zgrat | 1f64bc9469a33c77561e22beea18d9bbdd343dae89bc6f02bc85e24873d93f4e

Resubmissions

05-05-2024 02:01

240505-cfwftaed23 10

03-03-2024 18:34

240303-w76kmseh68 10

03-03-2024 18:33

240303-w7jqwaeb8v 10

03-03-2024 18:30

240303-w5g49seg83 10

Analysis

max time kernel
48s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa8c24b42f6542a290d85a9a3723e2a.exe
Size

328KB
MD5

2fa8c24b42f6542a290d85a9a3723e2a
SHA1

d7a518d0d6eae7732a59c6a7c397f0777d111255
SHA256

1f64bc9469a33c77561e22beea18d9bbdd343dae89bc6f02bc85e24873d93f4e
SHA512

764731d7ac9329083fc3a3db505b12c0a0f63ef3de3f07db80ebaab237a698b980961daaaa6b14b49ea63f93d5a848e81de6a50898c36f8609109c3ef70dc6db
SSDEEP

6144:3eY+jinF8jE9sKKegRcd2cS8ADT+5amtQuicddRp:fJf5vr9AuYOp

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2928-0-0x00000000010E0000-0x0000000001134000-memory.dmp	family_zgrat_v1
behavioral1/memory/2928-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

2fa8c24b42f6542a290d85a9a3723e2a.exe

description pid process target process

PID 2928 set thread context of 2148 2928 2fa8c24b42f6542a290d85a9a3723e2a.exe RegAsm.exe

flow	ioc
5	ip-api.com

description	pid	process	target process
PID 2928 set thread context of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2684 chrome.exe
2684 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2148	RegAsm.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2fa8c24b42f6542a290d85a9a3723e2a.exechrome.exe

description	pid	process	target process
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2928 wrote to memory of 2148	2928	2fa8c24b42f6542a290d85a9a3723e2a.exe	RegAsm.exe
PID 2684 wrote to memory of 2448	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2448	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2448	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2492	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2180	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2180	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 2180	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1936	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1936	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1936	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1936	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1936	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1936	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1936	2684	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\2fa8c24b42f6542a290d85a9a3723e2a.exe
"C:\Users\Admin\AppData\Local\Temp\2fa8c24b42f6542a290d85a9a3723e2a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5b99758,0x7fef5b99768,0x7fef5b99778
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:2
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2024 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2032 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:1
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1312 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:2
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:1
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:8
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f457688,0x13f457698,0x13f4576a8
3⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:1
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3428 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:1
2⤵
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1048 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:1
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3656 --field-trial-handle=1288,i,18018469268325801900,9980164195062278912,131072 /prefetch:1
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
cd942831228da764aa321b3070222fa7

SHA1
d5abefc84648fc8f683e390ba162440beff59440

SHA256
4139befa9fbd0120e8ca6d3165d8a7dc192d507cacad384e9db74b4693d2e6f5

SHA512
b25809be195b75880341aef8b853278ac3763b99e652da5e63eea69e1d7fefb4787fb702bc11cd2206d70de13eb3eac017378d45e9fc40285ff472d33c861200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
465d7ed49c40a6dfd97cb989d6d9006f

SHA1
97161a2543473d5c67ac2570a3a1fb8b6240af0f

SHA256
1702189be6f9df465b976ddcf3347a23b833b03f71a27f97d0863d08e72f3a47

SHA512
afbfdc04d588476fa7c45fc8e02edebbc87989e4d0825277ea7fb9d4d171e6bff26a8129a7ffa48b142eb0dcd5ba937d7adc2ccd38dfd568ba5751da0bea87a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1ea53784cbe8448c00f892e79f3d351d

SHA1
d6969ee42c29d910a29f2823d604a6055ef0eb28

SHA256
97a2f8037b7bd6fa94fd4a93aa6470ffcfde3c6c4beef92be47cd7ccf9ea205c

SHA512
f88425580125cbd8f5d9e9a9b883e35ddc91cf8a906231ec3ffd3d82ad33fbba569cc1ff6b7d51dabe32816309a1fc50b2b6bea742f12c05c5476266f0652151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c8d37052ad75dac2c9b1a4650e9dc1a6

SHA1
c6f84aeb42178bdad3032d94269d81f730aa59e4

SHA256
b121ef32d386d4bc9e8fc685a0f5c5921991d4e702c81fbb16794df037247c91

SHA512
e5f426f6cbc85c08ac058c0b7cf703da2951e7e368d701fbd1a6eb9cf5ea97c3a7ec9d46b411e80659a86b2ae55ffa0f52da973782da34c97eda4f132ceaca75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
935fab71fd33c3c5b3b5d9479b0825d8

SHA1
21ee46a768837f517ffacab255153adeba6128ad

SHA256
a5a03f4fc3811387f8d0387b3f576344c78ac3c790e9cdde44ea5e767b685bb3

SHA512
b462059b62cf79ea9fcf09aa7e23b3928222d5d4e6e9a31acd524134dfdacba4d18eab65b73079a8f1791f1ca263373d490987f34e9c5f96ad64d6c7aad549d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9b7d94b573e5d7b1e13f005556777413

SHA1
3cff19a6b7088b0e212034476a6c5133ebd1243e

SHA256
6953103146d50da827a4246c62f325576f5e342509e8a8561dee5c4bbd7b4d84

SHA512
8656ff1e29f2bf4438948c7ce7249076a13aa64da3161352ecc7c9e6d300ee1930969eb92cb49d18a432d094482710facfb445a46211db600a5d00f785bc6587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
143d276d5c1329bde64e9a46b8e16571

SHA1
b15dcde0eaa599aa0010e86cb4a68040289b96ed

SHA256
50acb0bb29a95eee9cbd00345ac6da1c94d8df14cb2607bc1304c8f9f95201c8

SHA512
828a4e4f3fa853d72a59895972bddec2ac21049b8ec499e3671f345726f12ae5c366453a9517d9046f9c6bd5b209c0d4030f6b3ce79806479bd65f8b684ba79a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
29aae3e953a98005a5d077d813c640bc

SHA1
dc2bb7f28f8f75a11f091e8799f710ff8fb18728

SHA256
97cc2362a1da2cdb13353b5e9c5f438d8d4ceb6202dfc81c5528dbf56afbea01

SHA512
8a9c07e4c7174af70853ef6240729d8fad5d385b58f0ea60172c122f97b2f13b189f3c9df5ca433d6da09dd89e4b7e6fff929b177a5d391d4fd3e9031f10589c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
ca7cf6e98c9ce80937aa0b00738e3445

SHA1
ec28f9fb4091bba925e01cf4c5695febe0dab6f1

SHA256
ac5f3b1bfb22c2e3926eb6199b77eef0dc5bf7ba4cebbacfebf7244585a70e25

SHA512
d80d83f4d63b1a9fb1946c8bd915affa98a56e9b6d5b90226e8086932af219f0d03ae91ee9ac6a703551c0a186785af71123e75f969b9e7c9667f5cbc3a35006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0066a9fc69c7c142829bf450a0317e02

SHA1
8fb36dac131d13de813a042e6761047732168645

SHA256
4a8d6f65224bd3eb40ec942d52c9d2c2b79a2e1c42b9ca430d2484c98748203a

SHA512
444d80ffbc3850e709b36eb500f5809b6db2fdc1ef1d4d575c774807aa8fa6de605f6138f6db60ba10a7794226cb9d10d5f06b50c17c072d96d65127c773834b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
c797ded2b74fde26bd64404efaae09f7

SHA1
c61c35fdf79c5c46b9e6fd3b536dc64bc54633af

SHA256
a324b9e0d8ab4fb370944873313b6b1a7b501635a42e07918762f4d7d3da8f5d

SHA512
22c9aa86349c2711419f3ecfb9151aa11afc013dcb5573aadbae67d4df724165b19c7e41751e181e1ace9c97a5042c05cf67c330ec81a67c8c77a25245ede0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8a2b3262e4a1f8775246432aca021639

SHA1
eb7d4410289c96297c6938e1bb0e67f827188425

SHA256
6e433e30780158b757a7fc8f53797ae52049558dde447675155ff4cd16e9cf84

SHA512
3b1bf44867695a893e853054c145db4089de64a89338f261fa0ad932d22b894643eec2f7cd83a6d1ef3095bfdbd6c7e4cab47d3303ed60184fde8d81ee1582a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
87d6429249754576ba5d8c54331853fb

SHA1
9b6394c44a5a1b6d3bd6191d482c9c6b57056bbb

SHA256
716e993d45a930619b719d2e9e1d1ecf1d7c38d95dc15cc6b3613400709a43ca

SHA512
b18c1951c3a0fdeaabb558005303905cbfdbd869312df1468106625f00379c3d3e3e04ac923d63ca5bc920cb63d428bc6e37d8d90d44218c9387c4b365b66dd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
520B

MD5
c6e3744666607000933ea8b110f0e77a

SHA1
f2a4457448ab66dc45735f08092e028ef48593db

SHA256
2fd433eeb1b6f68230d7f7b4bfe8fe1cebc565fc39d957657030a9e99b8c798d

SHA512
5828c6c42a60fd0f50671b8005621f121387a90c07f5c448ba537633b0ede25d103bcb8a5c60365961ef8b96b80a934ebe9ca9e9d6ec363b785084e44931fcef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
6ea6ad549b8775f467554d6a1118c94c

SHA1
718acc9e1417126550cedccade9ebddb71df6c15

SHA256
35481ea6a78ae164608a64f96c932ba3e48589699eec2f71f593acfaf7bc36ea

SHA512
4d292fbec9c4a24c580823e745290bbde3588642a504293979e076960595a95071559a83090573ece99d5250cff0dbef7f5c1fa045754568ed7847e08a9b44c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
3d1f40143fffd6910efab6a3134fb96a

SHA1
97256350afd7aa27b2f4ec8f705cf92fa8aa0f1f

SHA256
5041b9a18a9ba269caf874eeb46a965193e50f59cdf00bed487466f9e0c85f0f

SHA512
6e20fbc0f4efee7a83634fc4a5b530d32596218cf3d671ff1272d024e6f93b80ed868dc5972704062d8e75a1c01f76312094eade28da5f862869a395720592a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
9419e9c8f781e455b16f5a264739028f

SHA1
24f12e9b1695820f2c18dfdf0312466dc7b820a9

SHA256
da3f5de3288e4d82cc343237e48d2b8c4385aca89f7b2552b6114b934c0226e7

SHA512
775992b484c2f4a91382b5dc274299f99b60023e964d596072c0f872e03449de005d959bc1a402f50af742ce4b45a9e5cac4665e85577c6151a6fb9d3f28af0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
46a4a6e105417a7127330eca55dd83ed

SHA1
6e5c00b3391643516c15e90b758acefaef5db02e

SHA256
4fb660929503302da4f949e49ed05109b78b7e8d0036bed89555ff376b60b190

SHA512
a9b8d0070fe561325e88be7aeadd80124812fca7e38cd099535fd70905422ef73aff92282fc4b1bb809cdf25fe9c85d96c54e727f02911bd855af1bed4dab3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5864.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\??\pipe\crashpad_2684_EWJKWYSRMMHJCGVW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2148-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-21-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/2148-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2148-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2928-6-0x0000000002540000-0x0000000004540000-memory.dmp

Filesize
32.0MB

Download
memory/2928-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2928-1-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-18-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-0-0x00000000010E0000-0x0000000001134000-memory.dmp

Filesize
336KB

Download