download
memory/1916-2818-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/2008-2178-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/2008-2181-0x000001D7AAB30000-0x000001D7AAB40000-memory.dmp

Filesize
64KB

Download
memory/2008-2180-0x000001D7AAB30000-0x000001D7AAB40000-memory.dmp

Filesize
64KB

Download
memory/2008-2179-0x000001D7AAB30000-0x000001D7AAB40000-memory.dmp

Filesize
64KB

Download
memory/2008-2183-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-63-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-43-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-35-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-31-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-29-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-27-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-25-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-23-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-19-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-17-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-15-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-13-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-707-0x000000001C660000-0x000000001C670000-memory.dmp

Filesize
64KB

Download
memory/3128-39-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-2098-0x000000001C660000-0x000000001C670000-memory.dmp

Filesize
64KB

Download
memory/3128-41-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-2103-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-45-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-47-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-2-0x000000001C660000-0x000000001C670000-memory.dmp

Filesize
64KB

Download
memory/3128-49-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-1-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-3-0x000000001C770000-0x000000001C7E6000-memory.dmp

Filesize
472KB

Download
memory/3128-4-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3128-5-0x000000001DAA0000-0x000000001E106000-memory.dmp

Filesize
6.4MB

Download
memory/3128-6-0x00000000035A0000-0x00000000035BE000-memory.dmp

Filesize
120KB

Download
memory/3128-51-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-53-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-57-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-59-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-61-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-0-0x0000000000290000-0x00000000008FA000-memory.dmp

Filesize
6.4MB

Download
memory/3128-67-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-69-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-71-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-65-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-55-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-37-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-33-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-21-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-8-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-11-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-9-0x000000001D330000-0x000000001D395000-memory.dmp

Filesize
404KB

Download
memory/3128-7-0x000000001D330000-0x000000001D39C000-memory.dmp

Filesize
432KB

Download
memory/3152-2121-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3152-2117-0x000001C878AF0000-0x000001C878B00000-memory.dmp

Filesize
64KB

Download
memory/3152-2118-0x000001C878AF0000-0x000001C878B00000-memory.dmp

Filesize
64KB

Download
memory/3152-2115-0x00007FFCF1B60000-0x00007FFCF2621000-memory.dmp

Filesize
10.8MB

Download
memory/3152-2116-0x000001C878AF0000-0x000001C878B00000-memory.dmp

Filesize
64KB

Download
memory/3152-2105-0x000001C878AC0000-0x000001C878AE2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.