zgrat | 48b0afb9f404d55c311994ab4da41e3aa6dacd23a1b8e0de1addfe6f9fea4d11

Analysis

max time kernel
0s
max time network
104s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 07:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f181b08d7d06f955a53a2593b3596991.exe
Size

5.0MB
MD5

f181b08d7d06f955a53a2593b3596991
SHA1

c2af74c384c68491121799a8d89b5cd4322c41b2
SHA256

48b0afb9f404d55c311994ab4da41e3aa6dacd23a1b8e0de1addfe6f9fea4d11
SHA512

5784992d21762b523176b3a35e5611916568366fc3abf06cff54c6c1a2b77792f5a50f040facc4b3c786edc31d71b1a41d26a3708483289b3867e949fd515731
SSDEEP

49152:lhUCgfFMiW4UnAnkOh9pjA7E9HgFRJ9Tp4mMeJmjMjK0JlUJkGf3yIGul:s9AdHBJmg1wJkGZl

Score

10^/10

zgrat evasion rat trojan upx

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/files/0x00060000000199e7-653.dat	family_zgrat_v1
behavioral1/files/0x00060000000199e7-652.dat	family_zgrat_v1
behavioral1/memory/488-655-0x0000000000850000-0x000000000097C000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00060000000199e7-649.dat	family_zgrat_v1

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f181b08d7d06f955a53a2593b3596991.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
800	netsh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-733-0x0000000000260000-0x0000000000748000-memory.dmp	upx
behavioral1/files/0x0005000000019fe7-727.dat	upx
behavioral1/files/0x0005000000019fe7-726.dat	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f181b08d7d06f955a53a2593b3596991.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1892	bcdedit.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2772	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1964	schtasks.exe
876	schtasks.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	f181b08d7d06f955a53a2593b3596991.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1960	1540	f181b08d7d06f955a53a2593b3596991.exe	38
PID 1540 wrote to memory of 1960	1540	f181b08d7d06f955a53a2593b3596991.exe	38
PID 1540 wrote to memory of 1960	1540	f181b08d7d06f955a53a2593b3596991.exe	38

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f181b08d7d06f955a53a2593b3596991.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f181b08d7d06f955a53a2593b3596991.exe" -Force
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\is-8NG26.tmp\Ia6xFOoKwKTXwR8ecV1opFCP.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8NG26.tmp\Ia6xFOoKwKTXwR8ecV1opFCP.tmp" /SL5="$60142,4254087,423424,C:\Users\Admin\Pictures\Ia6xFOoKwKTXwR8ecV1opFCP.exe"
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\X509 der encoding\x509derencoding.exe
    "C:\Users\Admin\AppData\Local\X509 der encoding\x509derencoding.exe" -i
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 191
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\X509 der encoding\x509derencoding.exe
    "C:\Users\Admin\AppData\Local\X509 der encoding\x509derencoding.exe" -s
    3⤵
    PID:1504

C:\Users\Admin\AppData\Local\Temp\f181b08d7d06f955a53a2593b3596991.exe
"C:\Users\Admin\AppData\Local\Temp\f181b08d7d06f955a53a2593b3596991.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:1948
- - C:\Users\Admin\Pictures\BMd3ZuPGqSBfOK2AiCElySur.exe
    "C:\Users\Admin\Pictures\BMd3ZuPGqSBfOK2AiCElySur.exe"
    3⤵
    PID:620
- - C:\Users\Admin\Pictures\Ia6xFOoKwKTXwR8ecV1opFCP.exe
    "C:\Users\Admin\Pictures\Ia6xFOoKwKTXwR8ecV1opFCP.exe"
    3⤵
    PID:1960
- - C:\Users\Admin\Pictures\L1XRznhqLpUL32NIAqgJA5jH.exe
    "C:\Users\Admin\Pictures\L1XRznhqLpUL32NIAqgJA5jH.exe"
    3⤵
    PID:1184
  - - C:\Users\Admin\Pictures\L1XRznhqLpUL32NIAqgJA5jH.exe
      "C:\Users\Admin\Pictures\L1XRznhqLpUL32NIAqgJA5jH.exe"
      4⤵
      PID:2344
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:452
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        
        PID:828
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1576
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:1896
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1892
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:876
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2340
- - C:\Users\Admin\Pictures\cu9L2zQVwn043vkuRBZsE8rv.exe
    "C:\Users\Admin\Pictures\cu9L2zQVwn043vkuRBZsE8rv.exe"
    3⤵
    PID:2528
- - C:\Users\Admin\Pictures\o7tYfRNsKaBvwtpLk4sPXpUV.exe
    "C:\Users\Admin\Pictures\o7tYfRNsKaBvwtpLk4sPXpUV.exe" --silent --allusers=0
    3⤵
    PID:2760
- - C:\Users\Admin\Pictures\66OsHntq8iGrrbr3q7gUXTmS.exe
    "C:\Users\Admin\Pictures\66OsHntq8iGrrbr3q7gUXTmS.exe"
    3⤵
    PID:2560
- - C:\Users\Admin\Pictures\Ggp7nBqgBG30q54d7301coiU.exe
    "C:\Users\Admin\Pictures\Ggp7nBqgBG30q54d7301coiU.exe"
    3⤵
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\nsz310.tmp
      C:\Users\Admin\AppData\Local\Temp\nsz310.tmp
      4⤵
      PID:1264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 191
1⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\is-H4DDE.tmp\cu9L2zQVwn043vkuRBZsE8rv.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H4DDE.tmp\cu9L2zQVwn043vkuRBZsE8rv.tmp" /SL5="$601F0,140559,56832,C:\Users\Admin\Pictures\cu9L2zQVwn043vkuRBZsE8rv.exe"
1⤵
PID:1672
- C:\Users\Admin\AppData\Local\Temp\is-FCLD1.tmp\444567.exe
  "C:\Users\Admin\AppData\Local\Temp\is-FCLD1.tmp\444567.exe" /S /UID=lylal220
  2⤵
  PID:488
- - C:\Users\Admin\AppData\Local\Temp\90-5e04f-7d6-bc9bf-069bf135a8e40\Hiwidesawu.exe
    "C:\Users\Admin\AppData\Local\Temp\90-5e04f-7d6-bc9bf-069bf135a8e40\Hiwidesawu.exe"
    3⤵
    PID:2204

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240109074132.log C:\Windows\Logs\CBS\CbsPersist_20240109074132.cab
1⤵
PID:956

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:800

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2228

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e73d77b6a00548ee52a9570d7493b4f

SHA1
e70e5841b172f19b33a6b2d1754fc11a0b1a3cc0

SHA256
0a09d620333b222b266fed8cac4a20d6285e798b8eeaa9e0e5e8cd35e05b5558

SHA512
4fdf844fb8d78fbcc5ae25fd50603c1e7aeeffea6e4a5187b95f0f98ab3889b8badccdd85adff57740e60a71a9088ff5c12590922632185418e83822794abecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0739e533341546405eb74a74c26f57b9

SHA1
b0a439a50a8f4951b60e927792304a7857db0007

SHA256
129fa63f4bca8f5f790a9d8b889a9489069851f2ac94c98ceb8a12fff078381c

SHA512
e0a721aaa808d70ed2e31ee64f8deff33628d4d8bec006d5a3eb0fd4e7dafe0d85310baab7dd84c854afb8f3bafcce820a7600fa18bdb14cb04db2ac350f1dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f771c6b8d5c8683df2516dd804c9e414

SHA1
7f061db7b371fb14907102cf73b30f9ee0297464

SHA256
a03968a824b395a42f9bdc5c2b7ee37baf72ec6f344989ccc850993cab8e3983

SHA512
c5e41dd5278e1912deaec14dd64479bac0b8c649e096d85173819c42cf642fbb2deaaf74f2f3365683f14cf9ec5b6f843f1c199766d024d24bc3866d429dc2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
710KB

MD5
a0e125bfed4bee9bcd42cd3dafefd7e2

SHA1
ecfd0dc3c71ae978ff9b5c42c15f4780c42a0de4

SHA256
429567484ac14872e77e06d4caf564a92d08194f090a0a6bbe5feb0d9a5ad8be

SHA512
059bbbb9a2d6ad152d246d271ac343e022b32e02df9b44047848cd99c43324ca3de93adb20196fc4f724f65b2f2b42c56373ee1189d6fb7364ddfc319d3f0712

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FCLD1.tmp\444567.exe

Filesize
837KB

MD5
57eef540c85629230cf42796581ce5b2

SHA1
1ac457a5ee29cc7682bfd3fc7b4594f3a30b5d0c

SHA256
58b5ec92d57935410a383d8bcdc3541325f020fef399117b92b07a92c0ac5611

SHA512
75c499157b2903975b855ab29f3c0966b5c62335c3fff20b3068bc20bffa1a95247417ccf40363d557bf4cdaa5b365711360a2728acc9a66fc1bc9448c9f39e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FCLD1.tmp\444567.exe

Filesize
981KB

MD5
f1d8b6fe53e6e38b6fe7c635a2f09865

SHA1
7004a594a649cf79cd18dada8edc21fec826f2cb

SHA256
fac4fb92b3439bba87841d6cfea6610dcdbf3b6cbb49afa59b81e396582a1cde

SHA512
02671c7c77bdca83a113581a32d5cbfdb73ff80d6d35fe85d760365e78a9579c28dd2444472c98277782f8700063ed2c92eea617371c8f32e09c5d3467d6e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H4DDE.tmp\cu9L2zQVwn043vkuRBZsE8rv.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
518KB

MD5
a07ae392647ffab6aa18d5d2e65e5cba

SHA1
798ef336b9c01a6c84e7eb542f257ef41bd6ae4b

SHA256
9eb6631f9a21c286aeb7ec2f7b49c74e4fe1436024477b50dd2d24a3921f981a

SHA512
15c6c53f2d840c3445e1f7b4ea18146ffbb12fbf8e3422b6e3ce9c65e3b9eb64e9e7e1d659c14b7bbf7f0cf0339ec3e01a5d707264faec2099e2be70f8a43334

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
140KB

MD5
9137116adad212c65a27fd1f000ab1fa

SHA1
eb2cdd491fe54918098bbf00170bbe842d2dceaf

SHA256
123a6cb63e14689066765f86481e79a13475e9f12b0a0d899fbe09a6d40420e6

SHA512
622d80c0ff91cd29b6d215026d1e83a3a8649a0e878a86a2e1d7ca102dab3aec9530ee66f96e5d7778b654d6d3235ca1e78a731ee394f538537c4c2a6f06fd65

Download Submit
C:\Users\Admin\Pictures\L1XRznhqLpUL32NIAqgJA5jH.exe

Filesize
1.5MB

MD5
d664eb4ac77fc2e36d7d284e132fb148

SHA1
cea2232d87b937f105c2524c33aef32848ff1dbe

SHA256
5818b30732f6286245e31f027dad4f0b216cddf93d0cb369f4f6238403a4582f

SHA512
2bba69ebc5abce56a2059cb24e4dbab5190a6c905eb1e1c8bd3a620cb0d064cf0da4f32fdbc8921fc5e6100570eba34f0a5cd8c75fa5b2afed15df5435cca77b

Download Submit
C:\Users\Admin\Pictures\o7tYfRNsKaBvwtpLk4sPXpUV.exe

Filesize
483KB

MD5
3a7eb8a9c96e1057343e23a34651fc28

SHA1
2e9c6567c415bd33b6f110de40444113cf79390d

SHA256
65b5668d0ee8f64a1bf86f800147945e97c8f435be3c9802e95ad5327a89ab73

SHA512
99c7e5a57d2a4d11f7b5bbb42f3eec2f6c78111e3140db8d1bbf9d0d1556a1a6693c4027cdf879ce9159fad12f6110cfd05f3785e79e08aeee9cee6c063e46d4

Download Submit
C:\Users\Admin\Pictures\o7tYfRNsKaBvwtpLk4sPXpUV.exe

Filesize
648KB

MD5
ad71ec53b288de576b5b242a158e2562

SHA1
e2b7fa6f91798f7d787b386933a0225eab2ec9be

SHA256
e258d0f69e709cf0da263ff65d01ed5ea7e8fd6919ef858ea603a221e1da1228

SHA512
d2b3d2cab401e2b39b2fc2f07a9ed12cabf62bc49862fdf88ad9b148680a59d5bf51773c9800d5587338d4d949b8662b4045b396aaa038483d97bf5905420ce6

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2401090741489592760.dll

Filesize
427KB

MD5
7086097a9f3e12f772eeaee59e80dd4a

SHA1
1dd92a580f466444cc0568fc1c4186420b6f5161

SHA256
05f0015cc0e59f75591945acdb824d220c64a36386bbccba4c3c048bbcb9bbb6

SHA512
ab14b2e18d03d8884f808c468bd03ed48c386bb9373a656d258463347a1a64c7e9e3d7f2f0e150022fbced571714e7baeb34016719cd6ef6ad889b353b7e75aa

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
536KB

MD5
c4c3a778cab11c518ccc1804e7bde399

SHA1
b68ae16b2c259af00cc53dd6f8a61ee9de760e82

SHA256
1b57e59e58c971836a61555c5429cb704ea74e96ccd9a81fe1457298dac9ce9b

SHA512
e426559e762c282f38fba9b9a2bdcfd255d2f42e9171f5ad87d6c342b46b5e6bb2bca9130979e2eafac64977c714e8bd762e66a364c0b45d536353a592a71124

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
619KB

MD5
654e6a51472dac3e7542d3762e8e4e40

SHA1
8c5db17f7019c0eb1ff17c922efe12b014724c3d

SHA256
f85e148b277aab5f20343d5679c42a4c14647f09e832476110880b44103818b1

SHA512
f34750329568f5d68e8940537cd6fcf0cdc344c78c92d84b68ec96c4addcaacef2b95fd82fa7f8dd6e01e332a553566890cf0ae85cef14c8045fb10b6ef9651d

Download Submit
\Users\Admin\AppData\Local\Temp\is-FCLD1.tmp\444567.exe

Filesize
1.0MB

MD5
ecada79dc320f0c85dd511597ffee0e9

SHA1
b50af5d1d9b8171dc63e23a6ac71a54a91559125

SHA256
a27755e084531f232c0f869ce6ca296e3966990a21562119f897a7dfb9cf3c74

SHA512
9af02a627b9863922c50391692aeacaae330152e9b9bc3b4114fd6b1b508ee6dda89205f8193d5c0ff1961c08797711b316867a33fdca591738ec1c7c4dcd170

Download Submit
\Users\Admin\AppData\Local\Temp\is-FCLD1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-FCLD1.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
449KB

MD5
6a676c5b0e1804b8fb645de3fc6c9c89

SHA1
ea25965a81d76e36954aa5735ba08a10d80bcb34

SHA256
b2df686f9ff6087029c17649b872bec8e4081988dbbd1d4c4633d21320e1a39c

SHA512
6a14a4ccc5ea45dfb4177c947aa938414de0aec6ca27f5291bf411b035dc2f2d4786942ef715a0c146ae02f7d90e7b36a6ad7156e7c2a7db470d9dfb4fd6fe6f

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
547KB

MD5
bfaf94d50709e2111df4fcea0a60644c

SHA1
b3873adb4cc803175585008e2f7cc599f97fb9a3

SHA256
72af37b9e650f65d855e306142624d939a4a0a37433a8777d478de459558518d

SHA512
e60cfa6ad0a1b154e05e241a7604fad7eff9394fff23d12c7e632392262eee5048d3f30e3fdb905bc2d3f27db9e97b2cd2abec6bc2eb67a57f92306f697c1e8b

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
439KB

MD5
cca172d4703dd48d747511c416d04b31

SHA1
09cf0458a5e133e21d98b27fdd66703ae16cda10

SHA256
0a1c4351368ddca9b908c7cd2afc10c603fce7938201b04ce641f10dc2ec14eb

SHA512
bf6a24648e649bebda5eb01fc1929e64c55f20aec08f7fa5badb5ef2f497f07f9dbd24631028c8d7fe5870367927f184f798dce4b46d1f388f0e11ada38d185e

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
137KB

MD5
0b84f65964111dfabc25ba8ec3d9988e

SHA1
e79ff6a4128021a1461882929fee1049735e72f8

SHA256
625077105bcae27b57b1e14826a3c89d9474ed580089736d2fc67eb90daaf04d

SHA512
23fbda4d466ab303f654cf0f8fc24b507c7e190029720427b02103d849e1fbdc05badf56757c1583fe279f55a4c7b084b5d7990643963072bf371097bcde1883

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\Pictures\Opera_installer_2401090741536442760.dll

Filesize
333KB

MD5
0894e156ed3645ae24940131137c7319

SHA1
285146f053354e6b1492a06a1d3ddcc557c8c90e

SHA256
81fe0a45d19a25cc75302a018835b8aa1f0e9aa87767e6cd510e72a9f96d228e

SHA512
18cbbd1204ab8690d5cb5fc43f678a7f6a05b01be9e7098cdd914691c5f9c3d2cf8c0b292ed962fe8565c5deaaedb8915fe0331026278e02bb3521e853d92263

Download Submit
\Users\Admin\Pictures\cu9L2zQVwn043vkuRBZsE8rv.exe

Filesize
380KB

MD5
748d10a9f74335cb40b9d62a720bd9d5

SHA1
ef91ce42b14e911a1c178e5cf8675b54922f8f88

SHA256
a32365528f89268c7a0e8a8a8052612ffb72e2eda4c1c8a299cba656cbaf3889

SHA512
9510690e4dff3efbe31fd8139f5694ecec0adeded536faefb4aef6b1eb7a572f7505746f6bbef9959a846e4fe3e63e5c8c7f4a726797c2c879cb7d4a0aa39961

Download Submit
\Windows\rss\csrss.exe

Filesize
978KB

MD5
837fb51d6cad7b531133deb1d5a7f431

SHA1
1b8d1fa54c167fe8aafa649fe327f9923f1e802d

SHA256
9ef33e263b59a06c455bd95d819ef2c131991be961a88c6073db2c751ba509d9

SHA512
7116b7e629931e3b11ede73aba488d3bc7398ba04f994b848da9516c3f0f87f7fd93fcdb4c324ee634ae395630ac81aac4c4f5d6d95f105876a91f68946f9781

Download Submit
\Windows\rss\csrss.exe

Filesize
857KB

MD5
a0b7b6778b12048d2e2031a4fac228e8

SHA1
25e48e9a4e1316a72f73f7af4e42a6610683fdc9

SHA256
028cd315979b46994fad32641acb04335273f48a78de0ef7c15443e1db0668c8

SHA512
c789243333be8e921639836e59e98caa9c11335e55801b8bcc7ad9494878a94f72858bb73b91221992cefc65139ad3cc4ef0049fc89b394be7304e5afa266080

Download Submit
memory/452-692-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/452-669-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/452-757-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/452-763-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/452-854-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/452-694-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/452-802-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/452-836-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/488-657-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/488-655-0x0000000000850000-0x000000000097C000-memory.dmp

Filesize
1.2MB

Download
memory/488-729-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/488-656-0x0000000002340000-0x00000000023F2000-memory.dmp

Filesize
712KB

Download
memory/488-654-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/488-749-0x0000000000740000-0x0000000000780000-memory.dmp

Filesize
256KB

Download
memory/620-268-0x000000013FD10000-0x000000013FD7F000-memory.dmp

Filesize
444KB

Download
memory/828-713-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/828-714-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1184-598-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1184-516-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/1184-600-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1184-602-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/1184-585-0x0000000002C40000-0x000000000352B000-memory.dmp

Filesize
8.9MB

Download
memory/1184-584-0x0000000002840000-0x0000000002C38000-memory.dmp

Filesize
4.0MB

Download
memory/1264-1041-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/1264-1042-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1264-1043-0x0000000000400000-0x000000000086F000-memory.dmp

Filesize
4.4MB

Download
memory/1504-766-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1504-868-0x00000000023F0000-0x0000000002492000-memory.dmp

Filesize
648KB

Download
memory/1504-648-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1504-631-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1504-840-0x00000000023F0000-0x0000000002492000-memory.dmp

Filesize
648KB

Download
memory/1504-843-0x00000000023F0000-0x0000000002492000-memory.dmp

Filesize
648KB

Download
memory/1504-691-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1504-839-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1504-813-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1504-759-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1504-518-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/1672-580-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1672-646-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1820-978-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1948-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-16-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-803-0x0000000009920000-0x0000000009E08000-memory.dmp

Filesize
4.9MB

Download
memory/1948-578-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/1948-25-0x0000000004450000-0x0000000004490000-memory.dmp

Filesize
256KB

Download
memory/1948-24-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-564-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/1948-21-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1948-732-0x0000000009920000-0x0000000009E08000-memory.dmp

Filesize
4.9MB

Download
memory/1948-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1960-9-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1960-4-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1960-5-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1960-6-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-314-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1960-603-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1960-10-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1960-11-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-8-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

Filesize
9.6MB

Download
memory/1960-7-0x0000000002900000-0x0000000002980000-memory.dmp

Filesize
512KB

Download
memory/1992-958-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1992-961-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2204-857-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-814-0x0000000001230000-0x0000000001318000-memory.dmp

Filesize
928KB

Download
memory/2204-816-0x0000000005040000-0x0000000005080000-memory.dmp

Filesize
256KB

Download
memory/2204-815-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-859-0x0000000005040000-0x0000000005080000-memory.dmp

Filesize
256KB

Download
memory/2228-959-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2228-1052-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2344-670-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2344-671-0x0000000002820000-0x0000000002C18000-memory.dmp

Filesize
4.0MB

Download
memory/2344-601-0x0000000002820000-0x0000000002C18000-memory.dmp

Filesize
4.0MB

Download
memory/2344-658-0x0000000002820000-0x0000000002C18000-memory.dmp

Filesize
4.0MB

Download
memory/2344-660-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2344-659-0x0000000002C20000-0x000000000350B000-memory.dmp

Filesize
8.9MB

Download
memory/2528-638-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2528-563-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2560-938-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2620-491-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2620-487-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2620-490-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2760-733-0x0000000000260000-0x0000000000748000-memory.dmp

Filesize
4.9MB

Download
memory/2760-767-0x0000000000260000-0x0000000000748000-memory.dmp

Filesize
4.9MB

Download
memory/2844-630-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2844-632-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2844-347-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads