zgrat | 2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790

General

Target

75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
Size

2.0MB
MD5

75da1def0cb2b50f387441c2ebed4120
SHA1

7eca930b9afe2bf57ab9a3e546cc9969d4e5dce7
SHA256

2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790
SHA512

adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1
SSDEEP

49152:3XVUwwcIuRR61tCoC6Kof/qLvwATSUhlTovO5rb:3XVUwDjR6+oNwo05cO5

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2156-1-0x0000000001240000-0x0000000001448000-memory.dmp	family_zgrat_v1
C:\Program Files\Windows Media Player\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe	family_zgrat_v1
behavioral1/memory/2108-44-0x00000000013B0000-0x00000000015B8000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1148	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

2108 winlogon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2108	winlogon.exe

Drops file in Program Files directory 4 IoCs

Processes:

75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
File created	C:\Program Files\Windows Media Player\9ffdad6968ff62	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\services.exe	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\c5b4cb5e9653cc	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

Processes:

75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

description ioc process

File created C:\Windows\servicing\it-IT\Idle.exe 75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\servicing\it-IT\Idle.exe	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2320	schtasks.exe
2740	schtasks.exe
2516	schtasks.exe
2588	schtasks.exe
376	schtasks.exe
1988	schtasks.exe
1868	schtasks.exe
1660	schtasks.exe
1196	schtasks.exe
2692	schtasks.exe
2568	schtasks.exe
2964	schtasks.exe
1676	schtasks.exe
1608	schtasks.exe
2708	schtasks.exe
2404	schtasks.exe
2444	schtasks.exe
2436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

pid	process
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winlogon.exe

pid process

2108 winlogon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 2156 75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
Token: SeDebugPrivilege 2108 winlogon.exe

pid	process
2108	winlogon.exe

description	pid	process
Token: SeDebugPrivilege	2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
Token: SeDebugPrivilege	2108	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2156 wrote to memory of 2344	2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe	cmd.exe
PID 2156 wrote to memory of 2344	2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe	cmd.exe
PID 2156 wrote to memory of 2344	2156	75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe	cmd.exe
PID 2344 wrote to memory of 2812	2344	cmd.exe	chcp.com
PID 2344 wrote to memory of 2812	2344	cmd.exe	chcp.com
PID 2344 wrote to memory of 2812	2344	cmd.exe	chcp.com
PID 2344 wrote to memory of 2612	2344	cmd.exe	w32tm.exe
PID 2344 wrote to memory of 2612	2344	cmd.exe	w32tm.exe
PID 2344 wrote to memory of 2612	2344	cmd.exe	w32tm.exe
PID 2344 wrote to memory of 2108	2344	cmd.exe	winlogon.exe
PID 2344 wrote to memory of 2108	2344	cmd.exe	winlogon.exe
PID 2344 wrote to memory of 2108	2344	cmd.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9H7gRGj1k4.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2812
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2612
- - C:\Users\Public\Recorded TV\Sample Media\winlogon.exe
    "C:\Users\Public\Recorded TV\Sample Media\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

Filesize
2.0MB

MD5
75da1def0cb2b50f387441c2ebed4120

SHA1
7eca930b9afe2bf57ab9a3e546cc9969d4e5dce7

SHA256
2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790

SHA512
adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9H7gRGj1k4.bat

Filesize
229B

MD5
21672275dbe6c5cfff4f7067f2f0dc0f

SHA1
1ae7aac10a593ad100127d8cf2396d9fe16fe586

SHA256
89e05521430e197c448160271ec0c5312f539e8885f1aa099d79a6b4d73737e0

SHA512
282d0a604d7d67adae842c5320a3d5664e1d9ffa98d266af6f1b77185285995438741f571a23480e8caaff201ad1867dfe67e81dd6974445c7d82d7c988eadaa

Download Submit
memory/2108-44-0x00000000013B0000-0x00000000015B8000-memory.dmp

Filesize
2.0MB

Download
memory/2156-13-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-19-0x0000000000C60000-0x0000000000C78000-memory.dmp

Filesize
96KB

Download
memory/2156-6-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2156-8-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2156-12-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-11-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2156-9-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/2156-15-0x0000000000C40000-0x0000000000C58000-memory.dmp

Filesize
96KB

Download
memory/2156-4-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-17-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/2156-21-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2156-22-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-3-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-34-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-35-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-40-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2156-1-0x0000000001240000-0x0000000001448000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads