zgrat | eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5

General

Target

eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe
Size

2.2MB
MD5

84c895e5e9d2e8a4a33bcc6ec7657b20
SHA1

f7efe5f005597309a25ad8eeaba6c77dff827caf
SHA256

eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5
SHA512

423841c1d334029bcfc4265b9599d219d42e8938504d9e9af0691111cbdb24c1d0a3712176b96faf0596732fa65129ee8e49a0a38efdfcfd3b212be82208ddff
SSDEEP

24576:2TbBv5rUyXVgEtP/SRdxjxY8eCpDbZXvSBNOjABV+m/dynu46+I9KTVQpeeKghOL:IBJLj8ZbkNF0m/0vV1eKghUYFtML/sJU

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe	family_zgrat_v1
behavioral1/memory/2564-13-0x00000000008A0000-0x0000000000A92000-memory.dmp	family_zgrat_v1
behavioral1/memory/1824-55-0x00000000012A0000-0x0000000001492000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2688	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2688	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 2 IoCs

Processes:

ContainerserverFontSavessession.exedwm.exe

pid process

2564 ContainerserverFontSavessession.exe
1824 dwm.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1816 cmd.exe
1816 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1816	cmd.exe
1816	cmd.exe

Drops file in Program Files directory 5 IoCs

Processes:

ContainerserverFontSavessession.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Services\69ddcba757bf72	ContainerserverFontSavessession.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\csrss.exe	ContainerserverFontSavessession.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\886983d96e3d3e	ContainerserverFontSavessession.exe
File created	C:\Program Files (x86)\Common Files\Services\smss.exe	ContainerserverFontSavessession.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\smss.exe	ContainerserverFontSavessession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2508	schtasks.exe
2628	schtasks.exe
1412	schtasks.exe
2348	schtasks.exe
1964	schtasks.exe
848	schtasks.exe
2692	schtasks.exe
2868	schtasks.exe
3004	schtasks.exe
2236	schtasks.exe
1784	schtasks.exe
1424	schtasks.exe
1172	schtasks.exe
1876	schtasks.exe
1680	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2080 PING.EXE

pid	process
2080	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ContainerserverFontSavessession.exe

pid	process
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe
2564	ContainerserverFontSavessession.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ContainerserverFontSavessession.exedwm.exe

description pid process

Token: SeDebugPrivilege 2564 ContainerserverFontSavessession.exe
Token: SeDebugPrivilege 1824 dwm.exe

description	pid	process
Token: SeDebugPrivilege	2564	ContainerserverFontSavessession.exe
Token: SeDebugPrivilege	1824	dwm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exeWScript.execmd.exeContainerserverFontSavessession.execmd.exe

description	pid	process	target process
PID 2896 wrote to memory of 2320	2896	eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe	WScript.exe
PID 2896 wrote to memory of 2320	2896	eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe	WScript.exe
PID 2896 wrote to memory of 2320	2896	eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe	WScript.exe
PID 2896 wrote to memory of 2320	2896	eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe	WScript.exe
PID 2320 wrote to memory of 1816	2320	WScript.exe	cmd.exe
PID 2320 wrote to memory of 1816	2320	WScript.exe	cmd.exe
PID 2320 wrote to memory of 1816	2320	WScript.exe	cmd.exe
PID 2320 wrote to memory of 1816	2320	WScript.exe	cmd.exe
PID 1816 wrote to memory of 2564	1816	cmd.exe	ContainerserverFontSavessession.exe
PID 1816 wrote to memory of 2564	1816	cmd.exe	ContainerserverFontSavessession.exe
PID 1816 wrote to memory of 2564	1816	cmd.exe	ContainerserverFontSavessession.exe
PID 1816 wrote to memory of 2564	1816	cmd.exe	ContainerserverFontSavessession.exe
PID 2564 wrote to memory of 1536	2564	ContainerserverFontSavessession.exe	cmd.exe
PID 2564 wrote to memory of 1536	2564	ContainerserverFontSavessession.exe	cmd.exe
PID 2564 wrote to memory of 1536	2564	ContainerserverFontSavessession.exe	cmd.exe
PID 1536 wrote to memory of 1388	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 1388	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 1388	1536	cmd.exe	chcp.com
PID 1536 wrote to memory of 2080	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 2080	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 2080	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 1824	1536	cmd.exe	dwm.exe
PID 1536 wrote to memory of 1824	1536	cmd.exe	dwm.exe
PID 1536 wrote to memory of 1824	1536	cmd.exe	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe
"C:\Users\Admin\AppData\Local\Temp\eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
"C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8yXT8NHeen.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1388

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2080

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe
"C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\ebbea1a2-8f1b-11ee-aa93-7ed9061e9c39\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\PortproviderwinMonitorSvc\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\PortproviderwinMonitorSvc\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe
Filesize
251B

MD5
288ece3d2e1006c5fa8a526d2d0fab12

SHA1
b466938792d856b963788f55037be3893024169f

SHA256
47a7ef36b24fc4250a41e93d7e132fee06b972b98317e6226814e676092b1fb1

SHA512
f818e2293f7128d1d12eeb577bbb1f9d16f0208a2b2c68d30f4b12e7ebececdc93c6b272810efb22d9b4778105e0ffc5da095feeda50ccfe9efecd52644a69b7

Download Submit
C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat
Filesize
101B

MD5
a1e10402205eb4379b696c320914eea5

SHA1
048575ccf93cf9d1e039b1b1bce5eb97d61e1048

SHA256
0861e3de74e15568d8ed44ff86fea6f446ba8eb1561ec374202b4ebba7e279b5

SHA512
fde6ddd99da5609f138badeb28f448a2b673374a1c19eee36f9215c11efe96d7d9d64a396dcbfccc911ed26915c14ace092f10b821707162cd634d08663ad427

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yXT8NHeen.bat
Filesize
198B

MD5
6ac992cdfd5f4f42e6a8661318885b54

SHA1
5a1e336a6487a8cef8e833f31f52bbc0b956c7a2

SHA256
8781ac597030e1fa0efc7593ec1ebe456f2b9ec5270447bbcb7fa4953767d761

SHA512
44c52dc1274aca67e8cc38c18fae3bc02684cb1fc818337c3f656e512367a4c7854eaeb4d83637850749c253b3a85f549710d35a084b69e53d0c1ec5f120fbe7

Download Submit
\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
Filesize
1.9MB

MD5
d67f722b73a3cbef568a2e3124a4bc04

SHA1
27e0a75a646fb2869b31eab2f34f1de4db7e35e6

SHA256
b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303

SHA512
c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb

Download Submit
memory/1824-69-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/1824-68-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/1824-73-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/1824-72-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/1824-71-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/1824-92-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/1824-93-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/1824-74-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/1824-66-0x0000000077100000-0x0000000077101000-memory.dmp

Filesize
4KB

Download
memory/1824-61-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/1824-60-0x0000000077120000-0x0000000077121000-memory.dmp

Filesize
4KB

Download
memory/1824-59-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/1824-58-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1824-57-0x000000001B500000-0x000000001B580000-memory.dmp

Filesize
512KB

Download
memory/1824-55-0x00000000012A0000-0x0000000001492000-memory.dmp

Filesize
1.9MB

Download
memory/1824-56-0x000007FEF4FC0000-0x000007FEF59AC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-19-0x0000000000810000-0x0000000000890000-memory.dmp

Filesize
512KB

Download
memory/2564-52-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-35-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2564-33-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/2564-32-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2564-30-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/2564-29-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2564-27-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/2564-26-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/2564-24-0x0000000077100000-0x0000000077101000-memory.dmp

Filesize
4KB

Download
memory/2564-23-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2564-21-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2564-18-0x0000000077120000-0x0000000077121000-memory.dmp

Filesize
4KB

Download
memory/2564-17-0x0000000000810000-0x0000000000890000-memory.dmp

Filesize
512KB

Download
memory/2564-16-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2564-15-0x0000000000810000-0x0000000000890000-memory.dmp

Filesize
512KB

Download
memory/2564-14-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-13-0x00000000008A0000-0x0000000000A92000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads