Malware Analysis Report

2024-10-18 21:25

Sample ID 231225-j4exasaeh8
Target 113f59d0bd4384226e40c17bf899935d
SHA256 b77f7c59b071608e552cf6ccae6f9e0e3f6790d83ec7d163713b0eedc6eccf25
Tags: zgrat rat a310logger stormkitty collection spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b77f7c59b071608e552cf6ccae6f9e0e3f6790d83ec7d163713b0eedc6eccf25

Threat Level: Known bad

The file 113f59d0bd4384226e40c17bf899935d was found to be: Known bad.

Malicious Activity Summary

zgrat rat a310logger stormkitty collection spyware stealer

StormKitty

StormKitty payload

Detect ZGRat V1

ZGRat

A310logger

A310logger Executable

Reads user/profile data of web browsers

Reads local data of messenger clients

Executes dropped EXE

Looks up external IP address via web service

Looks up geolocation information via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-25 08:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-25 08:13
Reported: 2023-12-27 16:10
Platform: win7-20231215-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2236 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe 4
PID 2236 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe 4
PID 2236 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe 4
PID 2236 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe 4
PID 2236 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe 4

Processes

Process Command line Instances
C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe "C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe" 6

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-25 08:13
Reported: 2023-12-27 16:10
Platform: win10v2004-20231215-en
Max time kernel: 173s
Max time network: 190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"

Signatures

A310logger

stealer spyware a310logger

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

A310logger Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target Events
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A 2
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A 2
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A 2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target Events
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A 2
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A 2

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A 2
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe 3
PID 2024 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe 8
PID 4992 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 4
PID 4992 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 8
PID 1620 wrote to memory of 616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe 2
PID 4992 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe 8
PID 3032 wrote to memory of 2944 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe 2

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe N/A

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe "C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"
C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe "C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"
C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe "C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 80
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 104.18.114.97:80 icanhazip.com tcp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

MD5 1bad0cbd09b05a21157d8255dc801778
SHA1 ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256 218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA512 4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log

MD5 5370d1dff94d27a9a6cfab002a5c444b
SHA1 fecadd9e884c57822ebeae897a3989c0e678fd1a
SHA256 0ddb4ec9a919c3566a4ab48ce605f24816e6fb2efdd6e4070a54a1f5912ec946
SHA512 67a3787e49e7d8ea23b3e1766639b36e685cf404042bc270f5c43dc0b0f50623778cb98c013577b3a0a3b425b608ff4e944e29df3725425ce6383759fe7534eb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.log

MD5 3d238ac6dd6710907edf2ad7893a0ed2
SHA1 b07aaeeb31bdc6e94097a254be088b092dc1fb68
SHA256 02d215d5b6ea166e6c4c4669547cbadecbb427d5baf394fbffc7ef374a967501
SHA512 c358aa68303aa99ebc019014b4c1fc2fbfa98733f1ea863bf78ca2b877dc5c610121115432d96504df9e43bdda637b067359b07228b6f129bc5ec9a01ed3ee24
