zgrat | 5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f

General

Target

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Size

2.0MB
MD5

9026338fce277581062754cab87462e7
SHA1

191b8d92c18b84fdef03f691583d8b89598cb7da
SHA256

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f
SHA512

8be58979eec71fe69408aa621e756d76b58db496da456dad533fb88ad800ecf8d8e5933baedda4742c1dc4e5095f8fe7c3071f0339b056f54a378adb08908fca
SSDEEP

24576:aSLLyDf1/7HnFZnA83kJTwJiYYfbeQYPXI3IDyVZqVhTEmkz3UzKzMlJ6wwLI:aSXM/dUJ8SDeQYvI3IGmhTZYlwlJJM

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1956-0-0x0000000000E70000-0x0000000001072000-memory.dmp	family_zgrat_v1
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe	family_zgrat_v1
behavioral1/memory/2304-125-0x0000000000880000-0x0000000000A82000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\lsass.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\lsass.exe\", \"C:\\Windows\\inf\\.NET Memory Cache 4.0\\0009\\Idle.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\", \"C:\\Users\\All Users\\lsass.exe\", \"C:\\Windows\\inf\\.NET Memory Cache 4.0\\0009\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Idle.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2532	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2532	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

Idle.exe

pid process

2304 Idle.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2304	Idle.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\lsass.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Idle.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\Idle.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\inf\\.NET Memory Cache 4.0\\0009\\Idle.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\inf\\.NET Memory Cache 4.0\\0009\\Idle.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\smss.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\lsass.exe\""	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ipinfo.io
5 ipinfo.io
14 ipinfo.io
15 ipinfo.io

flow	ioc
4	ipinfo.io
5	ipinfo.io
14	ipinfo.io
15	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC497ABEC6F004B9383C5BDFAC5CD0C1.TMP	csc.exe
File created	\??\c:\Windows\System32\ickr0a.exe	csc.exe

Drops file in Windows directory 2 IoCs

Processes:

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

description	ioc	process
File created	C:\Windows\inf\.NET Memory Cache 4.0\0009\Idle.exe	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
File created	C:\Windows\inf\.NET Memory Cache 4.0\0009\6ccacd8608530f	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2720	schtasks.exe
3024	schtasks.exe
2648	schtasks.exe
2376	schtasks.exe
2288	schtasks.exe
2316	schtasks.exe
2164	schtasks.exe
2840	schtasks.exe
1888	schtasks.exe
1840	schtasks.exe
1864	schtasks.exe
2436	schtasks.exe
2884	schtasks.exe
1836	schtasks.exe
1008	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1664 PING.EXE

pid	process
1664	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

pid	process
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeIdle.exe

description	pid	process
Token: SeDebugPrivilege	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2304	Idle.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.execsc.execmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 2444	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	csc.exe
PID 1956 wrote to memory of 2444	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	csc.exe
PID 1956 wrote to memory of 2444	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	csc.exe
PID 2444 wrote to memory of 2432	2444	csc.exe	cvtres.exe
PID 2444 wrote to memory of 2432	2444	csc.exe	cvtres.exe
PID 2444 wrote to memory of 2432	2444	csc.exe	cvtres.exe
PID 1956 wrote to memory of 2864	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2864	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2864	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2696	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2696	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2696	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2676	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2676	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2676	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2856	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2856	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2856	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 3056	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 3056	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 3056	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	powershell.exe
PID 1956 wrote to memory of 2064	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	cmd.exe
PID 1956 wrote to memory of 2064	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	cmd.exe
PID 1956 wrote to memory of 2064	1956	5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe	cmd.exe
PID 2064 wrote to memory of 2068	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 2068	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 2068	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 1664	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 1664	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 1664	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2304	2064	cmd.exe	Idle.exe
PID 2064 wrote to memory of 2304	2064	cmd.exe	Idle.exe
PID 2064 wrote to memory of 2304	2064	cmd.exe	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe
"C:\Users\Admin\AppData\Local\Temp\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wk0dhgrw\wk0dhgrw.cmdline"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1813.tmp" "c:\Windows\System32\CSC497ABEC6F004B9383C5BDFAC5CD0C1.TMP"
3⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\.NET Memory Cache 4.0\0009\Idle.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UnK6vck4LI.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2068

C:\Windows\system32\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:1664

C:\Windows\inf\.NET Memory Cache 4.0\0009\Idle.exe
"C:\Windows\inf\.NET Memory Cache 4.0\0009\Idle.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f5" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f5" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\.NET Memory Cache 4.0\0009\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\inf\.NET Memory Cache 4.0\0009\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\.NET Memory Cache 4.0\0009\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe
Filesize
2.0MB

MD5
9026338fce277581062754cab87462e7

SHA1
191b8d92c18b84fdef03f691583d8b89598cb7da

SHA256
5565710131f195b46fb7c0b124d16df72ec5e0aafdd22590eaff7885aead636f

SHA512
8be58979eec71fe69408aa621e756d76b58db496da456dad533fb88ad800ecf8d8e5933baedda4742c1dc4e5095f8fe7c3071f0339b056f54a378adb08908fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1813.tmp
Filesize
1KB

MD5
9cb54685a8658e64ce2d7bc8f79940a0

SHA1
e426cdece6dfd7afc3e4d4579c5502d0124b7cfe

SHA256
cbcdf0872e5638dc4bbd65d6ad78c3efba0e8faff9854770b36b82bf9bf3c60e

SHA512
9f8d5c6ca44ef355b823b9c0bd83bb25ebd35032659ac8ac5d73f98f7d035f164cc3b9e77036b398121255d0c72009e9c7f55766c7e73ded83ea7aa07e4fcbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnK6vck4LI.bat
Filesize
178B

MD5
e661648df1c373329660874322a1ad69

SHA1
c493292ad153eb64bf3f6ed4fed22ffd00056d4b

SHA256
4e14c1d3880bb514219eefd0f1244c43921fa04c6b4989ecf30426bf69993a69

SHA512
40d1ba3e4a78a86ec98ea8e169761f78e7dcc4dfd5c14407933ff533a77eee03b73470400ef1fe03e4ac16ca1906940df14c217501a6fe9a59777938a0ce2cbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5d649c1a228494761f0d93f731d88526

SHA1
a7d5f9bc846048aada2c834fb1a8ed95e5a96691

SHA256
e25fe03bd3a753cd3533d8767027e881c7a9765ea473e3dabb8d230b0d96b606

SHA512
8fb42910a7101a0d49ed06c677210046970657ae84ff1cc12cfa26f7d3d0dab242f1b26d2b4302c5b63356dd855d41c23dcd25ba2e54d25d8b2da104bb7c5ae7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wk0dhgrw\wk0dhgrw.0.cs
Filesize
468B

MD5
5d2e4ed4a4c2aa149a5adb8d128228ff

SHA1
1b2259db88dc625db61480e47cead6ea995a0eb0

SHA256
ec0645d6438be2b23b166b5f6f1b2bcf9bb415c654d9ae320b98725d28cb07fa

SHA512
a645091f4f68fa1bd922b4131ea45355b3397c591e30b29e097cc8211479f822b4a55f31afa717088c45edfe083b3e7cbad35217718ae06471d1452feb822fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wk0dhgrw\wk0dhgrw.cmdline
Filesize
235B

MD5
43945e05ec049459678e9ca64ea71c43

SHA1
62d92d8d834972495831320931468aea7633c1d6

SHA256
8cf21638177184e102921489fa1186d46890b18850f5177d823ea9760dc8032c

SHA512
5b6ef9369f145c48d011b7f7f7aee14d5218e77833f55f7ea33fa102889f78a376077e4ddfc5ac30adc9d4a317251f43b5abba94a547154b4fd6242c4f759707

Download Submit
\??\c:\Windows\System32\CSC497ABEC6F004B9383C5BDFAC5CD0C1.TMP
Filesize
1KB

MD5
3ffa0b85adc175bc535d5b61b093b6a5

SHA1
7fa7715f9f18aa1d9edc45935ca867602fa37894

SHA256
f05ea17245f2e54aa3b2a0a8ede3f86af5fb4e4f0cf0a6aa69c4e95103304d46

SHA512
d1034200ad1232d7e36d3d867e701357c9eb8e8ad063743deceb563b24eb099e6ea660e38099cf161c12c97fe11cf6b044a31846949d63d4a121f1692c9e6fde

Download Submit
memory/1956-60-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/1956-91-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-12-0x00000000770D0000-0x00000000770D1000-memory.dmp

Filesize
4KB

Download
memory/1956-13-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/1956-14-0x00000000770C0000-0x00000000770C1000-memory.dmp

Filesize
4KB

Download
memory/1956-16-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/1956-18-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1956-20-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/1956-21-0x00000000770B0000-0x00000000770B1000-memory.dmp

Filesize
4KB

Download
memory/1956-22-0x00000000770A0000-0x00000000770A1000-memory.dmp

Filesize
4KB

Download
memory/1956-1-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-25-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/1956-27-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/1956-28-0x0000000077080000-0x0000000077081000-memory.dmp

Filesize
4KB

Download
memory/1956-30-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/1956-31-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Filesize
9.9MB

Download
memory/1956-35-0x0000000077070000-0x0000000077071000-memory.dmp

Filesize
4KB

Download
memory/1956-36-0x0000000077060000-0x0000000077061000-memory.dmp

Filesize
4KB

Download
memory/1956-34-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1956-32-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/1956-9-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/1956-7-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/1956-6-0x00000000770F0000-0x00000000770F1000-memory.dmp

Filesize
4KB

Download
memory/1956-5-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1956-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1956-59-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/1956-0-0x0000000000E70000-0x0000000001072000-memory.dmp

Filesize
2.0MB

Download
memory/1956-2-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/1956-23-0x0000000077090000-0x0000000077091000-memory.dmp

Filesize
4KB

Download
memory/1956-11-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/2304-125-0x0000000000880000-0x0000000000A82000-memory.dmp

Filesize
2.0MB

Download
memory/2304-126-0x000007FEF4E30000-0x000007FEF581C000-memory.dmp

Filesize
9.9MB

Download
memory/2676-111-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2676-112-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2676-120-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2676-121-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2676-115-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2676-116-0x0000000002E20000-0x0000000002EA0000-memory.dmp

Filesize
512KB

Download
memory/2676-113-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-110-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-109-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/2696-85-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2696-96-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-118-0x0000000002BDB000-0x0000000002C42000-memory.dmp

Filesize
412KB

Download
memory/2696-97-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/2696-98-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2696-100-0x0000000002BD0000-0x0000000002C50000-memory.dmp

Filesize
512KB

Download
memory/2856-108-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2856-105-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2856-86-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2856-104-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-119-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2856-106-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2856-122-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-107-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2864-95-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-114-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-93-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download
memory/2864-117-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/2864-94-0x0000000002E30000-0x0000000002EB0000-memory.dmp

Filesize
512KB

Download
memory/3056-101-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/3056-99-0x0000000002264000-0x0000000002267000-memory.dmp

Filesize
12KB

Download
memory/3056-103-0x000000000226B000-0x00000000022D2000-memory.dmp

Filesize
412KB

Download
memory/3056-102-0x000007FEED990000-0x000007FEEE32D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads