Malware Analysis Report

2024-10-18 21:25

Sample ID 231224-zc1bxschb3
Target 113f59d0bd4384226e40c17bf899935d
SHA256 b77f7c59b071608e552cf6ccae6f9e0e3f6790d83ec7d163713b0eedc6eccf25
Tags
a310logger stormkitty zgrat collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b77f7c59b071608e552cf6ccae6f9e0e3f6790d83ec7d163713b0eedc6eccf25

Threat Level: Known bad

The file 113f59d0bd4384226e40c17bf899935d was found to be: Known bad.

Observed chain (same in both detonations): the sample starts a second copy of itself and writes into it; that copy starts C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe with no command-line arguments and writes into it (three instances per run); the InstallUtil.exe instances in turn write into the dropped C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe, which requests SeDebugPrivilege. Together with the SetThreadContext signature this is the process-hollowing pattern: InstallUtil.exe is only a Microsoft-signed host, and the activity attributed to it below (Outlook profile key reads, the browser and messenger data signatures, the CPU Identifier reads) belongs to the injected stealer. The icanhazip.com and api.mylnikov.org traffic is the stealer's external-IP and geolocation lookup. The apps.identrust.com connection and the CryptnetUrlCache files under AppData\LocalLow are CryptoAPI certificate-chain retrieval triggered by the run, and www.microsoft.com was only resolved (no connection followed); neither belongs in a blocklist derived from this report.

Malicious Activity Summary

a310logger stormkitty zgrat collection rat spyware stealer

ZGRat

StormKitty

StormKitty payload

Detect ZGRat V1

A310logger

A310logger Executable

Reads local data of messenger clients

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up geolocation information via web service

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-24 20:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-24 20:35

Reported

2023-12-25 16:06

Platform

win7-20231129-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

Signatures

A310logger

stealer spyware a310logger

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
(7 matches, no indicator details recorded)

ZGRat

rat zgrat

A310logger Executable

Description Indicator Process Target
(8 matches, no indicator details recorded)

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened (2 events) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened (2 events) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened (2 events) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook's per-account settings, including stored mail-server credentials. The three paths are the Outlook 2016/365 (16.0), Outlook 2013 (15.0) and legacy Windows Messaging Subsystem locations, which is why stealers probe all of them. Opened from an InstallUtil.exe instance, which has no legitimate reason to read them, these are credential-collection reads by the injected payload.

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened (2 events) \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried (2 events) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2376 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe
PID 2376 wrote to memory of 2840 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2840 wrote to memory of 644 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2376 wrote to memory of 1644 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 1644 wrote to memory of 1084 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2376 wrote to memory of 1612 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
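Added example (editor's code, not part of the sandbox report): a Python script that collapses WriteProcessMemory rows of the shape above into a writer-to-target graph and classifies each edge with the three rules the chain summary relies on: a process writing into a re-launched copy of itself, a non-Windows process writing into a .NET Framework utility that was started with no arguments, and a write into an executable dropped under the user profile. The input rows and command lines are constructed from this report; the list of .NET host binaries is the editor's assumption.

```python
import re
from collections import Counter

# Constructed input: rows from the behavioral1 WriteProcessMemory table above,
# one line per distinct (writer, target) pair plus one repeat to exercise counting.
WRITE_ROWS = r"""
PID 3040 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe
PID 3040 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe
PID 2376 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 2840 wrote to memory of 644 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2376 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
"""

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

# Command lines as listed in the Processes section: every image runs with no arguments.
CMDLINES = {SAMPLE: f'"{SAMPLE}"', HOST: f'"{HOST}"', DROPPED: f'"{DROPPED}"'}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# .NET Framework utilities routinely used as hollowing hosts (editor's list, an assumption).
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "applaunch.exe"}


def parse_rows(text):
    """Collapse the table into Counter[(writer_pid, target_pid, writer_image, target_image)] = events."""
    edges = Counter()
    for wpid, tpid, wimg, timg in ROW_RE.findall(text):
        edges[(int(wpid), int(tpid), wimg, timg)] += 1
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(image, cmdlines):
    """True if anything follows the quoted image path on the command line."""
    cmd = cmdlines.get(image, "")
    return bool(cmd.replace(f'"{image}"', "", 1).strip())


def classify(edges, cmdlines):
    """Label every writer->target edge; the labels are the hollowing heuristics, not ground truth."""
    findings = []
    for (wpid, tpid, wimg, timg), events in sorted(edges.items()):
        if wimg.lower() == timg.lower():
            kind = "self-injection: parent writes into a re-launched copy of itself"
        elif (basename(timg) in DOTNET_HOSTS
              and not has_arguments(timg, cmdlines)
              and not wimg.lower().startswith("c:\\windows\\")):
            kind = "hollowing: non-Windows writer into an argument-less .NET host"
        elif "\\appdata\\" in timg.lower():
            kind = "write into dropped executable under the user profile"
        else:
            kind = "unclassified cross-process write"
        findings.append({"writer": wpid, "target": tpid, "target_image": basename(timg),
                         "events": events, "kind": kind})
    return findings


def chains(edges):
    """Root-to-leaf PID paths along writer->target edges; a root is a PID nobody wrote into."""
    children, targets = {}, set()
    for wpid, tpid, _, _ in edges:
        children.setdefault(wpid, []).append(tpid)
        targets.add(tpid)
    paths = []

    def walk(pid, path):
        if pid not in children:
            paths.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    for root in sorted(p for p in children if p not in targets):
        walk(root, [root])
    return paths


if __name__ == "__main__":
    edges = parse_rows(WRITE_ROWS)
    for path in chains(edges):
        print(" -> ".join(map(str, path)))
    for f in classify(edges, CMDLINES):
        print(f"{f['writer']} -> {f['target']} ({f['target_image']}, {f['events']} events): {f['kind']}")
```

The argument-less check matters: InstallUtil.exe normally receives an assembly path, so a bare `"InstallUtil.exe"` command line started by something outside C:\Windows is by itself a strong host-hollowing signal, independent of any memory-write telemetry.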

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp (2 connections)
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp (2 connections)
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
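Added example (editor's code, not from the report): triage of the Network table above. It separates the stealer's fingerprinting lookups from connections the Windows platform makes on its own, keeps domain-level indicators, and flags destination IPs that fall in shared CDN space so they are not turned into block rules. The table is embedded as constructed input; the platform-noise list, the service-purpose map and the CDN prefixes are the editor's assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input: the behavioral1 Network table above, verbatim.
NETWORK_TABLE = """\
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
"""

ROW_RE = re.compile(r"^(\w{2}) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+) (tcp|udp)$", re.M)

# Editor's assumptions: hosts Windows contacts on its own for certificate-chain / CRL work
# (consistent with the CryptnetUrlCache files dropped in this run), and public services
# that stealers query to record the victim's external IP and location.
PLATFORM_NOISE = {"apps.identrust.com", "www.microsoft.com", "ctldl.windowsupdate.com", "crl.microsoft.com"}
FINGERPRINT_SERVICES = {
    "icanhazip.com": "external IP lookup",
    "api.mylnikov.org": "geolocation lookup",
    "api.ipify.org": "external IP lookup",
    "ipinfo.io": "external IP / geolocation lookup",
}
# Shared CDN address space (editor's assumption); an IP in here is not a usable block indicator.
SHARED_CDN = [ipaddress.ip_network("104.16.0.0/13"), ipaddress.ip_network("172.64.0.0/13")]


def parse_table(text):
    return [{"country": c, "ip": ip, "port": int(port), "domain": d, "proto": p}
            for c, ip, port, d, p in ROW_RE.findall(text)]


def triage(rows):
    """Bucket domains: platform_noise, fingerprinting, dns_only (resolved, never connected), unclassified."""
    per_domain = defaultdict(lambda: {"tcp": 0, "udp": 0, "dests": set()})
    for r in rows:
        d = per_domain[r["domain"]]
        d[r["proto"]] += 1
        if r["proto"] == "tcp":
            d["dests"].add(f'{r["ip"]}:{r["port"]}')
    buckets = defaultdict(dict)
    for domain, d in per_domain.items():
        if domain in PLATFORM_NOISE:
            bucket = "platform_noise"
        elif domain in FINGERPRINT_SERVICES:
            bucket = "fingerprinting"
        elif d["tcp"] == 0:
            bucket = "dns_only"
        else:
            bucket = "unclassified"
        buckets[bucket][domain] = {"connections": d["tcp"], "lookups": d["udp"], "dests": sorted(d["dests"])}
    return buckets


def shared_infrastructure(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_CDN)


def indicators(rows):
    """Domain-level IOCs for every connected, non-noise host; IP:port pairs are kept for
    context and marked when they sit in shared CDN space."""
    out = {}
    for r in rows:
        if r["proto"] != "tcp" or r["domain"] in PLATFORM_NOISE:
            continue
        entry = out.setdefault(r["domain"], {"purpose": FINGERPRINT_SERVICES.get(r["domain"], "unknown"),
                                             "dests": {}})
        dest = f'{r["ip"]}:{r["port"]}'
        entry["dests"][dest] = "shared CDN, do not block by IP" if shared_infrastructure(r["ip"]) else "dedicated"
    return out


if __name__ == "__main__":
    rows = parse_table(NETWORK_TABLE)
    for bucket, domains in triage(rows).items():
        print(bucket, dict(domains))
    for domain, info in indicators(rows).items():
        print(domain, info)
```

Both stealer destinations resolve into shared CDN ranges in this run, so the useful indicators are the domain names and the process-level fact that an InstallUtil.exe instance made the requests, not the addresses.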

Files

memory/3040-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp

memory/3040-0-0x0000000001070000-0x0000000001164000-memory.dmp

memory/3040-2-0x0000000005070000-0x00000000050B0000-memory.dmp

memory/3040-3-0x0000000000A30000-0x0000000000AA8000-memory.dmp

memory/2376-9-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2840-36-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2840-34-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2840-39-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2840-38-0x0000000000640000-0x0000000000680000-memory.dmp

memory/2840-37-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/2840-32-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2840-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2840-28-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2840-26-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2840-24-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2840-22-0x0000000000400000-0x0000000000418000-memory.dmp

memory/2376-21-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3040-18-0x0000000074AD0000-0x00000000751BE000-memory.dmp

memory/2376-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2376-15-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2376-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2376-7-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2376-5-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3040-4-0x0000000000520000-0x0000000000536000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63c363fd0c4e207d06b22aea2786d585
SHA1 91902fcddbee90a15acefde10b1feaec076520bf
SHA256 d0e92c48567fc9f6d3a707ed4f59f538d90a987c1b0d7deee179049271766b23
SHA512 d671aed9f2cb68ea917f8c5b0f9344fd8c7192be742efcaec3c6c82ec5a738d912f85e760f25abf6b182d4b1f074cb62c182f38c08ca649074123326eea63be6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 ceb75ea5170f8d14eaa694fb4372f9ad
SHA1 da24db9b37db4414ee108116b8683fa2fb31f995
SHA256 daa37aa8e03a06fcf87bf3d21822a7c96d542fc99b3acd30244bb6b19ced2d3a
SHA512 1a614805d8785fdbef8a1ee0f1525fd44ab32fb07ef95321c530536ecfba3e78f5a0a55a7e0eebcde9f5cee03a47e9a22cd20ef03a1f9dcc4db2349a986fd623

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\Tar35F4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

MD5 1bad0cbd09b05a21157d8255dc801778
SHA1 ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA512 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

memory/2840-136-0x00000000743A0000-0x000000007494B000-memory.dmp

memory/644-135-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

memory/644-134-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

memory/2376-137-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1644-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1644-151-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1644-153-0x0000000000400000-0x0000000000418000-memory.dmp

memory/1644-154-0x0000000073910000-0x0000000073EBB000-memory.dmp

memory/1644-155-0x00000000001F0000-0x0000000000230000-memory.dmp

memory/1644-156-0x0000000073910000-0x0000000073EBB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 458b85ac42a9e8cc8cff6a6587f995bb
SHA1 f2377eda42228106dbe264caaa73f54c5a7fa26a
SHA256 4d432a5bfc5d97c6c598456f6d976674ea6a8383b61864369bfafc41ab32e128
SHA512 c64cb8b9fafd779da8ae5060c632e42b15df2db4723ab7c6844752d32001ae343ae7428313e662826f45742287e67bc1fb841942f69c7db1b9eb64e2234e7c40

memory/1084-184-0x0000000000B30000-0x0000000000BB0000-memory.dmp

memory/1084-185-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

memory/1084-183-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

memory/1084-186-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp

memory/1644-187-0x0000000073910000-0x0000000073EBB000-memory.dmp

memory/1612-189-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
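Added example (editor's code, not from the report): parsing the memory dump names above to decide which dumps to carve. A region mapped at 0x400000 inside an InstallUtil.exe process is the injected image, repeated snapshots of the same region show it being written in stages, and any mapping above 4 GiB identifies a 64-bit process. The dump names are a constructed subset of the Files section; the PID-to-image map is taken from the WriteProcessMemory table.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the memory dump names from the behavioral1 Files section.
DUMP_NAMES = """\
memory/3040-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp
memory/3040-0-0x0000000001070000-0x0000000001164000-memory.dmp
memory/2376-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2840-36-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2840-34-0x0000000000400000-0x0000000000418000-memory.dmp
memory/2840-39-0x00000000743A0000-0x000000007494B000-memory.dmp
memory/2840-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/644-135-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp
memory/1644-151-0x0000000000400000-0x0000000000418000-memory.dmp
"""

# PID -> image, from the WriteProcessMemory and Processes sections of behavioral1.
IMAGES = {3040: "113f59d0bd4384226e40c17bf899935d.exe", 2376: "113f59d0bd4384226e40c17bf899935d.exe",
          2840: "InstallUtil.exe", 1644: "InstallUtil.exe", 644: "MZ.exe"}

NAME_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
IMAGE_BASE_32 = 0x400000  # default image base of a 32-bit PE executable


def parse_dumps(text):
    return [{"pid": int(p), "seq": int(s), "start": int(a, 16), "end": int(b, 16)}
            for p, s, a, b in NAME_RE.findall(text)]


def regions_by_pid(dumps):
    """{pid: {(start, end): [seq, ...]}} so repeated snapshots of one region stand out."""
    out = defaultdict(lambda: defaultdict(list))
    for d in dumps:
        out[d["pid"]][(d["start"], d["end"])].append(d["seq"])
    return out


def candidate_payloads(dumps, images):
    """Regions at the 32-bit image base. In a hollowed host (InstallUtil.exe here) that region
    holds the injected PE, so it is the dump to carve; the last snapshot is the most complete."""
    out = []
    for pid, regs in regions_by_pid(dumps).items():
        for (start, end), seqs in regs.items():
            if start == IMAGE_BASE_32:
                out.append({"pid": pid, "image": images.get(pid, "?"), "size": end - start,
                            "snapshots": len(seqs), "carve_seq": max(seqs)})
    return sorted(out, key=lambda r: r["pid"])


def has_64bit_mappings(dumps, pid):
    """Any mapping above 4 GiB means a 64-bit process; the Framework (not Framework64) host is 32-bit."""
    return any(d["pid"] == pid and d["start"] >= 1 << 32 for d in dumps)


def dump_name(pid, seq, start, end):
    """Rebuild the report's file name for a chosen region so it can be fetched for carving."""
    return f"memory/{pid}-{seq}-0x{start:016X}-0x{end:016X}-memory.dmp"


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_NAMES)
    for c in candidate_payloads(dumps, IMAGES):
        print(f"PID {c['pid']} ({c['image']}): 0x{c['size']:X} bytes at image base, "
              f"{c['snapshots']} snapshots, carve {dump_name(c['pid'], c['carve_seq'], IMAGE_BASE_32, IMAGE_BASE_32 + c['size'])}")
    print("MZ.exe (644) is 64-bit:", has_64bit_mappings(dumps, 644))
```

Two things the output makes visible: the first sample instance (3040) has no 0x400000 region (its own image sits at 0x1070000) while its re-launched copy (2376) does, consistent with that copy being hollowed as well; and MZ.exe's mappings at 0x7FEF... are above 4 GiB, so the dropped stage is a 64-bit process while the InstallUtil.exe host is 32-bit, which matters when choosing tools to unpack each dump.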

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-24 20:35

Reported

2023-12-25 16:06

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

Signatures

A310logger

stealer spyware a310logger

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

A310logger Executable

Description Indicator Process Target
(3 matches, no indicator details recorded)

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened (3 events) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened (3 events) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key opened (3 events) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened (3 events) \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Key value queried (3 events) \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A
Token: SeDebugPrivilege (3 events) N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 2276 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe
PID 2276 wrote to memory of 924 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 924 wrote to memory of 2708 (2 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2276 wrote to memory of 4556 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4556 wrote to memory of 4536 (2 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
PID 2276 wrote to memory of 4728 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
PID 4728 wrote to memory of 1064 (2 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 104.18.115.97:80 icanhazip.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 104.18.115.97:80 icanhazip.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp

Files

memory/2828-1-0x0000000000710000-0x0000000000804000-memory.dmp

memory/2828-0-0x0000000075210000-0x00000000759C0000-memory.dmp

memory/2828-3-0x00000000050F0000-0x0000000005182000-memory.dmp

memory/2828-2-0x0000000005600000-0x0000000005BA4000-memory.dmp

memory/2828-4-0x0000000005190000-0x0000000005206000-memory.dmp

memory/2828-5-0x0000000005210000-0x00000000052AC000-memory.dmp

memory/2828-6-0x0000000005350000-0x0000000005360000-memory.dmp

memory/2828-7-0x0000000005090000-0x00000000050AE000-memory.dmp

memory/2828-8-0x0000000005360000-0x00000000053D8000-memory.dmp

memory/2828-9-0x00000000050E0000-0x00000000050F6000-memory.dmp

memory/2276-10-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2276-13-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2828-16-0x0000000075210000-0x00000000759C0000-memory.dmp

memory/924-17-0x0000000000400000-0x0000000000418000-memory.dmp

memory/924-19-0x0000000000CF0000-0x0000000000D00000-memory.dmp

memory/924-18-0x0000000074D10000-0x00000000752C1000-memory.dmp

memory/924-20-0x0000000074D10000-0x00000000752C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

MD5 1bad0cbd09b05a21157d8255dc801778
SHA1 ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA512 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

memory/2708-33-0x0000000000F50000-0x0000000000F60000-memory.dmp

memory/2708-38-0x00007FF8C4E10000-0x00007FF8C57B1000-memory.dmp

memory/924-40-0x0000000074D10000-0x00000000752C1000-memory.dmp

memory/2708-37-0x00007FF8C4E10000-0x00007FF8C57B1000-memory.dmp

memory/2708-32-0x00007FF8C4E10000-0x00007FF8C57B1000-memory.dmp

memory/2276-41-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2708-42-0x00007FF8C4E10000-0x00007FF8C57B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log

MD5 5370d1dff94d27a9a6cfab002a5c444b
SHA1 fecadd9e884c57822ebeae897a3989c0e678fd1a
SHA256 0ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946
SHA512 67a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb

memory/4556-46-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/4556-47-0x0000000000F90000-0x0000000000FA0000-memory.dmp

memory/4556-48-0x0000000074A20000-0x0000000074FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.log

MD5 3d238ac6dd6710907edf2ad7893a0ed2
SHA1 b07aaeeb31bdc6e94097a254be088b092dc1fb68
SHA256 02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501
SHA512 c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24

memory/4536-61-0x00007FF8C4F90000-0x00007FF8C5931000-memory.dmp

memory/4536-62-0x00007FF8C4F90000-0x00007FF8C5931000-memory.dmp

memory/4556-63-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/4728-66-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/4728-67-0x00000000009E0000-0x00000000009F0000-memory.dmp

memory/4728-68-0x0000000074A20000-0x0000000074FD1000-memory.dmp

memory/1064-80-0x00007FF8C52C0000-0x00007FF8C5C61000-memory.dmp

memory/1064-81-0x00007FF8C52C0000-0x00007FF8C5C61000-memory.dmp

memory/4728-82-0x0000000074A20000-0x0000000074FD1000-memory.dmp