zgrat | 114ad98c82f045d81f4b456900e650ea316e7dda7a1d8c5396e585488986d6fe

Analysis

max time kernel
39s
max time network
20s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12/05/2024, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PatchGadar.exe
Size

293KB
MD5

edcfedc1c217b5907f6b69272e5ca98f
SHA1

e4bb7f3226e809c7ad1e12193ee26048cfc58790
SHA256

114ad98c82f045d81f4b456900e650ea316e7dda7a1d8c5396e585488986d6fe
SHA512

c1a9d970e7690f60eb1ad0ea85a57c942b31006db8dbbfcc46e1d0e1036ee2957f67ce205eba93b426d78dd6eb8bcf23fb713b3442ae1ab91f59a24ed6e4e626
SSDEEP

3072:e3MK0Jc5YQoIpwg9iO2OaiS40eBwYG3zRrYp2OplMGc8A6uHPMG7CUqkZFI0CADL:u2c5YQoI2gzai9kjJkhpuJvYuH

Score

10^/10

zgrat evasion rat

Malware Config

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2428-1-0x00000000004D0000-0x0000000000520000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies Windows Firewall 2 TTPs 63 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2328	netsh.exe
4456	netsh.exe
776	netsh.exe
2852	netsh.exe
4004	netsh.exe
3100	netsh.exe
1064	netsh.exe
3476	netsh.exe
1540	netsh.exe
752	netsh.exe
3928	netsh.exe
4944	netsh.exe
4836	netsh.exe
3992	netsh.exe
3088	netsh.exe
4120	netsh.exe
4116	netsh.exe
2580	netsh.exe
3584	netsh.exe
4992	netsh.exe
1940	netsh.exe
5024	netsh.exe
4120	netsh.exe
2344	netsh.exe
4888	netsh.exe
4380	netsh.exe
500	netsh.exe
2824	netsh.exe
4292	netsh.exe
1180	netsh.exe
3644	netsh.exe
4964	netsh.exe
1356	netsh.exe
2152	netsh.exe
2392	netsh.exe
4464	netsh.exe
5032	netsh.exe
1732	netsh.exe
2236	netsh.exe
4204	netsh.exe
4840	netsh.exe
4380	netsh.exe
4576	netsh.exe
2432	netsh.exe
2388	netsh.exe
3264	netsh.exe
428	netsh.exe
4584	netsh.exe
3264	netsh.exe
4392	netsh.exe
5116	netsh.exe
2144	netsh.exe
1240	netsh.exe
484	netsh.exe
4916	netsh.exe
656	netsh.exe
4564	netsh.exe
1928	netsh.exe
4952	netsh.exe
864	netsh.exe
1552	netsh.exe
4536	netsh.exe
3520	netsh.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2428-1-0x00000000004D0000-0x0000000000520000-memory.dmp	net_reactor

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	PatchGadar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 3520	2428	PatchGadar.exe	75
PID 2428 wrote to memory of 3520	2428	PatchGadar.exe	75
PID 2428 wrote to memory of 3520	2428	PatchGadar.exe	75
PID 2428 wrote to memory of 3264	2428	PatchGadar.exe	77
PID 2428 wrote to memory of 3264	2428	PatchGadar.exe	77
PID 2428 wrote to memory of 3264	2428	PatchGadar.exe	77
PID 2428 wrote to memory of 2344	2428	PatchGadar.exe	79
PID 2428 wrote to memory of 2344	2428	PatchGadar.exe	79
PID 2428 wrote to memory of 2344	2428	PatchGadar.exe	79
PID 2428 wrote to memory of 4992	2428	PatchGadar.exe	81
PID 2428 wrote to memory of 4992	2428	PatchGadar.exe	81
PID 2428 wrote to memory of 4992	2428	PatchGadar.exe	81
PID 2428 wrote to memory of 4380	2428	PatchGadar.exe	83
PID 2428 wrote to memory of 4380	2428	PatchGadar.exe	83
PID 2428 wrote to memory of 4380	2428	PatchGadar.exe	83
PID 2428 wrote to memory of 4464	2428	PatchGadar.exe	85
PID 2428 wrote to memory of 4464	2428	PatchGadar.exe	85
PID 2428 wrote to memory of 4464	2428	PatchGadar.exe	85
PID 2428 wrote to memory of 4840	2428	PatchGadar.exe	87
PID 2428 wrote to memory of 4840	2428	PatchGadar.exe	87
PID 2428 wrote to memory of 4840	2428	PatchGadar.exe	87
PID 2428 wrote to memory of 1928	2428	PatchGadar.exe	89
PID 2428 wrote to memory of 1928	2428	PatchGadar.exe	89
PID 2428 wrote to memory of 1928	2428	PatchGadar.exe	89
PID 2428 wrote to memory of 1940	2428	PatchGadar.exe	91
PID 2428 wrote to memory of 1940	2428	PatchGadar.exe	91
PID 2428 wrote to memory of 1940	2428	PatchGadar.exe	91
PID 2428 wrote to memory of 1240	2428	PatchGadar.exe	93
PID 2428 wrote to memory of 1240	2428	PatchGadar.exe	93
PID 2428 wrote to memory of 1240	2428	PatchGadar.exe	93
PID 2428 wrote to memory of 2144	2428	PatchGadar.exe	95
PID 2428 wrote to memory of 2144	2428	PatchGadar.exe	95
PID 2428 wrote to memory of 2144	2428	PatchGadar.exe	95
PID 2428 wrote to memory of 3088	2428	PatchGadar.exe	97
PID 2428 wrote to memory of 3088	2428	PatchGadar.exe	97
PID 2428 wrote to memory of 3088	2428	PatchGadar.exe	97
PID 2428 wrote to memory of 5032	2428	PatchGadar.exe	99
PID 2428 wrote to memory of 5032	2428	PatchGadar.exe	99
PID 2428 wrote to memory of 5032	2428	PatchGadar.exe	99
PID 2428 wrote to memory of 3644	2428	PatchGadar.exe	101
PID 2428 wrote to memory of 3644	2428	PatchGadar.exe	101
PID 2428 wrote to memory of 3644	2428	PatchGadar.exe	101
PID 2428 wrote to memory of 428	2428	PatchGadar.exe	103
PID 2428 wrote to memory of 428	2428	PatchGadar.exe	103
PID 2428 wrote to memory of 428	2428	PatchGadar.exe	103
PID 2428 wrote to memory of 4292	2428	PatchGadar.exe	105
PID 2428 wrote to memory of 4292	2428	PatchGadar.exe	105
PID 2428 wrote to memory of 4292	2428	PatchGadar.exe	105
PID 2428 wrote to memory of 484	2428	PatchGadar.exe	107
PID 2428 wrote to memory of 484	2428	PatchGadar.exe	107
PID 2428 wrote to memory of 484	2428	PatchGadar.exe	107
PID 2428 wrote to memory of 4004	2428	PatchGadar.exe	109
PID 2428 wrote to memory of 4004	2428	PatchGadar.exe	109
PID 2428 wrote to memory of 4004	2428	PatchGadar.exe	109
PID 2428 wrote to memory of 4120	2428	PatchGadar.exe	111
PID 2428 wrote to memory of 4120	2428	PatchGadar.exe	111
PID 2428 wrote to memory of 4120	2428	PatchGadar.exe	111
PID 2428 wrote to memory of 1732	2428	PatchGadar.exe	113
PID 2428 wrote to memory of 1732	2428	PatchGadar.exe	113
PID 2428 wrote to memory of 1732	2428	PatchGadar.exe	113
PID 2428 wrote to memory of 5024	2428	PatchGadar.exe	115
PID 2428 wrote to memory of 5024	2428	PatchGadar.exe	115
PID 2428 wrote to memory of 5024	2428	PatchGadar.exe	115
PID 2428 wrote to memory of 4116	2428	PatchGadar.exe	117

C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe
"C:\Users\Admin\AppData\Local\Temp\PatchGadar.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 107.186.1.15" dir=out action=block remoteip=107.186.1.15
  2⤵
  - Modifies Windows Firewall
  PID:3520
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 107.186.10.31" dir=out action=block remoteip=107.186.10.31
  2⤵
  - Modifies Windows Firewall
  PID:3264
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 107.186.31.222" dir=out action=block remoteip=107.186.31.222
  2⤵
  - Modifies Windows Firewall
  PID:2344
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 23.226.21.91" dir=out action=block remoteip=23.226.21.91
  2⤵
  - Modifies Windows Firewall
  PID:4992
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.2.120" dir=out action=block remoteip=104.26.2.120
  2⤵
  - Modifies Windows Firewall
  PID:4380
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.3.120" dir=out action=block remoteip=104.26.3.120
  2⤵
  - Modifies Windows Firewall
  PID:4464
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.75.3" dir=out action=block remoteip=172.67.75.3
  2⤵
  - Modifies Windows Firewall
  PID:4840
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.192.231" dir=out action=block remoteip=172.67.192.231
  2⤵
  - Modifies Windows Firewall
  PID:1928
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.21.20.129" dir=out action=block remoteip=104.21.20.129
  2⤵
  - Modifies Windows Firewall
  PID:1940
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
  2⤵
  - Modifies Windows Firewall
  PID:1240
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
  2⤵
  - Modifies Windows Firewall
  PID:2144
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
  2⤵
  - Modifies Windows Firewall
  PID:3088
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 191.101.51.84" dir=out action=block remoteip=191.101.51.84
  2⤵
  - Modifies Windows Firewall
  PID:5032
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
  2⤵
  - Modifies Windows Firewall
  PID:3644
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
  2⤵
  - Modifies Windows Firewall
  PID:428
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
  2⤵
  - Modifies Windows Firewall
  PID:4292
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 107.186.1.15" dir=out action=block remoteip=107.186.1.15
  2⤵
  - Modifies Windows Firewall
  PID:484
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 107.186.10.31" dir=out action=block remoteip=107.186.10.31
  2⤵
  - Modifies Windows Firewall
  PID:4004
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 107.186.31.222" dir=out action=block remoteip=107.186.31.222
  2⤵
  - Modifies Windows Firewall
  PID:4120
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 138.201.80.108" dir=out action=block remoteip=138.201.80.108
  2⤵
  - Modifies Windows Firewall
  PID:1732
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.0.11" dir=out action=block remoteip=104.26.0.11
  2⤵
  - Modifies Windows Firewall
  PID:5024
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.1.11" dir=out action=block remoteip=104.26.1.11
  2⤵
  - Modifies Windows Firewall
  PID:4116
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 23.226.21.91" dir=out action=block remoteip=23.226.21.91
  2⤵
  - Modifies Windows Firewall
  PID:1064
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.2.120" dir=out action=block remoteip=104.26.2.120
  2⤵
  - Modifies Windows Firewall
  PID:2852
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.3.120" dir=out action=block remoteip=104.26.3.120
  2⤵
  - Modifies Windows Firewall
  PID:2580
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.72.29" dir=out action=block remoteip=172.67.72.29
  2⤵
  - Modifies Windows Firewall
  PID:3992
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.75.3" dir=out action=block remoteip=172.67.75.3
  2⤵
  - Modifies Windows Firewall
  PID:4584
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.192.231" dir=out action=block remoteip=172.67.192.231
  2⤵
  - Modifies Windows Firewall
  PID:752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
    3⤵
    - Modifies Windows Firewall
    PID:3476
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.21.20.129" dir=out action=block remoteip=104.21.20.129
  2⤵
  - Modifies Windows Firewall
  PID:1552
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
  2⤵
  - Modifies Windows Firewall
  PID:4576
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
  2⤵
  - Modifies Windows Firewall
  PID:3928
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
  2⤵
  - Modifies Windows Firewall
  PID:3264
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 191.101.51.84" dir=out action=block remoteip=191.101.51.84
  2⤵
  - Modifies Windows Firewall
  PID:4916
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.42.134" dir=out action=block remoteip=104.22.42.134
  2⤵
  - Modifies Windows Firewall
  PID:4964
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.37.86" dir=out action=block remoteip=172.67.37.86
  2⤵
  - Modifies Windows Firewall
  PID:1180
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.22.43.134" dir=out action=block remoteip=104.22.43.134
  2⤵
  - Modifies Windows Firewall
  PID:1540
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 138.201.80.108" dir=out action=block remoteip=138.201.80.108
  2⤵
  - Modifies Windows Firewall
  PID:776
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.0.11" dir=out action=block remoteip=104.26.0.11
  2⤵
  - Modifies Windows Firewall
  PID:3584
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 104.26.1.11" dir=out action=block remoteip=104.26.1.11
  2⤵
  - Modifies Windows Firewall
  PID:2328
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall add rule name="BlockIP 172.67.72.29" dir=out action=block remoteip=172.67.72.29
  2⤵
  - Modifies Windows Firewall
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
  2⤵
  PID:696
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="BlockPort29842" dir=out action=block protocol=TCP remoteport=29842
    3⤵
    - Modifies Windows Firewall
    PID:656
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 107.186.1.15"
  2⤵
  - Modifies Windows Firewall
  PID:4944
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 107.186.10.31"
  2⤵
  - Modifies Windows Firewall
  PID:4536
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 107.186.31.222"
  2⤵
  - Modifies Windows Firewall
  PID:2824
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 23.226.21.91"
  2⤵
  - Modifies Windows Firewall
  PID:2152
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.26.2.120"
  2⤵
  - Modifies Windows Firewall
  PID:2236
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.26.3.120"
  2⤵
  - Modifies Windows Firewall
  PID:4204
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 172.67.75.3"
  2⤵
  - Modifies Windows Firewall
  PID:4564
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 172.67.192.231"
  2⤵
  - Modifies Windows Firewall
  PID:4392
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.21.20.129"
  2⤵
  - Modifies Windows Firewall
  PID:4456
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.22.43.134"
  2⤵
  - Modifies Windows Firewall
  PID:5116
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 172.67.37.86"
  2⤵
  - Modifies Windows Firewall
  PID:4952
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.22.42.134"
  2⤵
  - Modifies Windows Firewall
  PID:4888
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 191.101.51.84"
  2⤵
  - Modifies Windows Firewall
  PID:4120
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.22.42.134"
  2⤵
  - Modifies Windows Firewall
  PID:2432
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 172.67.37.86"
  2⤵
  - Modifies Windows Firewall
  PID:4836
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.22.43.134"
  2⤵
  - Modifies Windows Firewall
  PID:4380
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 138.201.80.108"
  2⤵
  - Modifies Windows Firewall
  PID:2392
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.26.0.11"
  2⤵
  - Modifies Windows Firewall
  PID:500
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 104.26.1.11"
  2⤵
  - Modifies Windows Firewall
  PID:3100
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall delete rule name="BlockIP 172.67.72.29"
  2⤵
  - Modifies Windows Firewall
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C netsh advfirewall firewall delete rule name="BlockPort29842"
  2⤵
  PID:4648
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="BlockPort29842"
    3⤵
    - Modifies Windows Firewall
    PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-0-0x00000000735AE000-0x00000000735AF000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x00000000004D0000-0x0000000000520000-memory.dmp

Filesize
320KB

Download
memory/2428-2-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-3-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/2428-4-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/2428-5-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/2428-6-0x00000000735AE000-0x00000000735AF000-memory.dmp

Filesize
4KB

Download
memory/2428-7-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-9-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads